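#!/usr/bin/env bash
# USAGE: ./creds-encrypt.sh path/to/file.gpg
# Find the machine-id and credential.secret.gpg files
# in an ancestor directory, to reencrypt path/to/file.gpg
# into path/to/file.cred
#
# The decrypted host key and the repository's machine-id are bind-mounted
# over /var/lib/systemd/credential.secret and /etc/machine-id inside a
# private mount namespace, so the live host files are never modified and
# the plaintext key only exists in a tmpfs file that is shredded on exit.
set -eu
set -o pipefail

gpg=$(realpath -- "$1")
base=${gpg%.gpg}

# Walk up from the file's directory to the first ancestor holding a
# machine-id; that directory is expected to hold credential.secret.gpg too.
# Fail with a clear message instead of letting gpg trip over a missing file.
cd "$(dirname -- "$gpg")"
while [[ "$PWD" != / ]]; do
  [[ -f machine-id ]] && break
  cd ..
done
for required in machine-id credential.secret.gpg; do
  if [[ ! -f "$required" ]]; then
    printf '%s: no %s found in an ancestor directory of %s\n' \
      "${0##*/}" "$required" "$gpg" >&2
    exit 1
  fi
done

# Plaintext host key: owner-only, on tmpfs, shredded whatever the outcome.
# The unshared root chmods it to 400 below, so restore write access first
# or shred cannot overwrite it.
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
trap 'chmod 600 -- "$SECRET"; shred --remove=unlink -- "$SECRET"' EXIT
set -e${XTRACE:+x}
gpg --yes --output "$SECRET" --decrypt credential.secret.gpg

# Privileged part, run by root in a private mount namespace.  The secret
# path, output base and owner are passed as positional parameters rather
# than interpolated into the script text, so a path containing quotes or
# other shell metacharacters cannot change what root executes.  The
# encrypted credential is written to a root-owned 0600 temporary file and
# only renamed onto its final name once systemd-creds succeeded, so a
# failed encryption leaves no empty or truncated .cred behind (the old
# pipeline into install(1) reported install's status, not systemd-creds').
inner=$(cat <<'EOF'
set -eu
secret=$1 base=$2 owner=$3
chmod 400 -- "$secret"
mount --bind "$secret" /var/lib/systemd/credential.secret
mount --bind machine-id /etc/machine-id
tmp=$(mktemp -- "$base.cred.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
systemd-creds encrypt --with-key=host --name "${base##*/}" - - >"$tmp"
chown -- "$owner:users" "$tmp"
chmod 400 -- "$tmp"
mv -f -- "$tmp" "$base.cred"
trap - EXIT
EOF
)

gpg --decrypt "$gpg" |
  sudo unshare --mount sh "-${XTRACE:+x}c" "$inner" creds-encrypt \
    "$SECRET" "$base" "${USER:-$(id -un)}"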