vault-gpg script to unlock GPG keys using Vault stored passwords #blog
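#!/bin/bash
# vault-gpg: preload the passphrase of a GPG secret key into gpg-agent, taking
# the passphrase from a HashiCorp Vault secret instead of typing it.
#
# Usage:    vault-gpg <key-id>
# Reads:    Vault secret "/secret/gpg-key/<key-id>", field "passphrase"
# Needs:    a logged-in `vault` CLI; `allow-preset-passphrase` in gpg-agent.conf
# Exits:    0 on success
#           1 if gpg-agent rejects the passphrase or no fingerprint was found
#           2 if no/unknown key is given or Vault returns no passphrase
#
# The passphrase is never placed on a command line (argv is visible to other
# users via `ps`); it is passed to the hex encoder and to gpg-connect-agent
# over stdin only.
set -euo pipefail

KEY=${1:-}

# Check that some secret key exists before talking to Vault. The listing is
# captured first so `grep -q` closing its input early cannot trip pipefail.
# NB: this is a fixed-string match against the whole listing (ids and uids),
# kept from the original behaviour.
SECRET_LISTING=$(gpg --list-secret-keys 2>/dev/null || true)
if [[ -z "${KEY}" ]] || ! grep -qF -- "${KEY}" <<<"${SECRET_LISTING}"; then
  printf '%s\n' "No key given or no secret key found for '${KEY}'" >&2
  exit 2
fi

# Read password for this key. A failing `vault` command is treated the same
# as an empty passphrase so the message below is shown rather than a bare
# non-zero exit from `set -e`. (Named PASSPHRASE, not PWD: PWD is a shell
# built-in variable and must not be reused.)
PASSPHRASE=$(vault read --field=passphrase "/secret/gpg-key/${KEY}") || PASSPHRASE=""
if [[ -z "${PASSPHRASE}" ]]; then
  printf '%s\n' "Could not read passphrase from vault." >&2
  exit 2
fi

# gpg-agent wants the passphrase as a lowercase hex string. `od` is POSIX and
# avoids both a Python 2 dependency and interpolating the secret into code
# (a quote in the passphrase would have broken out of the old `python -c`).
HEXPWD=$(printf '%s' "${PASSPHRASE}" | od -An -tx1 -v | tr -d ' \n')

# Collect the cache ids to preset. The machine-readable `fpr` records are
# locale-independent and stable across gpg versions, unlike grepping for the
# English word "fingerprint".
# NOTE(review): this presets the cache under the key *fingerprint*, as the
# original script did. GnuPG 2.1+ keys the agent cache by keygrip instead
# (`gpg --with-keygrip`); confirm against the installed GnuPG version.
PRESET_COUNT=0
while IFS= read -r FINGERPRINT; do
  [[ -n "${FINGERPRINT}" ]] || continue
  # Feed the command over stdin; gpg-connect-agent reads Assuan commands from
  # stdin when none is given on the command line. A rejected preset answers
  # with an ERR line rather than a non-zero exit, so the reply is inspected.
  REPLY=$(printf 'PRESET_PASSPHRASE %s -1 %s\n' "${FINGERPRINT}" "${HEXPWD}" \
    | gpg-connect-agent -q 2>/dev/null) || REPLY=""
  if ! grep -q '^OK' <<<"${REPLY}"; then
    printf '%s\n' "An error occurred while caching password in GPG agent" >&2
    exit 1
  fi
  PRESET_COUNT=$((PRESET_COUNT + 1))
done < <(gpg --with-colons --fingerprint --fingerprint "${KEY}" 2>/dev/null \
  | awk -F: '$1 == "fpr" { print $10 }')

# Zero fingerprints would previously have been reported as success.
if (( PRESET_COUNT == 0 )); then
  printf '%s\n' "No fingerprint found for '${KEY}'; nothing was cached" >&2
  exit 1
fi

printf '%s\n' "Successfully cached password in GPG agent"
exit 0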