eacc is a bash script which allows a group of people to share an encrypted (GPG), revision-controlled (RCS) file on a shared filesystem. Rather than store an encrypted file in RCS, eacc encrypts the RCS file and handles the decryption, check-out, check-in and encryption steps automatically. The repository is encrypted using GPG's multi-recipient support, which allows each member of the group to use their own unique password.
A typical use case would be to securely store sensitive information, such as a password list, which is shared by a team.
You will need the following software on your computer:
- GPG (aka GnuPG) - Versions 1.4 and 2.0 are known to work
- RCS - Version 5.7 is known to work
- Bash - Any version should work without issue
Download the latest version from GitHub and copy eacc somewhere on your PATH:
    git clone https://github.com/jamessthompson/eacc.git
    cd eacc
    cp eacc /usr/local/bin/
Initial file setup
To place a file named "secret" under the control of eacc:
    ~> cd demo
    ~/demo> eacc init secret
You will be prompted for your GPG passphrase as well as a space-separated list of emails associated with GPG public keys in your keyring. The file will be checked into RCS, the RCS file will be encrypted, and the original file will be replaced with a placeholder.
Looking at the contents of the placeholder file you'll see something similar to the following.
    ~/demo> more secret
    File managed by /usr/local/bin/eacc
Viewing an encrypted file
To view, but not edit, the encrypted file use the view command. You will be prompted for your gpg passphrase.
    ~> cd demo
    ~/demo> eacc view secret
Others will not be able to access the file via eacc while you are viewing it.
Editing an encrypted file
To edit the encrypted file use the edit command. You will be prompted for your GPG passphrase.
    ~> cd demo
    ~/demo> eacc edit secret
Others will not be able to access the file via eacc while you are editing it.
Resetting an encrypted file
In certain cases, such as a disconnected session, it is possible for a file to be left in a checked-out state. To fix this:
    ~> cd demo
    ~/demo> eacc reset secret
Validating your GPG keychain
To validate your keychain without trying to view or edit the file:
    ~> eacc validate
Adding or removing an individual's access
To adjust access to a file you must:
1. Add or remove email addresses from the appropriate .access file in the RCS directory.
2. Make a small edit to the protected file to trigger re-encryption with the appropriate keys.

Please note that the backup files (,v.gpg.[0-2]) will still contain the old keys and access levels at the time of their creation.
    ~> cd demo
    ~/demo> cd RCS
    ~/demo/RCS> vi secret.access   # Add or remove email addresses as needed
    ~/demo/RCS> cd ..
    ~/demo> eacc edit secret
Things to Note
While editing or viewing a file the placeholder file is replaced with the unencrypted contents of the file. Anyone with the appropriate filesystem level permissions can access the contents of the file.
Each member of the group that requires access to the encrypted file must exchange GPG public keys. The keys will be used by GPG to encrypt a symmetric key which is used to encrypt the RCS repository file. To prevent a person from locking another member of the group out of the file eacc will verify that you have all the keys necessary to re-encrypt a file prior to allowing access.
In cases of failure, eacc makes every attempt to not lose data. It retains three prior revisions of the encrypted repository (,v.gpg.[0-2]) in the RCS directory which can be copied over a corrupted encrypted repository file.
Access to the file is controlled by a file in the RCS directory which follows the naming convention "filename.access". The file consists of a list of email addresses, one per line, that are associated with GPG keys in your keychain.
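The check described above (confirming that every address in the .access file has a key before re-encrypting) can be sketched as follows. This is an added example, not eacc's own code: the function names are hypothetical, it parses the output of `gpg --list-keys --with-colons`, and it goes slightly further than the text by also treating expired, revoked or disabled keys as missing.

```bash
#!/usr/bin/env bash
# Added example, not eacc's own code. Keys and addresses are constructed.
# Read `gpg --list-keys --with-colons` output on stdin and print the
# lowercased address of every user ID that sits on a key able to encrypt.
usable_addresses() {
    awk -F: '
        # pub: field 2 is validity (i/d/r/e are unusable); field 12 is
        # capabilities: uppercase E = whole key can encrypt, D = disabled.
        $1 == "pub" { ok = ($2 !~ /^[idre]/ && $12 ~ /E/ && $12 !~ /D/) }
        # uid: field 2 is validity, field 10 is "Name <address>".
        $1 == "uid" && ok && $2 !~ /^[re]/ && match($10, /<[^>]+>/) {
            print tolower(substr($10, RSTART + 1, RLENGTH - 2))
        }'
}

# missing_recipients ACCESS_FILE [LISTING_FILE]
# Print each address in the .access file that has no usable key and exit 1
# if there are any. Without LISTING_FILE the local keyring is queried.
missing_recipients() (
    if [ -n "${2:-}" ]; then
        usable=$(usable_addresses < "$2")
    else
        usable=$(gpg --batch --list-keys --with-colons | usable_addresses)
    fi
    status=0
    while IFS= read -r addr || [ -n "$addr" ]; do
        addr=$(printf '%s' "$addr" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        [ -n "$addr" ] || continue
        printf '%s\n' "$usable" | grep -Fxq -- "$addr" || { printf '%s\n' "$addr"; status=1; }
    done < "$1"
    exit "$status"
)

# Constructed data: alice has a valid key, bob's key expired, carol has none.
demo() (
    dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
    cat > "$dir/keys.txt" <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1356998400:::u:::scESC:
uid:u::::1356998400::HASH::Alice Example <alice@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAA1:1356998400::::::e:
pub:e:2048:1:BBBBBBBBBBBBBBBB:1230768000:1293840000::-:::sc:
uid:e::::1230768000::HASH::Bob Example <bob@example.org>:
EOF
    printf 'Alice@Example.org\nbob@example.org\n\ncarol@example.org\n' > "$dir/secret.access"
    missing_recipients "$dir/secret.access" "$dir/keys.txt"
)

demo || echo "refusing to re-encrypt: the addresses above have no usable key"
```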
Copyright(c) 2008-2013 James Thompson
Released under the MIT License.