authorstuebinm2021-04-05 02:09:52 +0200
committerstuebinm2021-04-05 02:09:52 +0200
commitd262cc52f8474a8af1d0ab4f4a427222d1148c5a (patch)
treefb3588989e21a17c9c2d881f749a2f1cc52c720b
parent8e35eaecbb2baaf9a4043263fc5e054f21aa24c6 (diff)
utils: switch to asymmetric encryption
-rw-r--r--utils/src/main.rs16
1 files changed, 10 insertions, 6 deletions
diff --git a/utils/src/main.rs b/utils/src/main.rs
index bcd63f6..ff5f86f 100644
--- a/utils/src/main.rs
+++ b/utils/src/main.rs
@@ -7,6 +7,7 @@ use std::io::Write;
use std::path::PathBuf;
use structopt::StructOpt;
+use secrecy::ExposeSecret;
use age::x25519::Recipient;
@@ -39,9 +40,9 @@ struct Options {
/// a dhall configuration file that describes a survey
#[structopt(long, short, parse(from_os_str))]
config_file: PathBuf,
- /// encrypt the survey with the given password (not yet implemented)
+ /// encrypt the survey with a passphrase (will be printed to stderr)
#[structopt(long, short)]
- password: Option<secrecy::Secret<String>>,
+ encrypt: bool,
/// file to write the configuration to (will otherwise print to stdout)
#[structopt(long, short)]
out_file: Option<PathBuf>
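Review bot: The new help text on `encrypt` calls the generated secret a passphrase, but the main() hunk creates an `age::x25519::Identity` and prints its secret key. Whoever decrypts presumably has to supply that key as an age identity, not as a passphrase. The same wording recurs in the main() hunk, in the `eprintln!` label and in the unchanged comment `// the password as passphrase`. I would write `/// encrypt the survey to a freshly generated x25519 key (the secret key is printed to stderr)` here and reword the other two to match. The `Options` struct starts and ends outside this hunk.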
@@ -90,13 +91,16 @@ fn main () {
let mut encrypted = vec![];
// are we restricting access to the survey? if so, encrypt it with
// the password as passphrase.
- let outdata = match opt.password {
- None => json.as_bytes(),
- Some(password) => {
- let encryptor = age::Encryptor::with_user_passphrase(password);
+ let outdata = match opt.encrypt {
+ false => json.as_bytes(),
+ true => {
+ let key = age::x25519::Identity::generate();
+ let pubkey = key.to_public();
+ let encryptor = age::Encryptor::with_recipients(vec![Box::new(pubkey)]);
let mut writer = encryptor.wrap_output(&mut encrypted).unwrap();
writer.write_all(&json.as_bytes()).unwrap();
writer.finish().unwrap();
+ eprintln!("Passphrase for this survey: {}", key.to_string().expose_secret());
encrypted.as_slice()
}
};
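Review bot: The `eprintln!` at the end of the `true` arm writes the only copy of the X25519 secret key to stderr in clear text. The key therefore lands in whatever captures stderr (terminal scrollback, CI or service logs, a `2>&1` redirect that puts it next to the ciphertext), and it is lost for good if stderr is discarded. At minimum, add a comment above the call such as `// SECURITY: sole copy of the decryption key; stderr must not be logged or merged with stdout`. A more robust follow-up would write the key to a caller-named file created with owner-only permissions instead of printing it. The body of `main` starts and ends outside this hunk, so how `outdata` is written afterwards is not visible here.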