Add an encrypt command (#117)

kpaulisse · web-flow · commit ed8d551c58fd · 2023-03-28T22:21:04.000+02:00
diff --git a/README.md b/README.md
@@ -226,6 +226,26 @@ env:
 ./medusa decrypt encrypted-export.txt --private-key private-key.pem > plaintext-export.yaml
 ```
 
+### Encrypt secrets
+> Get help with `./medusa encrypt -h`
+Medusa encrypt will take a [FILE path] with [flags]
+
+```
+  Flags:
+  -o, --output string       Write to file instead of stdout
+  -p, --public-key string   Location of the RSA public key
+```
+
+Example:
+```
+# Write to stdout
+./medusa encrypt plaintext-export.txt --public-key public-key.pem
+&lt;Encrypted data&gt;
+
+# Write to file
+./medusa encrypt plaintext-export.txt --public-key public-key.pem --output encrypted-export.txt.b64
+```
+
 ## Secure secret management outside Vault
 Medusa will help you securely manage your secrets outside Vault.
 This could for instance be as a backup of your Vault data or while your secrets are being transported between Vault instances.  
diff --git a/cmd/encrypt.go b/cmd/encrypt.go
@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/jonasvinther/medusa/pkg/encrypt"
+	"github.com/jonasvinther/medusa/pkg/vaultengine"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(encryptCmd)
+	encryptCmd.PersistentFlags().StringP("output", "o", "", "Write to file instead of stdout")
+	encryptCmd.PersistentFlags().StringP("public-key", "p", "", "Location of the RSA public key")
+}
+
+var encryptCmd = &cobra.Command{
+	Use:   "encrypt [file path] [flags]",
+	Short: "Encrypt a Vault export file onto stdout or to an output file",
+	Long:  ``,
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		file := args[0]
+		publicKey, _ := cmd.Flags().GetString("public-key")
+		output, _ := cmd.Flags().GetString("output")
+
+		data, err := os.ReadFile(file)
+		if err != nil {
+			fmt.Println(err)
+			return err
+		}
+
+		encryptedKey, encryptedData := encrypt.Encrypt(publicKey, output, data)
+
+		if output == "" {
+			fmt.Println(string([]byte(encryptedData)))
+			fmt.Println(string(encryptedKey))
+		} else {
+			// Write to file
+			// First encrypted data
+			err = vaultengine.WriteToFile(output, []byte(encryptedData))
+			if err != nil {
+				return err
+			}
+			err = vaultengine.AppendStringToFile(output, "\n")
+			if err != nil {
+				return err
+			}
+			// Then encrypted AES key
+			err = vaultengine.AppendStringToFile(output, encryptedKey)
+			if err != nil {
+				return err
+			}
+			err = vaultengine.AppendStringToFile(output, "\n")
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	},
+}
