feat: rekey only specific identity #295
Conversation
Currently rekey re-encrypts all files.

For my personal use-case, agenix would ideally only rekey files that require rekeying, i.e. files where the identities changed. But I don’t think there’s an (easy) way to achieve that with `age` currently, as there’s no way to get the current recipients from an encrypted file? This change would allow the user to manually specify that only secrets that contain a given identity should be rekeyed.

In my use-case this is handy as when I add a new server I want all secrets that are shared between servers (where the new identity was added) to be rekeyed, but I don’t want all secrets that are personal to different servers to also be rekeyed.
@@ -13,7 +13,7 @@ function show_help () { | |||
echo '-h, --help show help' | |||
# shellcheck disable=SC2016 | |||
echo '-e, --edit FILE edits FILE using $EDITOR' | |||
echo '-r, --rekey re-encrypts all secrets with specified recipients' | |||
echo '-r, --rekey [PUBLIC_KEY] re-encrypts all secrets with specified recipients' |
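Review bot: the help text still says "re-encrypts all secrets" although the new `[PUBLIC_KEY]` argument restricts rekeying to the secrets that grant that key; the line should say what the argument does, e.g. `echo '-r, --rekey [PUBLIC_KEY] re-encrypts all secrets, or only those whose recipients include PUBLIC_KEY'`. An optional value placed directly after a flag also makes the option loop ambiguous (the later comment notes that `--rekey -v` breaks); a separate option that always takes a value, for instance `--rekey-identity KEY` (hypothetical name), would keep `-r`/`--rekey` unambiguous.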
Not sure if this makes sense here. It makes parsing harder, e.g. --rekey -v is currently broken.
@@ -77,6 +78,10 @@ while test $# -gt 0; do | |||
;; | |||
-r|--rekey) | |||
shift | |||
if test $# -gt 0; then |
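Review bot: `if test $# -gt 0; then` right after `shift` treats whatever follows as the public key, so `--rekey -v` or `--rekey -e FILE` consumes `-v` or `-e` as the key and that option is lost. Guard the branch so an argument beginning with `-` is left for the option loop, e.g. `if test $# -gt 0 && test "${1#-}" = "$1"; then`. The accepted value is also worth a sanity check before it is used (non-empty, and shaped like an `age1...` recipient or an SSH public key), since an unexpected string would otherwise be spliced into the filter as-is.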
TODO: Fix e.g. --rekey -v
FILTER_EXPRESSION="true"; | ||
fi | ||
|
||
RULES_EXPRESSION=$(cat <<EOF |
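Review bot: a here document is a reasonable way to build a multi-line expression, but note that with an unquoted `<<EOF` the shell expands every `$...` in the body, and `FILTER_EXPRESSION` (which defaults to the literal `true` and otherwise derives from the command-line key) is presumably pasted into that body as raw expression text. A key containing a quote, `${` or a newline would then break or alter the generated expression rather than just fail to match; escape the key when the filter is built, or hand it to the evaluation as a separate string argument (an `--argstr`-style parameter, if the evaluator call supports one) instead of interpolating it.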
Does using a here document make sense here? I tried fitting it all in the single line but that isn't pretty.
The syntax currently isn't great, but works for me now. I am open to implementing improvements here.
Example:
agenix --rekey 'ssh-ed25519 AA... root@some-host'
Are you in general open to this feature? This PR is more of a draft but "works".
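As an added example (not agenix's own code and not part of this PR), the POSIX shell sketch below shows the two pieces the discussion turns on: an option loop that accepts `--rekey [PUBLIC_KEY]` without swallowing a following flag such as `-v`, and a per-secret decision that selects only the secrets whose recipient list contains the given key, with an empty key selecting everything (the `FILTER_EXPRESSION="true"` default). The recipient table, secret file names and key strings are constructed for the example, and `parse_rekey`, `secrets_to_rekey` and `is_plausible_key` are hypothetical helper names; real agenix reads recipients from its Nix rules file, which the flat text table here stands in for.

```shell
#!/bin/sh
# Added example, not agenix code. Demonstrates an optional --rekey argument
# that never consumes a following option, plus the "only secrets containing
# this recipient" selection the PR description asks for.

# Constructed sample rules: one "<secret file>:<recipient>" pair per line.
# (agenix keeps this in a Nix rules file; a flat table suffices to show the logic.)
SAMPLE_RULES='shared.age:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 root@host-a
shared.age:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2 root@host-b
host-a-only.age:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 root@host-a
host-b-only.age:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2 root@host-b'

# is_plausible_key KEY: cheap shape check before the key is spliced into any
# generated expression. Accepts the recipient forms age understands: native
# "age1..." recipients and SSH public keys ("ssh-ed25519 ..." / "ssh-rsa ...").
is_plausible_key() {
  case "$1" in
    age1*|"ssh-ed25519 "*|"ssh-rsa "*) return 0 ;;
    *) return 1 ;;
  esac
}

# parse_rekey ARGS...: the option loop. Prints two lines: the key chosen for
# --rekey (empty when every secret is to be rekeyed) and the arguments that
# were not consumed, so a trailing -v survives "--rekey -v".
parse_rekey() {
  rekey_key=""
  rekey_rest=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -r|--rekey)
        shift
        # Take the next word as the key only if it is non-empty and is not
        # itself an option (i.e. does not start with "-").
        if [ $# -gt 0 ] && [ -n "$1" ] && [ "${1#-}" = "$1" ]; then
          rekey_key="$1"
          shift
        fi
        ;;
      *)
        rekey_rest="$rekey_rest $1"
        shift
        ;;
    esac
  done
  printf '%s\n%s\n' "$rekey_key" "${rekey_rest# }"
}

# secrets_to_rekey KEY: print, sorted and space separated, the secrets whose
# recipient list contains KEY exactly. An empty KEY selects every secret,
# mirroring the FILTER_EXPRESSION="true" default in the PR.
secrets_to_rekey() {
  filter_key="$1"
  printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
    secret="${line%%:*}"
    recipient="${line#*:}"
    if [ -z "$filter_key" ] || [ "$recipient" = "$filter_key" ]; then
      printf '%s\n' "$secret"
    fi
  done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration: keep -v for later handling and rekey only host-a's secrets.
demo=$(parse_rekey --rekey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 root@host-a' -v)
demo_key=$(printf '%s\n' "$demo" | sed -n 1p)
if is_plausible_key "$demo_key"; then
  echo "would rekey: $(secrets_to_rekey "$demo_key")"   # host-a-only.age shared.age
fi
```

The shape check is deliberately coarse: its job is only to refuse values that could not be a recipient before they reach any generated expression, not to validate the key cryptographically, which age itself does when it encrypts.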