// Encrypt reads all contents from 'in', extracts the pubkey
// and performs the requested encryption operation, writing
// the resulting data to 'out'.
// Returns the number of bytes written and any error that might have
// occurred.
func Encrypt(in io.Reader, out io.Writer) (int, error) {
data, err := ioutil.ReadAll(in)
if err != nil {
return -1, err
}
var myKP crypto.Keypair
if err = myKP.Generate(); err != nil {
return -1, err
}
pubkey, err := json.ExtractPublicKey(data)
if err != nil {
return -1, err
}
encrypter := myKP.Encrypter(pubkey)
walker := json.Walker{
Action: encrypter.Encrypt,
}
newdata, err := walker.Walk(data)
if err != nil {
return -1, err
}
return out.Write(newdata)
}
// DecryptFile takes a path to an encrypted EJSON file and decrypts it to
// STDOUT. If any keys in the file are encryptable but currently-unencrypted,
// ejson will print an error and exit non-zero, as this condition probably
// indicates that a plaintext secret was committed to source control, and
// requires manual intervention to rotate.
//
// The public key used to encrypt the values is embedded in the referenced
// document, and the matching private key is searched for in keydir. There must
// exist a file in keydir whose name is the public key from the EJSON document,
// and whose contents are the corresponding private key. See README.md for more
// details on this.
func DecryptFile(filePath, keydir string) (string, error) {
data, err := readFile(filePath)
if err != nil {
return "", err
}
pubkey, err := json.ExtractPublicKey(data)
if err != nil {
return "", err
}
privkey, err := findPrivateKey(pubkey, keydir)
if err != nil {
return "", err
}
myKP := crypto.Keypair{
Public: pubkey,
Private: privkey,
}
decrypter := myKP.Decrypter()
walker := json.Walker{
Action: decrypter.Decrypt,
}
newdata, err := walker.Walk(data)
if err != nil {
return "", err
}
return string(newdata), nil
}
// Decrypt reads an ejson stream from 'in' and writes the decrypted data to 'out'.
// The private key is expected to be under 'keydir'.
// Returns error upon failure, or nil on success.
func Decrypt(in io.Reader, out io.Writer, keydir string) error {
data, err := ioutil.ReadAll(in)
if err != nil {
return err
}
pubkey, err := json.ExtractPublicKey(data)
if err != nil {
return err
}
privkey, err := findPrivateKey(pubkey, keydir)
if err != nil {
return err
}
myKP := crypto.Keypair{
Public: pubkey,
Private: privkey,
}
decrypter := myKP.Decrypter()
walker := json.Walker{
Action: decrypter.Decrypt,
}
newdata, err := walker.Walk(data)
if err != nil {
return err
}
_, err = out.Write(newdata)
return err
}
// EncryptFileInPlace takes a path to a file on disk, which must be a valid EJSON file
// (see README.md for more on what constitutes a valid EJSON file). Any
// encryptable-but-unencrypted fields in the file will be encrypted using the
// public key embdded in the file, and the resulting text will be written over
// the file present on disk.
func EncryptFileInPlace(filePath string) (int, error) {
data, err := readFile(filePath)
if err != nil {
return -1, err
}
fileMode, err := getMode(filePath)
if err != nil {
return -1, err
}
var myKP crypto.Keypair
if err := myKP.Generate(); err != nil {
return -1, err
}
pubkey, err := json.ExtractPublicKey(data)
if err != nil {
return -1, err
}
encrypter := myKP.Encrypter(pubkey)
walker := json.Walker{
Action: encrypter.Encrypt,
}
newdata, err := walker.Walk(data)
if err != nil {
return -1, err
}
if err := writeFile(filePath, newdata, fileMode); err != nil {
return -1, err
}
return len(newdata), nil
}