Diffstat (limited to 'share')
-rwxr-xr-x | share/keyringer/decrypt | 23 | ||||
-rwxr-xr-x | share/keyringer/del | 28 | ||||
-rwxr-xr-x | share/keyringer/encrypt | 35 | ||||
-rwxr-xr-x | share/keyringer/genpair | 111 | ||||
-rwxr-xr-x | share/keyringer/git | 16 | ||||
-rwxr-xr-x | share/keyringer/ls | 17 | ||||
-rwxr-xr-x | share/keyringer/recipients | 27 | ||||
-rwxr-xr-x | share/keyringer/recrypt | 28 |
8 files changed, 285 insertions, 0 deletions
diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt
new file mode 100755
index 0000000..b933f3f
--- /dev/null
+++ b/share/keyringer/decrypt
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Decrypt files.
+#
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer/functions"
+source $LIB
+
+BASEDIR="$1"
+FILE="`keyringer_filename $2`"
+KEYDIR="$BASEDIR/keys"
+BASENAME="`basename $0`"
+
+if [ -z "$FILE" ]; then
+ echo "Usage: `basename $0` <basedir> <file>"
+ exit 1
+elif [ ! -f "$KEYDIR/$FILE" ]; then
+ echo "File not found: $KEYDIR/$FILE"
+ exit 1
+fi
+
+gpg -d $KEYDIR/$FILE
diff --git a/share/keyringer/del b/share/keyringer/del
new file mode 100755
index 0000000..cc6ad4e
--- /dev/null
+++ b/share/keyringer/del
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Remove files.
+#
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer/functions"
+source $LIB
+
+# Config
+BASEDIR="$1"
+FILE="`keyringer_filename $2`"
+KEYDIR="$BASEDIR/keys"
+BASENAME="`basename $0`"
+
+# Setup
+if [ -z "$FILE" ]; then
+ echo "Usage: `basename $0` <basedir> <file>"
+ exit 1
+elif [ ! -f "$KEYDIR/$FILE" ]; then
+ echo "File not found: $KEYDIR/$FILE"
+ exit 1
+fi
+
+# Remove
+if [ -d "$KEYDIR/.git" ]; then
+ ./git $KEYDIR rm $FILE --force
+fi
diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt
new file mode 100755
index 0000000..1245715
--- /dev/null
+++ b/share/keyringer/encrypt
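Review bot: Every expansion on the final line is unquoted, so `gpg -d $KEYDIR/$FILE` word-splits and globs when the basedir or key name contains whitespace or `*`, and a name beginning with `-` is parsed by gpg as an option; `gpg -d -- "$KEYDIR/$FILE"` fixes both, and the same applies to `source $LIB` here and to the equivalent unquoted paths in del, encrypt, genpair, git, ls, recipients and recrypt. `BASENAME` is assigned but never used — the usage message recomputes `basename $0` — so either drop the variable or use it in the message. `keyringer_filename` is defined outside this diff, so I cannot tell whether it rejects `..` components; if it does not, `$KEYDIR/$FILE` is not confined to the keys directory and the `-f` test alone will not catch that.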
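Review bot: When `$KEYDIR/.git` is absent the script exits 0 without touching the file, so `del` on a non-git keyring silently removes nothing; add an `else` branch with `rm -f -- "$KEYDIR/$FILE"`, or at least report that nothing was removed. The git call uses the relative path `./git`, which only resolves when the current directory happens to be share/keyringer, whereas encrypt goes through `keyringer_exec git`; use `keyringer_exec git "$KEYDIR" rm --force -- "$FILE"` here as well. The repository check also disagrees with encrypt (`$KEYDIR/.git` here, `$BASEDIR/.git` there), so presumably one of the two is wrong.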
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer/functions"
+source $LIB
+
+# Config
+ACTIONS="`dirname $0`"
+BASEDIR="$1"
+FILE="`keyringer_filename $2`"
+KEYDIR="$BASEDIR/keys"
+RECIPIENTS="$BASEDIR/config/recipients"
+BASENAME="`basename $0`"
+
+# Setup
+if [ -z "$FILE" ]; then
+ echo "Usage: `basename $0` <basedir> <file>"
+ exit 1
+elif [ ! -f "$RECIPIENTS" ]; then
+ echo "No recipient config was found"
+ exit 1
+fi
+
+# Encrypt
+mkdir -p $KEYDIR/`dirname $FILE`
+echo "Type your message and finish your input with EOF (Ctrl-D)."
+gpg --armor -e -s $(keyringer_recipients $RECIPIENTS) - > $KEYDIR/$FILE
+
+# Stage
+if [ -d "$BASEDIR/.git" ]; then
+ keyringer_exec git $KEYDIR add $FILE
+fi
diff --git a/share/keyringer/genpair b/share/keyringer/genpair
new file mode 100755
index 0000000..ff554cc
--- /dev/null
+++ b/share/keyringer/genpair
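Review bot: The redirection on the gpg line truncates `$KEYDIR/$FILE` before gpg runs, so if encryption fails (unknown recipient, no signing key) or the user aborts at the prompt, an existing secret is replaced by an empty file, and the script still exits 0 and stages it. Write to a temporary file in the same directory and rename only on success: `TMP="$(mktemp "$KEYDIR/$FILE.XXXXXX")" || exit 1`, `gpg --armor -e -s $(keyringer_recipients "$RECIPIENTS") - > "$TMP" || { rm -f -- "$TMP"; exit 1; }`, `mv -- "$TMP" "$KEYDIR/$FILE"`. The output of `keyringer_recipients` is deliberately unquoted so it splits into arguments; that function is outside this diff, so I cannot confirm it validates each line, and any entry in config/recipients that starts with `-` would reach gpg as an option rather than a recipient. The "Type your message" prompt is also printed when stdin is a pipe, as it is when genpair calls this script; `[ -t 0 ] && echo "..."` keeps it to interactive use.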
@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+# Generate keypairs.
+#
+# This script is just a wrapper to easily generate keys for
+# automated systems.
+#
+
+# Generate a keypair, ssh version
+function genpair_ssh {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+ read -p "Hit ENTER to continue." prompt
+
+ # TODO: programatically enter blank passphrase twice
+ ssh-keygen -t dsa -f $WORK/id_dsa -C "root@$NODE"
+
+ # Encrypt the result
+ cat $WORK/id_dsa | keyringer_exec encrypt $BASEDIR $FILE
+ cat $WORK/id_dsa.pub | keyringer_exec encrypt $BASEDIR $FILE.pub
+
+ echo "Done"
+}
+
+# Generate a keypair, gpg version
+function genpair_gpg {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+ read -s -p "Enter password for the private key: " passphrase
+
+ # TODO: insert 279 random bytes
+ gpg --homedir $WORK --gen-key --batch <<EOF
+ Key-Type: DSA
+ Key-Length: 1024
+ Subkey-Type: ELG-E
+ Subkey-Length: 4096
+ Name-Real: $NODE
+ Name-Comment: backupninja
+ Name-Email: root@$NODE
+ Expire-Date: 0
+ Passphrase: $passphrase
+ %commit
+EOF
+
+ # Encrypt the result
+ gpg --homedir $WORK --export-secret-keys | keyringer_exec encrypt $BASEDIR $FILE
+ gpg --homedir $WORK --export | keyringer_exec encrypt $BASEDIR $FILE.pub
+ echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt $BASEDIR $FILE.passwd
+
+ echo "Done"
+}
+
+# Generate a keypair, ssl version
+function genpair_ssl {
+ echo "Make sure that $KEYDIR is atop of an encrypted volume."
+ read -p "Hit ENTER to continue." prompt
+
+ # Setup
+ cd $WORK
+
+ # Generate certificate
+ $LIB/csr.sh $NODE
+
+ # Self-sign
+ openssl x509 -in $NODE"_csr.pem" -out $NODE.crt -req -signkey $NODE"_privatekey.pem" -days 365
+ chmod 600 $NODE"_privatekey.pem"
+
+ # Encrypt the result
+ cat $NODE"_privatekey.pem" | keyringer_exec encrypt $BASEDIR $FILE.pem
+ cat $NODE"_csr.pem" | keyringer_exec encrypt $BASEDIR $FILE.csr.pem
+ cat $NODE.crt | keyringer_exec encrypt $BASEDIR $FILE.crt
+
+ echo "Done"
+ cd $CWD
+}
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer"
+source $LIB/functions
+
+# Config
+ACTIONS="`dirname $0`"
+BASEDIR="$1"
+KEYDIR="$BASEDIR/keys"
+KEYTYPE="$2"
+FILE="$3"
+NODE="$4"
+BASENAME="`basename $0`"
+CWD="`pwd`"
+
+# Verify
+if [ -z "$NODE" ]; then
+ echo "Usage: $BASENAME <keydir> <gpg|ssh|ssl> <file> <hostname>"
+ exit 1
+elif [ ! -e "$KEYDIR" ]; then
+ echo "Folder not found: $KEYDIR, leaving"
+ exit 1
+fi
+
+# Prepare
+mkdir -p $KEYDIR && chmod 700 $KEYDIR
+WORK="`mktemp -d $KEYDIR/genpair.XXXXXX`"
+if [ "$?" != "0" ]; then
+ echo "Error setting up $WORK"
+ exit 1
+fi
+
+# Dispatch
+genpair_$KEYTYPE
+
+# Cleanup
+cd $CWD
+rm -rf $WORK
diff --git a/share/keyringer/git b/share/keyringer/git
new file mode 100755
index 0000000..5e98105
--- /dev/null
+++ b/share/keyringer/git
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Git wrapper.
+#
+
+BASEDIR="$1"
+CWD="`pwd`"
+
+if [ -z "$BASEDIR" ]; then
+ echo "Usage: `basename $0` <basedir> [arguments]"
+ exit 1
+fi
+
+shift
+mkdir -p $BASEDIR && cd $BASEDIR && git $*
+cd $CWD
diff --git a/share/keyringer/ls b/share/keyringer/ls
new file mode 100755
index 0000000..f37df8e
--- /dev/null
+++ b/share/keyringer/ls
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# List keys.
+#
+
+BASEDIR="$1"
+KEYDIR="$BASEDIR/keys"
+CWD="`pwd`"
+
+if [ -z "$KEYDIR" ]; then
+ echo "Usage: `basename $0` <basedir> [arguments]"
+ exit 1
+fi
+
+shift
+cd $KEYDIR && ls $*
+cd $CWD
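Review bot: Cleanup of `$WORK` only runs on the fall-through path at the very end, so if `ssh-keygen`, `gpg --gen-key`, `openssl` or any `keyringer_exec encrypt` call fails — or the user presses Ctrl-C at one of the `read` prompts — the unencrypted private key (and, for gpg, the passphrase-bearing homedir) stays on disk inside `$KEYDIR`; register the cleanup right after mktemp with `trap 'cd "$CWD"; rm -rf -- "${WORK:?}"' EXIT` so every exit path runs it. `genpair_$KEYTYPE` dispatches on `$2` without validation, so a typo produces "command not found" and the script still exits 0 after cleanup; a `case "$KEYTYPE" in gpg|ssh|ssl) ;; *) echo usage; exit 1 ;; esac` before mktemp avoids that. The key parameters are fixed at 1024-bit DSA for both ssh (`ssh-keygen -t dsa`) and gpg (`Key-Length: 1024`), which is weak by current standards; consider making type and size parameters rather than constants. The usage line says `<keydir>` but `$1` is the basedir, and `genpair_ssl` does `cd $WORK` without checking the result, so a failed cd would run `csr.sh` in the caller's directory.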
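Review bot: `git $*` unquoted re-splits every argument, so a commit message or path containing spaces that a caller passed as one word reaches git as several; use `git "$@"`. The wrapper's exit status is that of the trailing `cd $CWD`, never git's, so del and encrypt can never detect a failed `rm` or `add`; capture it with `git "$@"; rv=$?`, then `cd "$CWD"`, then `exit $rv`. `mkdir -p $BASEDIR` also means a mistyped basedir is silently created rather than reported; that may be intended for first use, but it hides typos.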
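Review bot: The usage check is dead code: `KEYDIR` is `"$BASEDIR/keys"`, which is non-empty even when no argument was given, so with no basedir the script tries `cd /keys` instead of printing usage; test `[ -z "$BASEDIR" ]` (or `[ -d "$KEYDIR" ]`) instead. `ls $*` should be `ls "$@"` for the same reason as in the git wrapper, and the trailing `cd $CWD` masks the exit status of `ls`, so a missing keys directory still reports success.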
diff --git a/share/keyringer/recipients b/share/keyringer/recipients
new file mode 100755
index 0000000..46d3e92
--- /dev/null
+++ b/share/keyringer/recipients
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Recipient management.
+#
+
+# Config
+BASEDIR="$1"
+COMMAND="$2"
+BASENAME="`basename $0`"
+RECIPIENTS="$BASEDIR/config/recipients"
+
+if [ -z "$COMMAND" ]; then
+ echo "Usage: `basename $0` <basedir> <command> [arguments]"
+ exit 1
+elif [ ! -f "$RECIPIENTS" ]; then
+ echo "No recipient config was found"
+ exit 1
+fi
+
+if [ "$COMMAND" == "ls" ]; then
+ cat $RECIPIENTS
+elif [ "$COMMAND" == "edit" ]; then
+ $EDITOR $RECIPIENTS
+else
+ echo "$BASENAME: No such command $COMMAND"
+ exit 1
+fi
diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt
new file mode 100755
index 0000000..ff1d60e
--- /dev/null
+++ b/share/keyringer/recrypt
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Re-encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../../lib/keyringer/functions"
+source $LIB
+
+# Config
+BASEDIR="$1"
+FILE="`keyringer_filename $2`"
+KEYDIR="$BASEDIR/keys"
+RECIPIENTS="$BASEDIR/config/recipients"
+BASENAME="`basename $0`"
+
+if [ -z "$FILE" ]; then
+ echo "Usage: `basename $0` <basedir> <file>"
+ exit 1
+elif [ ! -f "$RECIPIENTS" ]; then
+ echo "No recipient config was found"
+ exit 1
+elif [ ! -f "$KEYDIR/$FILE" ]; then
+ echo "File not found: $KEYDIR/$FILE"
+ exit 1
+fi
+
+gpg -d $KEYDIR/$FILE | gpg --armor -e -s $(keyringer_recipients $RECIPIENTS) > $KEYDIR/$FILE
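Review bot: `$EDITOR $RECIPIENTS` with `EDITOR` unset or empty expands to just the config path, which the shell then tries to execute as a command; assert it at the top with `: "${EDITOR:?EDITOR must be set}"` or fall back with `"${EDITOR:-vi}" -- "$RECIPIENTS"`. Because this file is what encrypt and recrypt turn into gpg recipient arguments, the `edit` branch is the natural place for a post-edit sanity check (every non-comment line looks like a key id or address); `keyringer_recipients` is outside this diff, so I cannot tell whether it already validates entries. `cat $RECIPIENTS` should be quoted like the other paths, and the `==` inside `[ ]` is a bashism that is fine under `#!/bin/bash` but worth knowing if the shebang ever changes.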
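Review bot: The final pipeline reads and writes the same path: the shell opens `$KEYDIR/$FILE` for truncation on behalf of the second gpg at the same time the first gpg opens it for reading, so the decrypting side typically sees an empty file and the secret is destroyed — and without `pipefail` the script still exits 0. Decrypt into a temporary file in the same directory and rename it over the original only when both gpg invocations succeed; the rewrite below does that. As in decrypt, the paths should be quoted and passed after `--`.
```shell
# … unchanged: function loading, config and argument checks …
set -o pipefail
TMP="$(mktemp "$KEYDIR/$FILE.XXXXXX")" || exit 1
if gpg -d -- "$KEYDIR/$FILE" | gpg --armor -e -s $(keyringer_recipients "$RECIPIENTS") > "$TMP"; then
  mv -- "$TMP" "$KEYDIR/$FILE"
else
  rm -f -- "$TMP"
  exit 1
fi
```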