Last active
February 28, 2018 17:32
Gist CodeArtha/dc17cfcb5c9fb0b0794e15d1fd0514d2
Script that encrypts sensitive files with GnuPG, shreds the plaintext copies and then makes a new commit, so that people who can access the repository cannot read those files unless they hold one of the recipients' private keys.
```sh
#!/bin/dash
# Encrypts the sensitive files in this repository, checks that every one of
# them produced an encrypted copy, shreds the plaintexts and makes a new commit.
# Convention in this repository: every file I want to encrypt has the .pass
# extension; the encrypted (ASCII-armoured) version gets the .pass.asc extension.
#
# Caveats: shred(1) cannot reliably overwrite data on journaling or copy-on-write
# filesystems or on SSDs, and a plaintext that was ever committed stays in the
# git history. Keep "*.pass" in .gitignore so that "git add ." can never stage one.

# Gets the number of .pass files in the current directory + subdirectories.
PASS=`find . -type f -name "*.pass" | wc -l`

if [ "$PASS" -ne 0 ]; then
    # Use gpg to encrypt for ourselves every .pass file. --encrypt-files reads the
    # file names from stdin; --yes overwrites a .pass.asc left by an earlier run.
    find . -type f -name "*.pass" | gpg --yes --armor -r codeartha@gmail.com -r william@arsac.net --encrypt-files
fi

# Before deleting anything, check file by file that each .pass has a non-empty
# .pass.asc next to it (counting .asc files instead would wrongly abort when a
# .pass.asc from an earlier run was merely overwritten). Relies on GNU find,
# which substitutes {} inside an argument.
MISSING=`find . -type f -name "*.pass" ! -exec test -s "{}.asc" ";" -print | wc -l`

if [ "$MISSING" -eq 0 ]; then
    echo "[INFO] Password files encrypted correctly."
    echo "[INFO] Deleting .pass files after encryption..."
    # shred reads no file names from stdin, so -exec is needed instead of a pipe.
    find . -type f -name "*.pass" -exec shred -u {} ";"
    # Checking they all got deleted, then commit.
    PASS=`find . -type f -name "*.pass" | wc -l`
    if [ "$PASS" -eq 0 ]; then
        echo "[INFO] All sensitive files deleted."
        # This commit needs a comment. We check if one is passed by argument, else we ask for one.
        if [ $# -eq 0 ]; then
            printf "Comment for this commit: "
            read -r COMMENT
        else
            COMMENT=$1
        fi
        # Making a new commit using the specified comment.
        git add .
        git commit -m "$COMMENT"
        echo "[INFO] Done."
    else
        echo "[ERROR] Failed to delete all .pass files."
        echo "[INFO] Aborting!"
        exit 1
    fi
else
    echo "[ERROR] $MISSING .pass file(s) have no encrypted version."
    echo "[INFO] Aborting!"
    exit 1
fi
```
Author
Intended to be used together with this script: https://gist.github.com/CodeArtha/a77caaff4bd6d054acf6265c163e2cdb
because if there are already other .asc files in the directory that were previously or manually encrypted, it will error out.
Author
EDIT: solved errors when there is a mix of .asc and .pass before using this script. I also added a lot more log information about errors.
Author
TODO: make it also work with files that have another extension than .pass but contain a certain string like "codeartha.git.secure"
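The following is an added example, not code from the gist or its author. It shows the pre-shred verification as a set of sh functions that check each sensitive file individually instead of comparing file counts, and it also selects files by a marker string, as the TODO above proposes; the marker value "codeartha.git.secure" is taken from that comment, while the function names, the check that the ciphertext starts with the OpenPGP armour header, and the staleness check (plaintext newer than its .asc) are this example's own assumptions. It relies on GNU find and GNU grep (--exclude, --exclude-dir).

```sh
#!/bin/sh
# Added example: report every sensitive file that has no usable encrypted
# counterpart, so that a caller can abort before shredding anything.
# A file is "sensitive" if its name ends in .pass or if it contains $MARKER.
# Its counterpart is "<file>.asc" and must exist, be non-empty, start with the
# OpenPGP armour header, and be at least as new as the plaintext.

MARKER="codeartha.git.secure"   # assumed marker string, taken from the TODO

# Print every sensitive file under $1, one path per line, without duplicates
# (a .pass file that also contains the marker is listed once).
sensitive_files() {
    dir=$1
    {
        find "$dir" -type f -name "*.pass"
        # GNU grep: skip ciphertexts and the .git directory; no match is not an error
        grep -rl --exclude="*.asc" --exclude-dir=.git -- "$MARKER" "$dir" 2>/dev/null || true
    } | sort -u
}

# Print "<file>: <reason>" for each sensitive file whose ciphertext is missing,
# empty, not an armoured OpenPGP message, or older than the plaintext.
unencrypted_files() {
    dir=$1
    sensitive_files "$dir" | while IFS= read -r f; do
        enc="$f.asc"
        if [ ! -s "$enc" ]; then
            echo "$f: no encrypted version"
        elif ! head -n 1 "$enc" | grep -q '^-----BEGIN PGP MESSAGE-----$'; then
            echo "$f: $enc is not an OpenPGP armoured message"
        elif [ "$f" -nt "$enc" ]; then
            echo "$f: $enc is older than the plaintext (stale ciphertext)"
        fi
    done
}

# Return 0 when every sensitive file under $1 is properly encrypted, else print
# the problems on stderr and return 1 (the caller should abort, not shred).
check_encrypted() {
    problems=$(unencrypted_files "$1")
    if [ -z "$problems" ]; then
        return 0
    else
        printf '%s\n' "$problems" >&2
        return 1
    fi
}

# Usage when run as a script: sh check_encrypted.sh <directory>
[ $# -eq 0 ] || check_encrypted "$1"
```

In the gist's workflow this check would replace the file-count comparison: run it after gpg and only call shred when it returns 0. The staleness test matters because a .pass edited after its .pass.asc was produced would otherwise be shredded while the repository keeps the old ciphertext.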
Use at your own discretion. I prefer using this with private repos, but since OpenPGP, which uses AES-128 by default (and can use AES-256), is plenty strong, it could also be used on public repos without too much fear. I don't save critical passwords nonetheless.