ENH: Add subcommand 'pw', primitive wrapping password input

Author: kernc

README.full.md

@@ -157,6 +157,7 @@ Subcommands:
   checkout PATH...      Sparse-checkout and decrypt files into $WORK_TREE
   checkout COMMIT       Switch files to a commit of plain or encrypted repo
   gc                    Garbage collect, remove synced encrypted packs
+  pw                    Secure password input. Usage: PASSWORD="$(myba pw)"
   git CMD [OPTS]        Inspect/execute raw git commands inside plain repo
   git_enc CMD [OPTS]    Inspect/execute raw git commands inside encrypted repo
 
@@ -198,15 +199,18 @@ export WORK_TREE="$HOME"
 
 myba init
 myba add Documents Photos Etc .dotfile
-PASSWORD='secret'  myba commit -m "my precious"
+PASSWORD="$(myba pw)"  # Secure read from the controlling terminal
+export PASSWORD
+myba commit -m "my precious"
 myba remote add origin "/media/usb/backup/path"
 myba remote add github "git@github.com:user/my-backup.git"
 VERBOSE=1 myba push  # Push to ALL configured remotes & free up disk space
 
-# Somewhere else, much, much later, avoiding catastrophe ...
+# Somewhere else, post apocalypse, yet avoiding catastrophe ...
 
 export WORK_TREE="$HOME"
-PASSWORD='secret'  myba clone "..."  # Clone one of the known remotes
+export PASSWORD=...
+myba clone ...  # Clone one of the known remotes
 myba checkout ".dotfile" # Restore backed up files in a space-efficient manner
 
 # When already cloned ...

myba.sh

@@ -80,6 +80,7 @@ usage () {
     echo "  checkout PATH...      Sparse-checkout and decrypt files into \$WORK_TREE"
     echo "  checkout COMMIT       Switch files to a commit of plain or encrypted repo"
     echo "  gc                    Garbage collect, remove synced encrypted packs"
+    echo "  pw                    Secure password input. Usage: PASSWORD=\"$(myba pw)\""
     echo "  git CMD [OPTS]        Inspect/execute raw git commands inside plain repo"
     echo "  git_enc CMD [OPTS]    Inspect/execute raw git commands inside encrypted repo"
     echo
@@ -118,18 +119,23 @@ _read_vars () {
     read -r "$@" || [ "$(eval echo '$'"$1")" ];
 }
 
+cmd_pw () {
+    stty -echo
+    {
+        IFS= read -p "Enter encryption PASSWORD=: " -r PASSWORD
+        echo
+        (
+            IFS= read -p "Repeat: " -r PASSWORD2
+            [ "$PASSWORD" = "$PASSWORD2" ] || { warn 'ERROR: Password mismatch!'; exit 1; }
+        )
+    } < /dev/tty
+    stty echo
+    echo
+    echo "$PASSWORD"
+}
 _ask_pw () {
     if [ -z "${PASSWORD+1}" ]; then
-        stty -echo
-        {
-            IFS= read -p "Enter encryption PASSWORD=: " -r PASSWORD
-            echo
-            (
-                IFS= read -p "Repeat: " -r PASSWORD2
-                [ "$PASSWORD" = "$PASSWORD2" ] || { warn 'ERROR: Password mismatch!'; exit 1; }
-            )
-        } < /dev/tty
-        stty echo
+        cmd_pw > /dev/null
     fi
 
     # Set up encryption via OpenSSL
@@ -831,6 +837,7 @@ case "$cmd" in
     largest) verbose cmd_largest "$@" ;;
     checkout) verbose cmd_checkout "$@" ;;
     gc) verbose cmd_gc "$@" ;;
+    pw) verbose cmd_pw "$@" ;;
     git_enc) verbose git_enc "$@" ;;
     git)
         # Handle buggy ls-files in bare plain repo