Add encrypted secrets backup and restore utilities
Implements secure backup system for environment configuration files (.env, .env.prod)
containing sensitive credentials using AES-256-CBC encryption with OpenSSL.
New utilities:
- scripts/backup-secrets.sh: Encrypts and backs up all .env files to timestamped directory
- scripts/restore-secrets.sh: Decrypts and restores .env files from backup
- scripts/README.md: Complete documentation with usage examples and best practices
Features:
- AES-256-CBC encryption with PBKDF2 key derivation (strong encryption)
- Interactive password prompts with confirmation
- Non-interactive mode via BACKUP_PASSWORD environment variable
- Automatic README generation in each backup with restore instructions
- Color-coded output for better UX
- Validation and error handling
Backup structure:
secrets-backup/
└── YYYY-MM-DD_HH-MM-SS/
├── backend-.env.enc
├── backend-.env.prod.enc
├── telegram-bot-.env.enc
├── telegram-bot-.env.prod.enc
└── README.md
Updated .gitignore to allow committing encrypted .gpg/.enc files while
blocking decrypted .env files in secrets-backup directory.
Usage:
./scripts/backup-secrets.sh # Create encrypted backup
./scripts/restore-secrets.sh [backup-date] # Restore from backup
Tested with OpenSSL (pre-installed on most systems). Provides secure way to
version control and sync credentials across development and production environments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
15
.gitignore
vendored
15
.gitignore
vendored
@@ -465,3 +465,18 @@ TELEGRAM_EMAIL_AUTH_PLAN*.md
|
||||
|
||||
# Weird pip artifacts
|
||||
=*
|
||||
|
||||
# ============================================================================
|
||||
# 🔒 ENCRYPTED SECRETS BACKUP (Optional)
|
||||
# ============================================================================
|
||||
# Encrypted backups created by scripts/backup-secrets.sh
|
||||
# Option 1: Commit encrypted .gpg files (safe, password-protected)
|
||||
# Option 2: Ignore all backups (keep only local)
|
||||
|
||||
# Uncomment to ignore all backups (Option 2):
|
||||
# secrets-backup/
|
||||
|
||||
# Keep only encrypted files, ignore decrypted ones (Option 1):
|
||||
secrets-backup/**/*.env
|
||||
secrets-backup/**/.env.*
|
||||
!secrets-backup/**/*.gpg
|
||||
|
||||
Reference in New Issue
Block a user