blackbox/bin/blackbox_update_all_files

#!/usr/bin/env bash

#
# blackbox_update_all_files -- Decrypt then re-encrypt all files. Useful after keys are changed.
#

set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source "${blackbox_home}/_blackbox_common.sh"

if [[ -z $GPG_AGENT_INFO ]]; then
  echo 'WARNING: You probably want to run gpg-agent as'
  echo 'you will be asked for your passphrase many times.'
  echo 'Example: $ eval $(gpg-agent --daemon)'
  read -r -p 'Press CTRL-C now to stop. ENTER to continue: '
fi

disclose_admins
prepare_keychain

echo '========== ENCRYPTED FILES TO BE RE-ENCRYPTED:'
awk <"$BB_FILES" '{ print "    " $1 ".gpg" }'

echo '========== FILES IN THE WAY:'
need_warning=false
for i in $(<"$BB_FILES") ; do
  unencrypted_file=$(get_unencrypted_filename "$i")
  encrypted_file=$(get_encrypted_filename "$i")
  if [[ -f "$unencrypted_file" ]]; then
    need_warning=true
    echo "    $unencrypted_file"
  fi
done
if "$need_warning" ; then
  echo
  echo 'WARNING: This will overwrite any unencrypted files laying about.'
  read -r -p 'Press CTRL-C now to stop. ENTER to continue: '
else
  echo 'All OK.'
fi

echo '========== RE-ENCRYPTING FILES:'
for i in $(<"$BB_FILES") ; do
  unencrypted_file=$(get_unencrypted_filename "$i")
  encrypted_file=$(get_encrypted_filename "$i")
  echo ========== PROCESSING "$unencrypted_file"
  fail_if_not_on_cryptlist "$unencrypted_file"
  decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
  encrypt_file "$unencrypted_file" "$encrypted_file"
  shred_file "$unencrypted_file"
done

fail_if_keychain_has_secrets

echo '========== COMMITING TO VCS:'
vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )

VCSCMD=$(which_vcs)
echo '========== DONE.'
echo 'Likely next step:'
echo "    ${VCSCMD} push"