sops seal/unseal functions
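# seal-sops: encrypt every plaintext secret under $(PTH) with ./scripts/seal-sops.
# Candidates are regular files under a _sec/ or secret/ directory, or files under
# config/ whose name contains ".secret"; anything already encrypted/signed
# (.enc, .asc, .sealed, .matrix) is filtered out.  Paths are NUL-delimited end to
# end so names containing spaces or backslashes survive the pipeline
# (GNU find/grep).  If PTH is empty, GNU find searches the current directory.
.PHONY: seal-sops
seal-sops: ## SOPS Encrypt all secrets path matching [_sec|secret|config|*.secret*]
	@find $(PTH) \( -path "*/_sec/*" -type f -o -path "*/secret/*" -type f \
	    -o -path "*/config/*" -name "*.secret*" -type f \) -print0 |\
	grep -zEv '(\.enc|\.asc|\.sealed|\.matrix)' |\
	while IFS= read -r -d '' file; do \
	    ./scripts/seal-sops "$$file"; \
	done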
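# unseal-sops: decrypt every sops ciphertext under $(PTH) with ./scripts/unseal-sops.
# Matches regular files named "*.enc" or "*.enc.<ext>".  Paths are NUL-delimited
# so names with spaces or backslashes are passed through intact (GNU find).
# If PTH is empty, GNU find searches the current directory.
.PHONY: unseal-sops
unseal-sops: ## SOPS Decrypt all secrets (suffix: .enc and .enc.yaml)
	@find $(PTH) \( -name "*.enc" -o -name "*.enc.*" \) -type f -print0 |\
	while IFS= read -r -d '' file; do \
	    ./scripts/unseal-sops "$$file"; \
	done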
#!/bin/bash -e | |
# sops-seal: encrypt a file if it is new or modified (inserts .enc before its suffix, or appends .enc when it has none)
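# sops-seal FILE
#   Encrypt FILE with sops to "<dir>/<base>.enc<ext>" beside it.  An existing
#   ciphertext is only rewritten when FILE differs from what it decrypts to;
#   the resulting ciphertext is then force-added to git.  Honours $SOPS_CONFIG
#   (default: .sops.yaml).  The script runs under `bash -e`, so any failing
#   step aborts the whole run.
sops-seal() {
    local file=$1
    local config="${SOPS_CONFIG:-.sops.yaml}"
    local fullname="${file##*/}"
    local dirname="${file%/*}"
    local basename extension dest

    # A bare filename has no '/', so ${file%/*} returns it unchanged; treat that
    # as the current directory.  (Comparing against an unset $path, as before,
    # never took this branch and produced "<file>/<base>.enc<ext>".)
    [[ "$dirname" == "$file" ]] && dirname="."

    # Split "name.ext" into "name" + ".ext".  Dotfiles and extension-less names
    # keep the whole name as the stem, so ".env" -> ".env.enc", not ".enc.env".
    if [[ "$fullname" == ?*.* ]]; then
        basename="${fullname%.*}"
        extension=".${fullname##*.}"
    else
        basename="$fullname"
        extension=""
    fi
    dest="${dirname}/${basename}.enc${extension}"

    if [[ ! -e "$dest" ]]; then
        sops -e --config "$config" --output "$dest" "$file"
    elif ! diff -q "$file" <(sops --config "$config" -d "$dest") > /dev/null; then
        # Plaintext changed (or the old ciphertext no longer decrypts): encrypt to
        # a temp file and move it into place, so a failed sops run never leaves
        # the previous ciphertext deleted.
        echo " ${dest}"
        sops -e --config "$config" --output "$dest.tmp" "$file"
        mv -f "$dest.tmp" "$dest"
    fi
    git add -f "$dest"
}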
sops-seal $@ |
#!/bin/bash | |
# sops-unseal: decrypt files, stripping the `.enc` marker (file.enc.suffix -> file.suffix, file.enc -> file)
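# sops-unseal FILE...
#   Decrypt each sops ciphertext FILE, named "<name>.enc" or "<name>.enc<ext>",
#   to "<name><ext>" beside it, honouring $SOPS_CONFIG (default: .sops.yaml).
#   Names without a ".enc" marker are skipped with a warning instead of being
#   mangled.  Returns 1 as soon as a decryption fails.
sops-unseal() {
    local config="${SOPS_CONFIG:-.sops.yaml}"
    local file stem rest dest
    # Iterate the arguments directly; the previous `$(ls $@)` word-split the
    # listing and dropped directory components.
    for file in "$@"; do
        if [[ "$file" != *.enc && "$file" != *.enc.* ]]; then
            echo "sops-unseal: skipping '$file' (no .enc suffix)" >&2
            continue
        fi
        # Split at the LAST ".enc": "a/b.enc.tar.gz" -> "a/b" + ".tar.gz",
        # "a/b.enc" -> "a/b" + "", so multi-part suffixes are preserved.
        stem="${file%.enc*}"
        rest="${file##*.enc}"
        dest="${stem}${rest}"
        echo " ${dest}"
        sops -d --config "$config" --output "$dest" "$file" || return 1
    done
}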
sops-unseal $@ |