Like the process described in Encrypting Filespooler Jobs with GPG, Filespooler can handle packets Encrypted with Age (Encryption). Age may be easier than GnuPG in a number of cases, particularly because it can use a person’s existing SSH keypairs for encryption.
This process is fundamentally quite similar to handling encryption with GnuPG: we’ll be adding an encryption command in the pipe after prepare, and adding a decoder to the queue processing commands.
How to use age
First, let’s generate our keypair:
$ age-keygen -o test.age.sec
Public key: age1apfzl3df26aur7rd0stps75gf6fretpdjwhtvjm7t3uru47sjqvsvmx0sh
Now, the sender needs to know that public key and the recipient needs to have the test.age.sec file. So, say we have done fspl queue-init -q ~/q and want to add a packet to it:
sender$ echo hi \
| fspl prepare -i - -s ~/seq \
| age -e -r age1apfzl3df26aur7rd0stps75gf6fretpdjwhtvjm7t3uru47sjqvsvmx0sh \
| fspl queue-write -q ~/q
OK, that’s the encryption bit. How about the decryption?
receiver$ $ fspl queue-ls -q /tmp/q -d 'age -d -i test.age.sec'
ID creation timestamp filename
1 2022-05-20T22:52:39-05:00 fspl-c537c39d-984d-4dc6-b488-9048124b8d75.fspl
That’s all there was to it! We gave queue-ls (could have easily been queue-process or some such also) the decoder that caused age to decode the data using the secret key. Done!
Links to this note
It seems that lately I’ve written several shell implementations of a simple queue that enforces ordered execution of jobs that may arrive out of order. After writing this for the nth time in bash, I decided it was time to do it properly. But first, a word on the why of it all.
Thanks to Filespooler’s support for decoders, data for filespooler can be Encrypted at rest and only decrypted when Filespooler needs to scan or process a queue.