
Add an encrypt command #117

Merged
merged 1 commit into from
Mar 28, 2023

Conversation

kpaulisse
Contributor

This PR adds an encrypt subcommand that does the inverse of decrypt.

Our use case is that we want to use Medusa to export secrets, but we also are exporting our PKI private keys via /sys/raw. To keep things simple, we'd like one tool to be able to handle the encryption and decryption of all these files. There's already a subcommand to handle the decryption that works well, so we need a subcommand to do the encryption. (There's no expectation that Medusa will restore the stuff we exported from /sys/raw.)

Help:

$ .../medusa encrypt -h
Encrypt a Vault export file onto stdout or to an output file

Usage:
  medusa encrypt [file path] [flags]

Flags:
  -h, --help                help for encrypt
  -o, --output string       Write to file instead of stdout
  -p, --public-key string   Location of the RSA public key

Global Flags:
  -a, --address string     Address of the Vault server
  -k, --insecure           Allow insecure server connections when using SSL
  -n, --namespace string   Namespace within the Vault server (Enterprise only)
  -t, --token string       Vault authentication token

This goes back and forth nicely (FWIW this is a test-only key and non-sensitive data, so no need to redact anything):

$ echo "Hello World" > payload.txt
$ .../medusa encrypt payload.txt --public-key public-key.pem --output payload.txt.b64
$ cat payload.txt.b64
7okDQwelUizUsndet4sTKpk3TzbBn6hiRW/G/jdHpTgULLvpovyx5Q==
WnlZY0NjajRESUhwTHI5YzN0dnZDV1FoUEVTc3ZCUFN3WEdXczZOMFlNaU9TWFFWYWwyTXI3eHNUYU8wYmEvaG55TGlwdUdCbWNpaWFBS0crYkxDbXAvd1FvTmFUMUcySmtGR3c1b2o3REMxZklRVU1HOElmaTFJb3FEbVJSKzdwL3VJZHY4Z0NmNnd5M3g2TE9mbFZkNnlWcVpNVDhoeE5OR2dPT0lYWTRVNkdlTjBIaWV1YlRoZ3A0TlpKUXZKc3ExUFhrOWc0YWNxQnZHU0V3VFZCOXhrdy9PS2ZKQklWVUI1N1hnemJJNXVrRmZia1I5MWJhWW1oKzlZbUIvdndUNXZsVXFIS1ppSmRTZWZzWExhaERGVGFwRyt4dExkUDhTYlFoUENCUXowRDV6K0NLdWlvOHZNNzd3WWlFSlV6NisxUCtmdjVCajJqaDdRQVhBVXhaRVk2NG04bDNSaDFEK1cxQ2Jvbi9wTHlGYkJCUnYyckk1VExER0p5VUNndWVhMFFRODVuVlEzanllK0YrVGdjb2lGenVENUswRmRXVk5mQXBWZTYvTWRmeDZkMVZvSTdBKzFPQlM4U0tSTjdzM0tkbUlVM2xMamcrZmIrSm5lSW9mM0ZpSHEwakpFeGtRV3NHRTBzNGFOYTJ0L21VUk5meGpUTnlZRE0wYm9xdkF4eFdlYlBxSE1vd00vR3hSMWpuNkRpL25MeVBLL0RtRnE4dFRlbEFvQXN4bnlXZHo5ZGdsQytDZG1UZXpnQS9HeFQrWnZRSnJtY2J5M1JoUTFGcFhTUElQOW9keVo1L09FTDZlVEZ0aTdicTFwOTJDRWpDeG1JdHIxaHRvSDVwRXhWT0xlMEZEcCtpckFqRmdEdm4rUnhMT3RzWGhZSjlhRGZPbkZ1SkE9
$ .../medusa decrypt payload.txt.b64 --private-key private-key.pem > payload.txt.new
$ cat payload.txt.new
Hello World

Implementation note: The output code added to cmd/encrypt.go is copy-pasta from medusa/cmd/export.go, lines 71 to 97 at 578643a:

publicKeyPath, _ := cmd.Flags().GetString("public-key")
encryptedKey, encryptedData := encrypt.Encrypt(publicKeyPath, output, data)
if output == "" {
	fmt.Println(string([]byte(encryptedData)))
	fmt.Println(string(encryptedKey))
} else {
	// Write to file
	// First encrypted data
	err = vaultengine.WriteToFile(output, []byte(encryptedData))
	if err != nil {
		return err
	}
	err = vaultengine.AppendStringToFile(output, "\n")
	if err != nil {
		return err
	}
	// Then encrypted AES key
	err = vaultengine.AppendStringToFile(output, encryptedKey)
	if err != nil {
		return err
	}
	err = vaultengine.AppendStringToFile(output, "\n")
	if err != nil {
		return err
	}
}

I can DRY this if you prefer, but didn't want to go refactoring a bunch of stuff without a specific request to do so.
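As an added example (not the Medusa project's own code, and not a description of its actual cipher choices): a minimal Go encrypt/decrypt pair that produces the same two-line layout the transcript above shows, encrypted data on the first line and the RSA-wrapped data key on the second, so that decrypt is the exact inverse of encrypt. AES-256-GCM with a prepended nonce, RSA-OAEP with SHA-256 and standard base64 are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

const keySize, nonceSize = 32, 12 // AES-256 data key, 96-bit GCM nonce (assumed, not Medusa's spec)

// Encrypt emits the PR's two-line layout: base64(nonce||ciphertext+tag), then base64(RSA-OAEP-wrapped key).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	buf := make([]byte, keySize+nonceSize) // a fresh data key and nonce per file
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key, nonce := buf[:keySize], buf[keySize:]
	block, _ := aes.NewCipher(key)                   // cannot fail: key length is fixed above
	gcm, _ := cipher.NewGCM(block)                   // cannot fail for an AES block cipher
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended so Decrypt can find it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	b64 := base64.StdEncoding
	return b64.EncodeToString(sealed) + "\n" + b64.EncodeToString(wrapped) + "\n", nil
}

// Decrypt inverts Encrypt: unwrap the key with the private key, then authenticate and open the data.
func Decrypt(priv *rsa.PrivateKey, export string) ([]byte, error) {
	dataLine, keyLine, ok := strings.Cut(strings.TrimSpace(export), "\n")
	sealed, err1 := base64.StdEncoding.DecodeString(dataLine)
	wrapped, err2 := base64.StdEncoding.DecodeString(keyLine)
	if !ok || err1 != nil || err2 != nil || len(sealed) < nonceSize {
		return nil, errors.New("expected two base64 lines: encrypted data, then encrypted key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil || len(key) != keySize {
		return nil, errors.New("could not unwrap the data key with this private key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	// GCM's tag check means a tampered data line (or a wrong key) errors out instead of yielding garbage.
	return gcm.Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}
```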

@jonasvinther
Owner

Not a bad idea. Thank you for your contribution.

@jonasvinther jonasvinther merged commit ed8d551 into jonasvinther:main Mar 28, 2023