Diffstat (limited to 'gpg')
-rwxr-xr-x | gpg/add-key.sh | 17 | ||||
-rwxr-xr-x | gpg/create-environment.sh | 40 | ||||
-rwxr-xr-x | gpg/get-vault-pass- | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-chaos-at-home | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-elevate | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-spreadspace | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass.sh | 20 | ||||
-rwxr-xr-x | gpg/gpg2.sh | 10 | ||||
-rwxr-xr-x | gpg/list-keys.sh | 10 | ||||
-rwxr-xr-x | gpg/remove-keys.sh | 19 | ||||
-rwxr-xr-x | gpg/set-vault-pass.sh | 15 | ||||
-rw-r--r-- | gpg/vault-keyring-chaos-at-home.gpg | bin | 0 -> 37630 bytes | |||
-rw-r--r-- | gpg/vault-keyring-elevate.gpg | bin | 0 -> 37630 bytes | |||
-rw-r--r-- | gpg/vault-keyring-spreadspace.gpg (renamed from gpg/vault-keyring.gpg) | bin | 37014 -> 37014 bytes | |||
-rw-r--r-- | gpg/vault-pass-chaos-at-home.gpg | 19 | ||||
-rw-r--r-- | gpg/vault-pass-elevate.gpg | 19 | ||||
-rw-r--r-- | gpg/vault-pass-spreadspace.gpg (renamed from gpg/vault-pass.gpg) | 0 |
17 files changed, 159 insertions, 18 deletions
diff --git a/gpg/add-key.sh b/gpg/add-key.sh index 98e29174..82970a91 100755 --- a/gpg/add-key.sh +++ b/gpg/add-key.sh @@ -1,21 +1,28 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <keyfile> ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "no keyfile specified, reading from stdin ..." fi -"${BASH_SOURCE%/*}/gpg2.sh" --import $@ +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@" if [ $? -ne 0 ]; then - echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: importing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." diff --git a/gpg/create-environment.sh b/gpg/create-environment.sh new file mode 100755 index 00000000..7ee5827b --- /dev/null +++ b/gpg/create-environment.sh 
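Review bot: The `if [ $? -ne 0 ]` after the pipeline `"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"` only reflects set-vault-pass.sh, and with this commit get-vault-pass.sh prints a fixed placeholder and exits 0 when decryption fails, so an operator who cannot decrypt this environment's vault-pass file would re-encrypt the placeholder over the real vault password and still see "Successfully reencrypted vault password file!". Once the producer reports failure again (see the get-vault-pass.sh hunk), `set -o pipefail` at the top of the script, or a check of `${PIPESTATUS[0]}`, makes this line fail as intended. `NAME` is also taken from argv and spliced into the keyring and wrapper paths unchecked; `[ -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ] || { echo "unknown environment '$NAME'"; exit 1; }` before the import would catch a mistyped environment before any keyring file is touched. Both points apply to the remove-keys.sh hunks as well.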
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ <keyfile> ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+if [ -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ]; then
+ echo "environment '$NAME' already exists."
+ exit 0
+fi
+
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: importing key(s) failed."
+ exit 1
+fi
+
+
+### enable this as soon https://github.com/ansible/ansible/issues/18319 has landed
+#ln -s get-vault-pass- "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+cp "${BASH_SOURCE%/*}/get-vault-pass-" "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+
+echo ""
+echo "Please type in passphrase:"
+"${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: creating vault password file failed!"
+ exit 1
+fi
+echo ""
+echo "Successfully created vault password file!"
+echo " Don't forget to commit gpg/get-vault-pass-$NAME, gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg."
diff --git a/gpg/get-vault-pass- b/gpg/get-vault-pass-
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-chaos-at-home b/gpg/get-vault-pass-chaos-at-home
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-chaos-at-home
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-elevate b/gpg/get-vault-pass-elevate
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-elevate
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-spreadspace b/gpg/get-vault-pass-spreadspace
new file mode 100755
index 00000000..37f60413
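Review bot: The `cp "${BASH_SOURCE%/*}/get-vault-pass-" "${BASH_SOURCE%/*}/get-vault-pass-$NAME"` runs before `set-vault-pass.sh "$NAME"`, and the existence check at the top keys on that copied wrapper, so if the passphrase step fails the wrapper (and any keyring file written by the import) stay behind and every rerun prints `environment '$NAME' already exists.` and exits 0 without a vault-pass-$NAME.gpg ever being written. Removing the wrapper on that error path, `rm -f -- "${BASH_SOURCE%/*}/get-vault-pass-$NAME"` before the `exit 1`, or testing for `vault-pass-$NAME.gpg` instead, makes the script safely re-runnable. `NAME` is interpolated into every file name this script creates without validation; `[[ "$NAME" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid environment name"; exit 1; }` after the usage check keeps a stray `/` or `..` out of the generated paths.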
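Review bot: `"${BASH_SOURCE##*/get-vault-pass-}"` in get-vault-pass- (and in the three identical copies added by this commit) yields the environment name only when BASH_SOURCE contains a `/` before the file name; run as `bash get-vault-pass-elevate` from inside gpg/ the pattern does not match and the full file name is passed as the environment, and `${BASH_SOURCE%/*}` on the same line then no longer points at the directory either. The directory-component assumption is shared with every script here, so this is likely acceptable, but it is worth a comment, e.g. `# environment = file-name suffix after 'get-vault-pass-'; must be invoked via a path such as gpg/get-vault-pass-<env>`.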
--- /dev/null
+++ b/gpg/get-vault-pass-spreadspace
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
index 202c94f7..6cf2ff9a 100755
--- a/gpg/get-vault-pass.sh
+++ b/gpg/get-vault-pass.sh
@@ -1,2 +1,20 @@
 #!/bin/bash
-gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment>"
+ exit 1
+fi
+NAME="$1"
+shift
+
+gpg2 --decrypt --batch --no-tty --quiet < "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg"
+
+# Ansible up to including 2.6 seems to have a bug which ignores the setting of 'vault_id_match = True'
+# in ansible.cfg (or the equivalent environment variable).
+#
+# To make it possible to use ansible-vault view as a textconv filter for git, we need to support
+# the case that some people do not have access to all vaults. So let's return an invalid
+# secret, and pretend success.
+if [ $? -ne 0 ]; then
+ echo This is my secret. There are many others like it, but this one is mine. My secret is my best friend. It is my life. I must master it as I must master my life. Without me, my secret is useless. Without my secret, I am useless. Please do not quote from movies when searching for a passphrase.
+ exit 0
+fi
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
index 27435ab5..2c0f2157 100755
--- a/gpg/gpg2.sh
+++ b/gpg/gpg2.sh
@@ -1,2 +1,10 @@
 #!/bin/bash
-exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-options --no-default-keyring --trust-model always $@
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@"
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
index 4b010495..4166fa59 100755
--- a/gpg/list-keys.sh
+++ b/gpg/list-keys.sh
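Review bot: The new fallback `if [ $? -ne 0 ]; then echo This is my secret. …; exit 0; fi` converts every decryption failure into success with a fixed placeholder, and this script is the producer in the `get-vault-pass-$NAME | set-vault-pass.sh "$NAME"` pipelines of add-key.sh and remove-keys.sh, so anyone who cannot decrypt an environment's vault-pass file but runs one of those scripts would overwrite the real vault password with the placeholder and be told it succeeded. The comment justifies the lenient exit only for the git textconv case, so that behaviour should be opt-in rather than the default: keep `exit 1` here and let the textconv configuration request the placeholder through an environment variable the interactive scripts never set (the variable name is yours to choose). The placeholder is also echoed unquoted; `printf '%s\n' '…'` is the safer form even for constant text.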
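Review bot: The rewritten `exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@"` drops the `--no-options` that the removed line carried, so the caller's personal gpg.conf now applies to every keyring operation of these scripts; an `encrypt-to` or `default-key` entry there could change the recipient set set-vault-pass.sh produces. If this is intended it deserves a one-line comment stating why, otherwise `--no-options` should be restored. As far as I know `--secret-keyring` is ignored by GnuPG 2.1 and later, so it no longer isolates anything on current installs and a comment should say it is kept for older versions only. The usage string `[ .. additional parameters passwd on to gpg2 .. ]` has a typo, `passed on to gpg2`, both here and in the list-keys.sh hunk.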
@@ -1,2 +1,10 @@ #!/bin/bash -exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@ + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]" + exit 1 +fi +NAME="$1" +shift + +exec "${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --list-keys "$@" diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh index 80ae1573..d5fd93c3 100755 --- a/gpg/remove-keys.sh +++ b/gpg/remove-keys.sh @@ -1,9 +1,16 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <key-id> [ <key-id> [ .. ] ] ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "Please specify at least one key ID!" echo "" - echo "You can find out the key ID using the command: gpg/list-keys.sh" + echo "You can find out the key ID using the command: ${0%/*}/list-keys.sh $NAME" echo "" echo " Here is an example output:" echo "" @@ -18,18 +25,18 @@ if [ -z "$1" ]; then exit 1 fi -"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@ +"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@ if [ $? -ne 0 ]; then - echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." 
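Review bot: In the second remove-keys.sh hunk `"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@` leaves `$NAME` and `$@` unquoted, while the add-key.sh, list-keys.sh and set-vault-pass.sh hunks of the same commit pass `"$NAME"` and `"$@"`; an environment name or key ID containing whitespace or glob characters would be split or expanded here. Change it to `"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --delete-keys "$@"`. The pipeline status check further down this hunk has the same weakness raised for add-key.sh.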
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh index 1fb3426c..64191a37 100755 --- a/gpg/set-vault-pass.sh +++ b/gpg/set-vault-pass.sh @@ -1,6 +1,13 @@ #!/bin/bash -keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') +if [ -z "$1" ]; then + echo "Usage: $0 <environment>" + exit 1 +fi +NAME="$1" +shift + +keyids=$("${BASH_SOURCE%/*}/list-keys.sh" "$NAME" --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') if [ -z "$keyids" ]; then echo "ERROR: no keys to encrypt to, is the keyring empty?" exit 1 @@ -12,9 +19,9 @@ for keyid in $keyids; do done -"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients if [ $? -ne 0 ]; then - rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$" + rm -f "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" exit 1 fi -mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg" +mv "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg" diff --git a/gpg/vault-keyring-chaos-at-home.gpg b/gpg/vault-keyring-chaos-at-home.gpg Binary files differnew file mode 100644 index 00000000..864ce7d3 --- /dev/null +++ b/gpg/vault-keyring-chaos-at-home.gpg diff --git a/gpg/vault-keyring-elevate.gpg b/gpg/vault-keyring-elevate.gpg Binary files differnew file mode 100644 index 00000000..161d61bc --- /dev/null +++ b/gpg/vault-keyring-elevate.gpg diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring-spreadspace.gpg Binary files differindex 8d2e0443..8d2e0443 100644 --- a/gpg/vault-keyring.gpg +++ b/gpg/vault-keyring-spreadspace.gpg diff --git a/gpg/vault-pass-chaos-at-home.gpg b/gpg/vault-pass-chaos-at-home.gpg new file mode 100644 index 00000000..b69478a6 --- /dev/null +++ b/gpg/vault-pass-chaos-at-home.gpg 
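Review bot: The second hunk writes the new ciphertext to `"${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$"` inside the working tree and removes it only when gpg2 returns non-zero; an interrupt while gpg2 waits for the passphrase on stdin (now an interactive path, since create-environment.sh calls this script directly) leaves the partial file next to the real one. `trap 'rm -f -- "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$"' EXIT` after `NAME="$1"` in the first hunk covers every exit path and is a no-op after the final `mv`. `$receipients` is still expanded unquoted, relying on word-splitting of a string assembled in the loop that starts outside this hunk (presumably recipient options); an array built with `+=()` and expanded as `"${receipients[@]}"` would be the idiomatic form.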
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPAQ//XhC91fRTgM2g8c9sPYLVakqUrr0ErQNWCUvKCRQxV3TA
+sxgKWdIpuam4mW7HkE96BHGB+qLd//lrq+LM3jCZFUHgGal1XyWgHwAoHNC0y8Cg
+5LKdVyGhDeeh8dSAs9pYouyfwUx3UTG9sFFcm5Nl7KFXP38VHA9ZyerUmC0g7t7F
+l5mQmtK+Nc+ZBrZ5+Yr79U/f1VeKaNX2qkDbBrQmO+VubZ4covr4S1amG34ymvlr
+2mLf+9wV8sGiOikZTzdDyCtO+32BpjuYvfoZnFRpTdCeKa0niFyrzvqFn6C0No9H
+zhIY/SDdfauzLIIvj6WODOW0H6ILVGJ0Eq9KGACTAka+98uhIunHB4MKpOBC01x9
+LLCiISodqIfQuuOHVz4jJqHAwq+MGm0vmoWOfqiNDnOnRCC2kJnMP9K/wynPmXdm
+eLSfOz9/8sOqW0MLL5Ugz0sZr9+5rdISlSf2/oa4ssJb3uUQwlSGkG+2MwD0dEMT
+wowZBJOrGhGtKxzLRzSsErkng/j/arW3NU9Rai9RIzfyUFjDND5SqnTBdWp+AZqc
+YGAeQ1hBTPQzYppx9qgF51p0rGzBmoB9/wC3Td0HavJaswtiwUL4/BATenoMzkG4
+KnB81ZFpkFW1Ze3XilFtmKXXqWpj7dURQ54D4moIwV2dk6dSCKmRumJVREKa5NvS
+vAHID0sr7R7BF4z/IrdElmrXa1HExsPAIkPLeyUeU8fkvToSJ009avz6f68hkWEp
+vR4hzN6Fe14HU4m9NP8Gn7HJsBnym8d93E8KVKcyEdCb9La1FfFHWm2Ado85Vll0
+EN/GMVhrD2sbX4Dz7+TCklx7n+hzZahankBgP4/1ZyTrrUyQvYNuczXPanckmrCV
+DQaYuh+RY1C4bRgQZy47nQzCsYqZpxyn6jH2LvWZWyN9xDuj6vPefphfawqv
+=MPgO
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass-elevate.gpg b/gpg/vault-pass-elevate.gpg
new file mode 100644
index 00000000..382a0e3a
--- /dev/null
+++ b/gpg/vault-pass-elevate.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPARAAh/hpOPDkQFckrlbmwFYiKtMyzJcHVOeSckFAsGYh0BFa
+MzcbLqdRPGDwZL9yIruc/6ubQv1zqq8MZcvRW7BZkkCzBk5h2BcJ76iMgWfcwte6
+Jc2pmog36GihU9t41BJFtxm6mazEN4JTW3SC6i1boMPEJBOEcSIu8SBAFNGm0nCq
+GL0j9Rw/T/EiMtmjY6c9nMTSnhOtcedpWeBsMPtYoWAo8/ea1kaGHCON+UGs6/4D
+QUhI/ate8RA0vAD6NFkZE9C+uwU22/cyT7pZZTA11ohF32aF4vyVgMf9UY0+MYy0
++msJZps2KRmECcVZiFGQZ2/OwU4tnYq53jUwL1erzADeFAco4vKtc7yVffN/pIn8
+aQ48kaKe9WT064fe92zWJfWF285fyEB8we72j6AmwA5RxIViVvl/2xdCdYNN6yv+
+kqYmdCEBdMHhcDz73K2mCGeqlkB8+DVpeHwtn+TT5J1IeFkCiK2LD2PtpyqV7BTn
+dExQaKtUCbF3+jiPTv6N5ChMbY5ql2roN2zzHgoGVNREGaTxJXnkroJpxaelf4Q3
+ahnNE+/3G16TNCpzYXBNWh9wIHh+6mFhwqKxPy40goW4TMXqSs9+n1MCQhu8GCTH
+8CsW6tK98vBgzbhoWLyyNVa40hdltw4+D0YdRle+YFqHaiXJcf2/FjaLoz+jSXvS
+uwHQGVypRlmepR7lAKTTVCEjBrJ3lnW7LcBsHEKTr1gX+UleiPri5e029BRLcJDR
+PJE4PBi7fp4tAUgSiN6D+mVF0+eXz2px+NVPAeavveMY/oTl8GsPQc/hYtjW9CnM
+nhadEDPSmkaLMkCjR6XApprZtuoPyHPSTFIKGTe4bSU1Ezbpd9XNfXcU2Gz55JEk
+rAvuyAfHqyXB1zzyA3UTPvRDAw0TN72wbMPEg2v5TE8TFB2Q3XoDuZYsN/A=
+=fg/w
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass-spreadspace.gpg
index 20130b37..20130b37 100644
--- a/gpg/vault-pass.gpg
+++ b/gpg/vault-pass-spreadspace.gpg |