sops seal/unseal functions
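# Encrypt every plaintext secret under $(PTH) (default: the current directory)
# by handing each path to ./scripts/seal-sops. Already-sealed artefacts
# (.enc/.asc/.sealed/.matrix) are filtered out first. A failing seal now aborts
# the target with a non-zero status instead of being masked by the loop (a
# pipeline only reports the status of its last command, `done`).
# Paths containing a newline are not supported (newline-separated stream).
.PHONY: seal-sops
seal-sops: ## SOPS Encrypt all secrets path matching [_sec|secret|config|*.secret*]
	@find $(or $(strip $(PTH)),.) \( -path "*/_sec/*" -o -path "*/secret/*" -o \( -path "*/config/*" -name "*.secret*" \) \) -type f | \
	grep -Ev '(\.enc|\.asc|\.sealed|\.matrix)' | \
	while IFS= read -r file; do \
		./scripts/seal-sops "$$file" || exit 1; \
	done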
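# Decrypt every sops ciphertext under $(PTH) (default: the current directory)
# by handing each *.enc / *.enc.* path to ./scripts/unseal-sops. A failing
# decryption aborts the target with a non-zero status instead of being masked
# by the loop. Paths containing a newline are not supported.
# The outputs are plaintext secrets written into the tree next to the
# ciphertext; presumably those paths are gitignored (seal-sops stages its
# output with `git add -f`) — confirm before running this over a checkout.
.PHONY: unseal-sops
unseal-sops: ## SOPS Decrypt all secrets (suffix: .enc and .enc.yaml)
	@find $(or $(strip $(PTH)),.) \( -name "*.enc" -o -name "*.enc.*" \) -type f | \
	while IFS= read -r file; do \
		./scripts/unseal-sops "$$file" || exit 1; \
	done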
#!/bin/bash -e
# sops-seal: encrypt a file if it changed; the ciphertext gets ".enc" inserted before its suffix (or as the suffix when there is none)
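# sops-seal FILE
#   Encrypt FILE with sops into <dir>/<base>.enc<ext> alongside it
#   (foo.yaml -> foo.enc.yaml, foo -> foo.enc). When the ciphertext already
#   exists it is only rewritten if the plaintext differs from its decrypted
#   content; the ciphertext is staged with `git add -f` either way.
#   Config file: $SOPS_CONFIG (default .sops.yaml), passed to every sops call.
#   Returns 1 on a missing/unreadable argument or a failed encryption.
sops-seal() {
  local file="$1"
  if [[ -z "$file" || ! -f "$file" ]]; then
    echo "sops-seal: expected one plaintext file, got '${file}'" >&2
    return 1
  fi
  local sops_config="${SOPS_CONFIG:-.sops.yaml}"

  local fullname="${file##*/}"
  local dirname="${file%/*}"
  # A bare filename has no '/', so ${file%/*} returns it unchanged; the
  # original compared against an unset $path here and never took this branch,
  # producing a "<file>/<base>.enc" destination for such inputs.
  [[ "$dirname" == "$file" ]] && dirname="."
  local basename="${fullname%.*}"
  local extension=".${fullname##*.}"
  # Without a '.', ${fullname##*.} is the whole name: there is no extension.
  [[ "$extension" == ".$basename" ]] && extension=""
  local dest="${dirname}/${basename}.enc${extension}"

  local reencrypt=1
  if [[ -e "$dest" ]]; then
    # The decrypted content stays in the process-substitution pipe, never on disk.
    if diff "$file" <(sops --config "$sops_config" -d "$dest") > /dev/null; then
      reencrypt=0
    else
      echo " ${dest}"
    fi
  fi
  if (( reencrypt )); then
    # Encrypt to a temp name and rename, so a failing sops run leaves the
    # previous ciphertext intact (the original rm'd it before re-encrypting).
    if ! sops -e --config "$sops_config" --output "${dest}.tmp" "$file"; then
      rm -f "${dest}.tmp"
      return 1
    fi
    mv -f "${dest}.tmp" "$dest"
  fi
  # -f: presumably the secrets directory is gitignored — confirm.
  git add -f "$dest"
}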
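# Quote "$@" so a path containing spaces reaches the function as one argument.
sops-seal "$@"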
#!/bin/bash
# sops-unseal: decrypt files, removing the ".enc" marker from the name (file.enc.suffix -> file.suffix)
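# sops-unseal FILE...
#   Decrypt each sops ciphertext FILE next to itself, dropping the ".enc"
#   marker from the name: foo.enc -> foo, foo.enc.yaml -> foo.yaml.
#   Arguments whose basename has no ".enc" marker are skipped with a message,
#   since the derived output name would be wrong (the original wrote to
#   "<name>.<ext>" again, e.g. foo.yaml -> foo.yaml.yaml).
#   Config file: $SOPS_CONFIG (default .sops.yaml).
#   Returns 1 if any decryption failed; the remaining files are still tried.
#   NOTE(review): outputs are plaintext secrets written into the tree — they
#   are presumably gitignored (sops-seal stages with `git add -f`); confirm.
sops-unseal() {
  local sops_config="${SOPS_CONFIG:-.sops.yaml}"
  local file dest failed=0
  # Iterate the arguments themselves: `$(ls $@)` word-split the names and,
  # for a directory argument, yielded bare entries without their path.
  for file in "$@"; do
    # For "*.enc.*" keep everything after ".enc." so multi-part suffixes
    # survive (foo.enc.tar.gz -> foo.tar.gz; last-extension logic gave foo.gz).
    case "${file##*/}" in
      *.enc)   dest="${file%.enc}" ;;
      *.enc.*) dest="${file%.enc.*}.${file##*.enc.}" ;;
      *)
        echo "sops-unseal: skipping '${file}' (no .enc marker in name)" >&2
        continue
        ;;
    esac
    echo " ${dest}"
    sops -d --config "$sops_config" --output "$dest" "$file" || failed=1
  done
  return "$failed"
}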
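# Quote "$@" so paths containing spaces reach the function as single arguments.
sops-unseal "$@"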