Fix in_place encryption/decryption of binary files, plus readme

2015-10-26 16:29:23 -04:00 · 2015-10-26 16:29:23 -04:00 · df7cb474d0
--- a/README.rst
+++ b/README.rst
@ -275,6 +275,38 @@ original file after encrypting or decrypting it.
 	$ sops -d -i /path/to/existing/file.yaml
 	# file.yaml is back in cleartext

+Encrypting binary files
+~~~~~~~~~~~~~~~~~~~~~~~
+
+`sops` primary use case is encrypting YAML and JSON configuration files, but it
+also has the ability to manage binary files. When encrypting a binary, sops will
+read the data as bytes, encrypt it, store the encrypted base64 under
+`tree['data']` and write the result as JSON.
+
+Note that the base64 encoding of encrypted data can actually make the encrypted
+file larger than the cleartext one.
+
+In-place encryption/decryption also works on binary files.
+
+.. code::
+
+	$ dd if=/dev/urandom of=/tmp/somerandom bs=1024
+	count=512
+	512+0 records in
+	512+0 records out
+	524288 bytes (524 kB) copied, 0.0466158 s, 11.2 MB/s
+
+	$ sha512sum /tmp/somerandom
+	9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
+
+	$ sops -e -i /tmp/somerandom 
+	please wait while a data encryption key is being generated and stored securely
+
+	$ sops -d -i /tmp/somerandom 
+
+	$ sha512sum /tmp/somerandom
+	9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom
+
 Extract a sub-part of a document tree
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/sops/init.py
+++ b/sops/init.py
@ -182,8 +182,13 @@ def main():
        # Encrypt mode: encrypt, display and exit
        key, tree = get_key(tree, need_key)
        tree = walk_and_encrypt(tree, key)
-        finalize_output(tree, args.file, encrypt=True, in_place=args.in_place,
-                        output_type=otype)
+        dest = '/dev/stdout'
+        if args.in_place:
+            dest = args.file
+        if otype == "bytes":
+            otype = "json"
+        write_file(tree, path=dest, filetype=otype)
+        sys.exit(0)

    if args.decrypt:
        # Decrypt mode: decrypt, display and exit
@ -191,8 +196,13 @@ def main():
        tree = walk_and_decrypt(tree, key, ignoreMac=args.ignore_mac)
        if not args.show_master_keys:
            tree.pop('sops', None)
-        finalize_output(tree, args.file, decrypt=True, in_place=args.in_place,
-                        output_type=otype, tree_path=args.tree_path)
+        dest = '/dev/stdout'
+        if args.in_place:
+            dest = args.file
+        if args.tree_path:
+            tree = truncate_tree(tree, args.tree_path)
+        write_file(tree, path=dest, filetype=otype)
+        sys.exit(0)

    # EDIT Mode: decrypt, edit, encrypt and save
    key, tree = get_key(tree, need_key)
@ -264,7 +274,12 @@ def main():
    tree = update_master_keys(tree, key)
    os.remove(tmppath)

-    finalize_output(tree, args.file, output_type=otype)
+    # always store encrypted binary files in a json enveloppe
+    if otype == "bytes":
+        otype = "json"
+    path = write_file(tree, path=args.file, filetype=otype)
+    print("file written to %s" % (path), file=sys.stderr)
+    sys.exit(0)


 def detect_filetype(file):
@ -880,32 +895,6 @@ def encrypt_key_with_pgp(key, entry):
    return entry


-def finalize_output(tree, path, encrypt=False, decrypt=False, in_place=False,
-                    output_type="json", tree_path=None):
-    """ Write the final output of sops to a destination path """
-    # if we're in -e or -d mode, and not in -i mode, display to stdout
-    if encrypt and not in_place:
-        if output_type == "bytes":
-            output_type = "json"
-        write_file(tree, path='/dev/stdout', filetype=output_type)
-
-    elif decrypt and not in_place:
-        if tree_path:
-            tree = truncate_tree(tree, tree_path)
-        # don't show sops metadata in decrypt mode
-
-        write_file(tree, path='/dev/stdout', filetype=output_type)
-
-    # otherwise, write the tree to a file
-    else:
-        if output_type == "bytes":
-            output_type = "json"
-        path = write_file(tree, path=path, filetype=output_type)
-        print("file written to %s" % (path), file=sys.stderr)
-    # it's called "finalize" for a reason...
-    sys.exit(0)
-
-
 def write_file(tree, path=None, filetype=None):
    """Write the tree content in a file using filetype format.