Add encrypted production secrets backup (2025-11-11)

Initial encrypted backup of all sensitive configuration files and SSH keys for version control and disaster recovery. Contents: - backend/.env and .env.prod (development and production config) - telegram-bot/.env and .env.prod (bot configuration) - secrets/ directory (SSH keys for Oracle server access) Encryption: AES-256-CBC with PBKDF2 using OpenSSL Total: 5 encrypted items (4 files + 1 directory archive) Backup date: 2025-11-11 14:46:50 ⚠️ IMPORTANT: Decryption password required for restore Password format: ROA2WEB_Backup_2024_Secure_Key_YYYYMMDD To restore: ./scripts/restore-secrets.sh 2025-11-11_14-46-50 All files are safely encrypted and can be committed to git without exposing sensitive credentials. Decryption password must be stored separately in password manager. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 14:47:34 +02:00
parent 71f0fcaab0
commit 53d108e7c8
6 changed files with 70 additions and 0 deletions
--- a/secrets-backup/2025-11-11_14-46-50/README.md
+++ b/secrets-backup/2025-11-11_14-46-50/README.md
@@ -0,0 +1,70 @@
+# ROA2WEB Secrets Backup
+
+**Date:** 2025-11-11_14-46-50
+**Backed up files:** 5
+**Encryption:** AES-256-CBC with PBKDF2
+
+## Files in this backup:
+
+### Environment Files:
+- backend-.env.enc (encrypted)
+- backend-.env.prod.enc (encrypted)
+- telegram-bot-.env.enc (encrypted)
+- telegram-bot-.env.prod.enc (encrypted)
+
+### Directories:
+- secrets.tar.enc (encrypted tar archive, 4 files)
+
+## How to restore:
+
+```bash
+# Restore all files automatically:
+./scripts/restore-secrets.sh 2025-11-11_14-46-50
+
+# Or manually decrypt a single file:
+openssl enc -aes-256-cbc -d -pbkdf2 -in backend-.env.enc -out .env
+
+# When prompted, enter the encryption password
+```
+
+## Manual restore to specific location:
+
+```bash
+# Backend .env
+openssl enc -aes-256-cbc -d -pbkdf2 \
+  -in backend-.env.enc \
+  -out ../../../reports-app/backend/.env
+
+# Backend .env.prod
+openssl enc -aes-256-cbc -d -pbkdf2 \
+  -in backend-.env.prod.enc \
+  -out ../../../reports-app/backend/.env.prod
+
+# Telegram Bot .env
+openssl enc -aes-256-cbc -d -pbkdf2 \
+  -in telegram-bot-.env.enc \
+  -out ../../../reports-app/telegram-bot/.env
+
+# Telegram Bot .env.prod
+openssl enc -aes-256-cbc -d -pbkdf2 \
+  -in telegram-bot-.env.prod.enc \
+  -out ../../../reports-app/telegram-bot/.env.prod
+
+# Decrypt and extract secrets directory
+openssl enc -aes-256-cbc -d -pbkdf2 -in secrets.tar.enc | \
+  tar -xf - -C ../../..
+```
+
+## Security Notes:
+
+- Files encrypted with AES-256-CBC using OpenSSL
+- Password-based encryption with PBKDF2 key derivation
+- Keep the encryption password safe in your password manager
+- Never commit decrypted .env files to git
+
+## Password Storage Recommendation:
+
+Store in password manager as:
+- **Title:** ROA2WEB Secrets Backup Password
+- **Type:** Secure Note or Password
+- **Notes:** Encryption password for secrets-backup/2025-11-11_14-46-50
--- a/secrets-backup/2025-11-11_14-46-50/backend-.env.enc
+++ b/secrets-backup/2025-11-11_14-46-50/backend-.env.enc
--- a/secrets-backup/2025-11-11_14-46-50/backend-.env.prod.enc
+++ b/secrets-backup/2025-11-11_14-46-50/backend-.env.prod.enc
--- a/secrets-backup/2025-11-11_14-46-50/secrets.tar.enc
+++ b/secrets-backup/2025-11-11_14-46-50/secrets.tar.enc
--- a/secrets-backup/2025-11-11_14-46-50/telegram-bot-.env.enc
+++ b/secrets-backup/2025-11-11_14-46-50/telegram-bot-.env.enc
--- a/secrets-backup/2025-11-11_14-46-50/telegram-bot-.env.prod.enc
+++ b/secrets-backup/2025-11-11_14-46-50/telegram-bot-.env.prod.enc