From ad783cf82ec31c20ce329dc3351afcbc318e5a68 Mon Sep 17 00:00:00 2001 From: Colin Powell Date: Thu, 25 Dec 2025 23:28:40 -0500 Subject: [PATCH] [bin] Add rekey and load_key scripts --- bin/.bin/load_keys | 41 +++++++++++++++++++++++++++++++++++++++++ bin/.bin/rekey | 26 ++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100755 bin/.bin/load_keys create mode 100755 bin/.bin/rekey diff --git a/bin/.bin/load_keys b/bin/.bin/load_keys new file mode 100755 index 0000000..0ae12b9 --- /dev/null +++ b/bin/.bin/load_keys @@ -0,0 +1,41 @@ +#!/usr/bin/env bash +set -euo pipefail + +PASS_BASE="personal/ssh" +STORE_ROOT="${PASSWORD_STORE_DIR:-$HOME/.password-store}" +ABS_BASE_PATH="${STORE_ROOT}/${PASS_BASE}" + +# Ensure ssh-agent is running +if [[ -z "${SSH_AUTH_SOCK:-}" ]]; then + eval "$(ssh-agent -s)" +fi + +# Verify the base path exists +if [[ ! -d "$ABS_BASE_PATH" ]]; then + echo "ERROR: Base path not found in pass: $PASS_BASE" >&2 + exit 1 +fi + +# Loop through each identity subdirectory +while IFS= read -r dir; do + IDENTITY=$(basename "$dir") + + # Find the latest .gpg file by name (ISO sort) + LATEST_FILE=$(find "$dir" -maxdepth 1 -name "*.gpg" -printf "%f\n" \ + | sed 's/\.gpg$//' \ + | sort -r \ + | head -n 1) + + if [[ -z "$LATEST_FILE" ]]; then + continue + fi + + echo "Injecting $IDENTITY ($LATEST_FILE) into ssh-agent..." + + # Decrypt and pipe directly to ssh-add + # The '-' tells ssh-add to read the key from standard input (stdin) + pass show "${PASS_BASE}/${IDENTITY}/${LATEST_FILE}" | ssh-add - >/dev/null 2>&1 + +done < <(find "$ABS_BASE_PATH" -mindepth 1 -maxdepth 1 -type d) + +echo "Done. All latest keys injected into agent." diff --git a/bin/.bin/rekey b/bin/.bin/rekey new file mode 100755 index 0000000..5bd75f1 --- /dev/null +++ b/bin/.bin/rekey @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -euo pipefail + +USER="${USER:-$(whoami)}" +HOST="${HOST:-$(hostname)}" +DATE="$(date +%F)" +SSH_DIR="$HOME/.ssh" +mkdir -p "$SSH_DIR" +PASS_PATH="personal/ssh/$USER@$HOST/$DATE" + +# --- Temporary RAM-backed file for private key --- +TMP_PRIV="/dev/shm/sshkey_$USER@$HOST$DATE" +trap 'rm -f "$TMP_PRIV"' EXIT + +# Generate Ed25519 key pair into RAM +ssh-keygen -t ed25519 -f "$TMP_PRIV" -N "" -q + +# Insert private key into pass +cat "$TMP_PRIV" | pass insert --multiline --force "$PASS_PATH" +echo "Private key stored in pass at $PASS_PATH" + +# Extract public key from the same temp file +ssh-keygen -y -f "$TMP_PRIV" > "$SSH_DIR/$USER@$HOST.pub" +echo "Public key written to $SSH_DIR/$USER@$HOST.pub" + +# Private key removed from /dev/shm automatically