Add encrypted secrets backup and restore utilities

Implements secure backup system for environment configuration files (.env, .env.prod)
containing sensitive credentials using AES-256-CBC encryption with OpenSSL.

New utilities:
- scripts/backup-secrets.sh: Encrypts and backs up all .env files to timestamped directory
- scripts/restore-secrets.sh: Decrypts and restores .env files from backup
- scripts/README.md: Complete documentation with usage examples and best practices

Features:
- AES-256-CBC encryption with PBKDF2 key derivation (strong encryption)
- Interactive password prompts with confirmation
- Non-interactive mode via BACKUP_PASSWORD environment variable
- Automatic README generation in each backup with restore instructions
- Color-coded output for better UX
- Validation and error handling

Backup structure:
secrets-backup/
└── YYYY-MM-DD_HH-MM-SS/
    ├── backend-.env.enc
    ├── backend-.env.prod.enc
    ├── telegram-bot-.env.enc
    ├── telegram-bot-.env.prod.enc
    └── README.md

Updated .gitignore to allow committing encrypted .gpg/.enc files while
blocking decrypted .env files in secrets-backup directory.

Usage:
./scripts/backup-secrets.sh                    # Create encrypted backup
./scripts/restore-secrets.sh [backup-date]     # Restore from backup

Tested with OpenSSL (pre-installed on most systems). Provides a secure way to
version control and sync credentials across development and production environments.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 12:36:43 +02:00
parent 830c5c8181
commit 60346ff7da
4 changed files with 564 additions and 0 deletions

.gitignore

@@ -465,3 +465,18 @@ TELEGRAM_EMAIL_AUTH_PLAN*.md
# Weird pip artifacts
=*
# ============================================================================
# 🔒 ENCRYPTED SECRETS BACKUP (Optional)
# ============================================================================
# Encrypted backups created by scripts/backup-secrets.sh
# Option 1: Commit encrypted .gpg files (safe, password-protected)
# Option 2: Ignore all backups (keep only local)
# Uncomment to ignore all backups (Option 2):
# secrets-backup/
# Keep only encrypted files, ignore decrypted ones (Option 1):
secrets-backup/**/*.env
secrets-backup/**/.env.*
!secrets-backup/**/*.gpg
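Review bot: the re-include rule at the end of the hunk, `!secrets-backup/**/*.gpg`, negates only `*.gpg`, while the commit message says the scripts write `.enc` files and the backup tree lists `backend-.env.enc`, `backend-.env.prod.enc` and so on; either those `.enc` files are only committed because no earlier rule in the file happens to match them, or the negation targets the wrong extension, so add `!secrets-backup/**/*.enc` (or rename the script output) and update the "Option 1" comment that still speaks of `.gpg` files. The two ignore patterns above it also do not match the file names the backup tree actually uses: `*.env` matches `backend-.env` but not `backend-.env.prod`, and `.env.*` only matches basenames that begin with `.env.`, so a decrypted `backend-.env.prod` left in a backup directory would not be blocked; a pattern such as `secrets-backup/**/*-.env*` placed before the `.gpg`/`.enc` negations would cover the prefixed names while the negations keep the encrypted copies committable.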