@sedrubal
Last active January 7, 2025 08:22
Ansible Vault Password Management using gpgsm / S/MIME

#!/bin/bash
# decrypt-vault_pw.sh: prints the Ansible vault password, for use as the
# --vault-password-file script. Any extra arguments (e.g. --output=FILE)
# are passed straight through to gpgsm.
set -euo pipefail

set +e
# gpgsm exits with code 2 if the file is encrypted to multiple recipients and
# we don't have the private keys for at least one of the recipients.
# We ignore these error messages and exit with exit code 0 in that case.
# The process substitution filters only those two lines out of stderr;
# every other gpgsm diagnostic is still shown.
gpgsm --batch "$@" --decrypt "${BASH_SOURCE%/*}/vault_pw.gpg" 2> \
    >(
        grep -v \
            -e "gpgsm: error decrypting session key: No secret key" \
            -e "gpgsm: decrypting session key failed: No secret key" 1>&2
    )
EXIT_CODE=$?
set -e

if (( EXIT_CODE == 2 )); then
    exit 0
else
    exit "${EXIT_CODE}"
fi

#!/bin/bash
# Encrypt the vault password for all authorized admins.
# Run this after adding or removing an admin: it decrypts the current
# password with your own key and re-encrypts it to every key in ADMIN_KEYS.
set -euo pipefail

SCRIPT_DIR="${BASH_SOURCE%/*}"
DECRYPTED_PW_FILE="${SCRIPT_DIR}/vault_pw"
ENCRYPTED_PW_FILE="${DECRYPTED_PW_FILE}.gpg"

# Certificate fingerprint -> admin, in the form gpgsm --recipient accepts.
# The fingerprints below are example values.
declare -A ADMIN_KEYS
ADMIN_KEYS["00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:12:34:56:78"]="[email protected]"
ADMIN_KEYS["12:34:56:78:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"]="[email protected]"

# Only decrypt if no plaintext copy is left over from a previous run.
if [ ! -f "${DECRYPTED_PW_FILE}" ]; then
    echo "[i] Decrypting password file"
    "${SCRIPT_DIR}/decrypt-vault_pw.sh" "--output=${DECRYPTED_PW_FILE}"
fi

rm -f "${ENCRYPTED_PW_FILE}"
echo "[i] Encrypting password file for new recipients"
recipient_args=()
for key in "${!ADMIN_KEYS[@]}"; do
    echo "Encrypting to ${ADMIN_KEYS[$key]}"
    recipient_args+=("--recipient=${key}")
done
gpgsm --batch --armor --output="${ENCRYPTED_PW_FILE}" "${recipient_args[@]}" --encrypt "${DECRYPTED_PW_FILE}"

# Remove the plaintext copy again; it only has to exist while re-encrypting.
rm -f "${DECRYPTED_PW_FILE}"
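As an added example (not the gist's own code), a hardened variant of decrypt-vault_pw.sh: it keeps tolerating gpgsm's exit code 2 for recipients whose private key we lack, but fails when gpgsm produced no plaintext at all, so Ansible can never be handed an empty vault password silently. The GPGSM override variable and the temp-directory layout are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of the gist: a hardened drop-in for decrypt-vault_pw.sh.
# It keeps the gist's behaviour of tolerating gpgsm exit code 2 (a recipient
# whose private key we do not hold) but refuses to report success when no
# plaintext was produced.
# Assumption: GPGSM may point at another gpgsm-compatible binary (used for testing).
set -eu

GPGSM="${GPGSM:-gpgsm}"

# Drop the two stderr lines gpgsm prints for recipients we have no key for;
# every other diagnostic is passed through. '|| true' because grep -v exits 1
# when nothing is left to print.
filter_gpgsm_noise() {
    grep -v \
        -e "gpgsm: error decrypting session key: No secret key" \
        -e "gpgsm: decrypting session key failed: No secret key" || true
}

# decrypt_vault_pw ENCRYPTED_FILE  -> vault password on stdout
# The body runs in a subshell, so 'exit' below only ends that subshell and the
# EXIT trap removes the temp directory on every return path.
decrypt_vault_pw() (
    encrypted="$1"
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    rc=0
    "$GPGSM" --batch --output="$work/plain" --decrypt "$encrypted" \
        2>"$work/stderr" || rc=$?
    filter_gpgsm_noise <"$work/stderr" >&2
    # Anything other than 0 or 2 is an unrelated gpgsm failure: pass it on.
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then
        exit "$rc"
    fi
    # Exit code 2 is also what gpgsm returns when none of the recipient keys is
    # usable; then nothing was written and the original script would still
    # exit 0 with empty output. Treat an empty plaintext as a hard error.
    if [ ! -s "$work/plain" ]; then
        echo "decrypt_vault_pw: gpgsm produced no plaintext (no usable secret key?)" >&2
        exit 1
    fi
    cat "$work/plain"
)

# As a vault password script, call it on the file next to this script:
#   decrypt_vault_pw "${BASH_SOURCE%/*}/vault_pw.gpg"
```

Because the plaintext goes through a private temp directory instead of gpgsm's --output, the caller receives it on stdout only, which is exactly what Ansible expects from a vault password script.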