-
-
Save dln/3c9665d70d94bd99e74b3245d05af60e to your computer and use it in GitHub Desktop.
A convenience script for using secrets on the commandline using keyctl as keyring
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Author: Daniel Lundin <dln@arity.se> | |
| # | |
| # Convenience script to hide sensitive variables on the command line. | |
| # Uses keyctl to store secrets in the keyring. | |
| # | |
| # Example usage: mycommand --user=foo --password=$(pw mypass) | |
| set -eo pipefail | |
| purge=0 | |
| ttl=${PW_TTL:-259200} | |
| usage() { echo "Usage: $0 [-t SECONDS] [-f] SECRET_NAME" 1>&2; exit 1; } | |
| while getopts ":ft:" o; do | |
| case "${o}" in | |
| f) | |
| purge=1 | |
| ;; | |
| t) | |
| ttl=${OPTARG} | |
| ;; | |
| *) | |
| usage | |
| ;; | |
| esac | |
| done | |
| shift $((OPTIND-1)) | |
| var="$1" | |
| shift || usage | |
| [ -z "$1" ] || usage | |
| key="pw.${var}" | |
| if [ "${purge}" == "1" ]; then | |
| keyctl purge user "${key}" >>/dev/null 2>&1 || true | |
| fi | |
| out=$(systemd-ask-password --accept-cached --keyname="${key}" "${var}:") | |
| key_id=$(keyctl request user "${key}" 2>/dev/null) | |
| keyctl timeout "$key_id" "$ttl" | |
| printf "%s" "$out" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment