feat: rekey only specific identity #295
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently rekey re-encrypts all files. For my personal use-case, agenix would ideally only files that require rekeying, i.e. files where the identities changed. But I don’t think there’s an (easy) way to achieve that with `age` currently, as there’s no way to get the current recipients from an encrypted file? This change would allow the user to manually specifiy that only secrets that contain a given identity should be rekeyed. In my use-case this is handy as when I add a new server I want all secrets that are shared between servers (where the new identity was added) to be rekeyed, but I don’t want all secrets that are personal to different servers to also be rekeyed.
felixscheinost
commented
Oct 25, 2024
| @@ -13,7 +13,7 @@ function show_help () { | |||
| echo '-h, --help show help' | |||
| # shellcheck disable=SC2016 | |||
| echo '-e, --edit FILE edits FILE using $EDITOR' | |||
| echo '-r, --rekey re-encrypts all secrets with specified recipients' | |||
| echo '-r, --rekey [PUBLIC_KEY] re-encrypts all secrets with specified recipients' | |||
There was a problem hiding this comment.
Not sure if this makes sense here.
It makes parsing harder e.g. --rekey -v is currently broken.
felixscheinost
commented
Oct 25, 2024
| @@ -77,6 +78,10 @@ while test $# -gt 0; do | |||
| ;; | |||
| -r|--rekey) | |||
| shift | |||
| if test $# -gt 0; then | |||
There was a problem hiding this comment.
TODO: Fix e.g. --rekey -v
felixscheinost
commented
Oct 25, 2024
| FILTER_EXPRESSION="true"; | ||
| fi | ||
|
|
||
| RULES_EXPRESSION=$(cat <<EOF |
There was a problem hiding this comment.
Does using a here document make sense here? I tried fitting it all in the single line but that isn't pretty.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently rekey re-encrypts all files.
For my personal use-case, agenix would ideally only files that require rekeying, i.e. files where the identities changed. But I don’t think there’s an (easy) way to achieve that with
agecurrently, as there’s no way to get the current recipients from an encrypted file?This change would allow the user to manually specifiy that only secrets that contain a given identity should be rekeyed.
In my use-case this is handy as when I add a new server I want all secrets that are shared between servers (where the new identity was added) to be rekeyed, but I don’t want all secrets that are personal to different servers to also be rekeyed.
The syntax currently isn't great, but works for me now. Am open to implement improvements here.
Example:
agenix --rekey 'ssh-ed25519 AA... root@some-host'Are you in general open to this feature? This PR is more of a draft but "works".