@sedrubal
Last active January 7, 2025 12:36
Ansible Vault Password Management using gpg
#!/usr/bin/env bash
# Vault password client: prints the decrypted vault password on stdout.
# Point Ansible at it (ansible.cfg `vault_password_file = <this script>` or
# `--vault-password-file <this script>`); Ansible executes the file and uses
# its stdout as the vault password, so only admins whose gpg key can decrypt
# vault_pw.gpg are able to run the playbooks.
gpg --quiet --batch --use-agent --decrypt "${BASH_SOURCE%/*}/vault_pw.gpg"

#!/usr/bin/env bash
# Encrypt the vault password for all authorized admins
set -e
# The plaintext password briefly exists on disk; keep it owner-readable only.
umask 077
DECRYPTED_PW_FILE="${BASH_SOURCE%/*}/vault_pw"
ENCRYPTED_PW_FILE="${DECRYPTED_PW_FILE}.gpg"
# Full key fingerprints of everybody who may read the vault password.
# Add or remove admins here and re-run the script.
declare -A ADMIN_KEYS
ADMIN_KEYS["0xC839DB1EC3F4BBA9F9BE7406E6CE0A10496C1733"]="Sebastian Endres <[email protected]>"
if [ ! -f "${DECRYPTED_PW_FILE}" ]; then
    if [ ! -f "${ENCRYPTED_PW_FILE}" ]; then
        echo "🗲 Neither the encrypted nor the decrypted password file exist."
        echo "  encrypted password file: ${ENCRYPTED_PW_FILE}"
        echo "  decrypted password file: ${DECRYPTED_PW_FILE}"
        exit 1
    fi
    echo "🛈 Decrypting password file"
    rm -f "${DECRYPTED_PW_FILE}"
    gpg --quiet --batch --use-agent --output "${DECRYPTED_PW_FILE}" --decrypt "${ENCRYPTED_PW_FILE}"
fi
echo "🛈 Encrypting password file for new recipients"
recipient_args=()
for key in "${!ADMIN_KEYS[@]}"; do
    echo "  → encrypting to '${ADMIN_KEYS[$key]}'"
    recipient_args+=("--recipient=${key}")
done
# Write to a temporary file first so that a failed gpg run (missing key,
# agent not available, ...) does not leave us without any encrypted copy.
TMP_ENCRYPTED_PW_FILE="${ENCRYPTED_PW_FILE}.tmp"
rm -f "${TMP_ENCRYPTED_PW_FILE}"
# --always-trust skips the web-of-trust check; acceptable here because the
# recipients are pinned by full fingerprint in ADMIN_KEYS.
gpg --quiet --batch --use-agent --output "${TMP_ENCRYPTED_PW_FILE}" --always-trust "${recipient_args[@]}" --encrypt "${DECRYPTED_PW_FILE}"
mv -f "${TMP_ENCRYPTED_PW_FILE}" "${ENCRYPTED_PW_FILE}"
# Remove the plaintext only after the new encrypted copy is in place.
rm -f "${DECRYPTED_PW_FILE}"
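The encrypt script decides who can read the vault password, so the matching check is to audit which keys vault_pw.gpg is actually encrypted to. The following is an added example, not code from the gist: it parses `gpg --list-packets` output and compares the recipient key IDs with an allow list. Assumed: the allow list holds the long IDs of the admins' encryption subkeys, `recipient_keyids`, `check_recipients` and `audit_vault_pw` are names chosen here, and the sample listing is constructed.

```shell
#!/usr/bin/env sh
# Recipient audit for vault_pw.gpg (added example, not part of the gist).
# Flags recipients that are not current admins (access was never rotated away)
# and admins that are not recipients (the file was not re-encrypted for them).
set -eu
export LC_ALL=C   # comm/sort must use the same collation on both sides

# Print the key IDs named in `gpg --list-packets` output read from stdin.
# gpg encrypts to the encryption *subkey*, so these are subkey IDs as shown by
# `gpg --list-keys --keyid-format long`, not the primary key fingerprints.
# A hidden recipient (--throw-keyids) appears as all zeros and gets flagged.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet: .*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# check_recipients <list-packets output file> <allowed key id>...
# Returns 0 only when the recipient set equals the allowed set.
check_recipients() {
    packets="$1"; shift
    allowed_file=$(mktemp)
    printf '%s\n' "$@" | tr 'a-f' 'A-F' | sort -u > "$allowed_file"
    unexpected=$(recipient_keyids < "$packets" | comm -23 - "$allowed_file")
    missing=$(recipient_keyids < "$packets" | comm -13 - "$allowed_file")
    rm -f "$allowed_file"
    status=0
    for k in $unexpected; do echo "unexpected recipient (rotate the vault password): $k"; status=1; done
    for k in $missing; do echo "admin is not a recipient (re-run the encrypt script): $k"; status=1; done
    return $status
}

# audit_vault_pw <vault_pw.gpg> <allowed key id>...  (needs gpg; not run below)
audit_vault_pw() {
    listing=$(mktemp); rc=0
    # --list-packets also tries to decrypt the payload; its exit status is
    # ignored because only the packet listing is needed.
    gpg --batch --pinentry-mode cancel --list-packets "$1" > "$listing" 2>/dev/null || true
    shift; check_recipients "$listing" "$@" || rc=$?
    rm -f "$listing"; return $rc
}

# Constructed sample listing (not captured from a real file): one admin subkey
# plus one hidden recipient, which the audit must report.
SAMPLE_PACKETS=$(mktemp)
cat > "$SAMPLE_PACKETS" <<'EOF'
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
	data: [4095 bits]
:pubkey enc packet: version 3, algo 18, keyid 0000000000000000
	data: [263 bits]
:encrypted data packet:
EOF
check_recipients "$SAMPLE_PACKETS" 0123456789ABCDEF || echo "audit FAILED for sample"
```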