MT#58014 encrypt, decrypt: Clarify cryptographic terms

Rename gpg to pgp or OpenPGP and remove crypted from filenames. The standard is called OpenPGP, GnuPG (or GPG, gpg) is one of many implementations (although depending on the context the prevalent one) so we use that when referring to the specification. For the encrypted tarball we remove the «-crypted» term which is an odd wording use for encryted content and it is unnecessary and confusing when using layered containers (as when the tarball is decrypted the name becomes invalid); and make it use «.pgp» instead of «.gpg» as extension, while trying the old filename on decryption for backwards compatibility. Change-Id: If5e0349ff0c3d8e3b47ced361e9e77d7d4d2defc
2 years ago · 6e5628d599
parent 090653e682
commit 6e5628d599
5 changed files with 27 additions and 14 deletions
--- a/docs/ngcpcfg.txt
+++ b/docs/ngcpcfg.txt
@ -424,7 +424,9 @@ pending changes to be committed execute 'ngcpcfg status'.

  **decrypt**::

-Decrypt /etc/ngcp-config-crypted.tgz.gpg and restore configuration files,
+Decrypt /etc/ngcp-config.tgz.pgp
+(or /etc/ngcp-config-crypted.tgz.gpg for backwards compatibility)
+and restore configuration files,
 doing the reverse operation of the _encrypt_ option.
 Note: This feature is only available if the ngcp-ngcpcfg-locker package is
 installed.
@ -451,7 +453,7 @@ Helper to edit the ngcpcfg's YML configuration files in a faster way
  **encrypt**::

 Encrypt /etc/ngcp-config and all resulting configuration files with a user
-defined password and save the result as /etc/ngcp-config-crypted.tgz.gpg.
+defined password and save the result as /etc/ngcp-config.tgz.pgp.
 Note: This feature is only available if the ngcp-ngcpcfg-locker package is
 installed.

--- a/functions/init
+++ b/functions/init
@ -24,7 +24,8 @@ else
        fi
      done
    fi
-  elif [ -r /etc/ngcp-config-crypted.tgz.gpg ] ; then
+  elif [ -r /etc/ngcp-config.tgz.pgp ] ||
+       [ -r /etc/ngcp-config-crypted.tgz.gpg ] ; then
    log_error "Configuration pool locked. Please contact your distributor. Exiting."
    exit 1
  else
--- a/sbin/ngcpcfg
+++ b/sbin/ngcpcfg
@ -89,7 +89,7 @@ Actions:

  # display only if ngcp-ngcpcfg-locker is available
  if [ -r "${SCRIPTS}"/encrypt ] ; then
-    printf "  decrypt             decrypt /etc/ngcp-config-crypted.tgz.gpg and restore config files\n"
+    printf "  decrypt             decrypt /etc/ngcp-config.tgz.pgp and restore config files\n"
    printf "  encrypt             encrypt /etc/ngcp-config and all resulting configuration files\n"
  fi

--- a/scripts/decrypt
+++ b/scripts/decrypt
@ -53,23 +53,32 @@ if ! type -p gpg &>/dev/null ; then
 fi

 RC=0
-TARGZ=/etc/ngcp-config-crypted.tgz
+TARGZ=
+TARGZPGP=
+# XXX: Try the "-crypted.gpg" terminator for backwards compatibility.
+for file in /etc/ngcp-config.tgz.pgp /etc/ngcp-config-crypted.tgz.gpg; do
+  if [ -r "${file}" ]; then
+    TARGZ="${file%.*}"
+    TARGZPGP="${file}"
+    break
+  fi
+done

 # ensure created files can be read by root only
 umask 066

-if ! gpg -d "${TARGZ}".gpg > "${TARGZ}" ; then
-  log_error "Error while decrypting ${TARGZ}.gpg"
+if ! gpg -d "${TARGZPGP}" > "${TARGZ}" ; then
+  log_error "Error while decrypting ${TARGZPGP}"
  RC=1
 else
  # For backwards compatibility we switch to the root directory, for old
  # encrypted tarballs that stripped the leading /.
  cd /
  if tar zxPf "${TARGZ}" ; then
-    log_info "Successfully restored configuration archive ${TARGZ}.gpg"
+    log_info "Successfully restored configuration archive ${TARGZPGP}"
    log_info "Now you should be able to run 'ngcpcfg apply' again."
  else
-    log_error "Error while restoring ${TARGZ}.gpg"
+    log_error "Error while restoring ${TARGZPGP}"
    RC=1
  fi
 fi
--- a/scripts/encrypt
+++ b/scripts/encrypt
@ -44,7 +44,7 @@ if ! type -p gpg &>/dev/null ; then
 fi

 if ! tty -s; then
-  log_error "Cannot request gpg password (no tty). Aborting."
+  log_error "Cannot request OpenPGP password (no tty). Aborting."
  exit 1
 fi

@ -59,15 +59,16 @@ else
  log_debug "Packing configs: ${FILES[*]}"
 fi

-TARGZ=/etc/ngcp-config-crypted.tgz
+TARGZ=/etc/ngcp-config.tgz
+TARGZPGP="${TARGZ}.pgp"

 tar zcPf "${TARGZ}" /etc/ngcp-config/ "${FILES[@]}" /etc/.git
-if gpg --symmetric "${TARGZ}" ; then
-  log_info "Successfully created encrypted ngcpcfg configuration archive ${TARGZ}.gpg"
+if gpg -o "${TARGZPGP}" --symmetric "${TARGZ}" ; then
+  log_info "Successfully created encrypted ngcpcfg configuration archive ${TARGZPGP}"
  # ensure we don't leave the unencrypted version behind
  rm -f "${TARGZ}"
 else
-  log_error "Error while setting up ${TARGZ}.gpg"
+  log_error "Error while setting up ${TARGZPGP}"
  # ensure we don't leave the unencrypted version behind
  rm -f "${TARGZ}"
  exit 1