-
Notifications
You must be signed in to change notification settings - Fork 3
/
encrypt_file
executable file
·87 lines (68 loc) · 2.96 KB
/
encrypt_file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#!/usr/bin/env bash
## Encrypt a file within a repository, creating a `${file}.encrypted` file.
## Remember to `.gitignore` the original file path, and to purge it from git history if needed.
# Load common tools
CRYPTIC_REPO="$( dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" )"
source "${CRYPTIC_REPO}/lib/argparse.sh"
source "${CRYPTIC_REPO}/lib/common.sh"
# Get the repository root
find_repository_root
# Look for the repo key
find_repo_key
# Get the file paths to encrypt
if [[ "$#" -ge 1 ]]; then
FILE_PATH="${1}"
else
read -e -p 'File to encrypt: ' FILE_PATH
fi
# If this is a reachable file, use that
if [[ -f "${FILE_PATH}" ]]; then
FILE_PATH="$(realpath "${FILE_PATH}")"
# If this was not reachable, but it's a repo-relative path, use that
elif [[ -f "${REPO_ROOT}/${FILE_PATH}" ]]; then
FILE_PATH="$(realpath "${REPO_ROOT}/${FILE_PATH}")"
else
die "File path '${FILE_PATH}' not found!"
fi
# Extract the repo-relative location
FILE_PATH="${FILE_PATH#${REPO_ROOT}/}"
# Check to make sure there's not already a `.encrypted` file:
ENC_FILE_PATH="${REPO_ROOT}/${FILE_PATH}.encrypted"
if [[ -f "${ENC_FILE_PATH}" ]]; then
die "Encrypted file path '${ENC_FILE_PATH}' already exists!"
fi
# Do the actual encryption
encrypt_aes "${REPO_KEY_PATH}" <"${REPO_ROOT}/${FILE_PATH}" >"${ENC_FILE_PATH}"
cat <<-EOD
Congratulations, you have successfully encrypted a secret.
The file has been encrypted into the path '${FILE_PATH}.encrypted'.
EOD
# Check to see if the unencrypted file is `.gitignored` already:
if ! git -C "${REPO_ROOT}" check-ignore -q "${REPO_ROOT}/${FILE_PATH}"; then
# If it hasn't been, add it to a `.gitignore` automatically
GITIGNORE_PATH="$(dirname "${REPO_ROOT}/${FILE_PATH}")/.gitignore"
basename "${FILE_PATH}" >> "${GITIGNORE_PATH}"
# Check to see if it was ever added to a git repository:
if [[ "$(git log --all --pretty=format: --name-only --diff-filter=A "${REPO_ROOT}/${FILE_PATH}" | wc -l)" -gt 0 ]]; then
cat <<-EOD
It appears that it was previously checked into this repository; we highly recommend
deleting its history to truly eliminate it. We suggest using a tool such as the
excellent 'git-filter-repo' to do this: https://github.com/newren/git-filter-repo
EOD
fi
cat <<-EOD
We have automatically added a rule to ${GITIGNORE_PATH} to ignore the unencrypted
file in the future, please verify that the ignore pattern is as you wish it to be.
EOD
fi
cat <<-EOD
Add the following plugin stanza to the step you want to have access to the secret.
Be sure to minimize the number of steps that have access to this secret information, as
for true security you should lock down the CI configuration through treehashing your
repository's pipeline.yaml files. See the top-level README.md for more information on
locking down CI configuration and next steps.
plugins:
- staticfloat/cryptic:
files:
- ${FILE_PATH}
EOD