feat: Add support for password-protected age keys

2021-12-04 00:27:24 +01:00
parent cc72f880b4
commit 5ee9ddf325
1 changed files with 38 additions and 0 deletions
--- a/cmd/stbak/cmd/recovery_fetch.go
+++ b/cmd/stbak/cmd/recovery_fetch.go
@@ -284,6 +284,25 @@ func decryptString(
 ) (string, error) {
 	switch encryptionFormat {
 	case encryptionFormatAgeKey:
+		if password != "" {
+			passwordIdentity, err := age.NewScryptIdentity(password)
+			if err != nil {
+				return "", err
+			}
+
+			r, err := age.Decrypt(bytes.NewBuffer(privkey), passwordIdentity)
+			if err != nil {
+				return "", err
+			}
+
+			out := &bytes.Buffer{}
+			if _, err := io.Copy(out, r); err != nil {
+				return "", err
+			}
+
+			privkey = out.Bytes()
+		}
+
 		identity, err := age.ParseX25519Identity(string(privkey))
 		if err != nil {
 			return "", err
@@ -356,6 +375,25 @@ func decrypt(
 ) (io.ReadCloser, error) {
 	switch encryptionFormat {
 	case encryptionFormatAgeKey:
+		if password != "" {
+			passwordIdentity, err := age.NewScryptIdentity(password)
+			if err != nil {
+				return nil, err
+			}
+
+			r, err := age.Decrypt(bytes.NewBuffer(privkey), passwordIdentity)
+			if err != nil {
+				return nil, err
+			}
+
+			out := &bytes.Buffer{}
+			if _, err := io.Copy(out, r); err != nil {
+				return nil, err
+			}
+
+			privkey = out.Bytes()
+		}
+
 		identity, err := age.ParseX25519Identity(string(privkey))
 		if err != nil {
 			return nil, err