Add encrypted secrets backup and restore utilities
Implements secure backup system for environment configuration files (.env, .env.prod)
containing sensitive credentials using AES-256-CBC encryption with OpenSSL.
New utilities:
- scripts/backup-secrets.sh: Encrypts and backs up all .env files to timestamped directory
- scripts/restore-secrets.sh: Decrypts and restores .env files from backup
- scripts/README.md: Complete documentation with usage examples and best practices
Features:
- AES-256-CBC encryption with PBKDF2 key derivation (strong encryption)
- Interactive password prompts with confirmation
- Non-interactive mode via BACKUP_PASSWORD environment variable
- Automatic README generation in each backup with restore instructions
- Color-coded output for better UX
- Validation and error handling
Backup structure:
secrets-backup/
└── YYYY-MM-DD_HH-MM-SS/
├── backend-.env.enc
├── backend-.env.prod.enc
├── telegram-bot-.env.enc
├── telegram-bot-.env.prod.enc
└── README.md
Updated .gitignore to allow committing encrypted .gpg/.enc files while
blocking decrypted .env files in secrets-backup directory.
Usage:
./scripts/backup-secrets.sh # Create encrypted backup
./scripts/restore-secrets.sh [backup-date] # Restore from backup
Tested with OpenSSL (pre-installed on most systems). Provides secure way to
version control and sync credentials across development and production environments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
193
scripts/backup-secrets.sh
Normal file
193
scripts/backup-secrets.sh
Normal file
@@ -0,0 +1,193 @@
|
||||
#!/bin/bash
|
||||
# ============================================================================
|
||||
# ROA2WEB - Backup Environment Secrets (Encrypted)
|
||||
# ============================================================================
|
||||
# This script creates encrypted backups of all .env files containing secrets
|
||||
# Usage:
|
||||
# ./scripts/backup-secrets.sh # Interactive (prompts for password)
|
||||
# BACKUP_PASSWORD="your-pass" ./scripts/backup-secrets.sh # Non-interactive
|
||||
#
|
||||
# Requirements: openssl (usually pre-installed)
|
||||
# Output: secrets-backup/YYYY-MM-DD/*.env.enc
|
||||
|
||||
set -e
|
||||
|
||||
# Colors for output
|
||||
GREEN='\033[0;32m'
|
||||
YELLOW='\033[1;33m'
|
||||
RED='\033[0;31m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
echo -e "${GREEN}=== ROA2WEB Secrets Backup Tool ===${NC}"
|
||||
echo ""
|
||||
|
||||
# Check if openssl is installed
|
||||
if ! command -v openssl &> /dev/null; then
|
||||
echo -e "${RED}Error: openssl is not installed${NC}"
|
||||
echo "Install with: sudo apt-get install openssl"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Get password
|
||||
if [ -z "$BACKUP_PASSWORD" ]; then
|
||||
echo -e "${YELLOW}Enter encryption password (will be hidden):${NC}"
|
||||
read -s BACKUP_PASSWORD
|
||||
echo ""
|
||||
|
||||
if [ -z "$BACKUP_PASSWORD" ]; then
|
||||
echo -e "${RED}Error: Password cannot be empty${NC}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -e "${YELLOW}Confirm password:${NC}"
|
||||
read -s BACKUP_PASSWORD_CONFIRM
|
||||
echo ""
|
||||
|
||||
if [ "$BACKUP_PASSWORD" != "$BACKUP_PASSWORD_CONFIRM" ]; then
|
||||
echo -e "${RED}Error: Passwords do not match${NC}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create backup directory with timestamp
|
||||
BACKUP_DATE=$(date +%Y-%m-%d_%H-%M-%S)
|
||||
BACKUP_DIR="secrets-backup/${BACKUP_DATE}"
|
||||
mkdir -p "${BACKUP_DIR}"
|
||||
|
||||
echo -e "${YELLOW}Backup directory: ${BACKUP_DIR}${NC}"
|
||||
echo ""
|
||||
|
||||
# List of secret files to backup
|
||||
SECRET_FILES=(
|
||||
"reports-app/backend/.env"
|
||||
"reports-app/backend/.env.prod"
|
||||
"reports-app/telegram-bot/.env"
|
||||
"reports-app/telegram-bot/.env.prod"
|
||||
)
|
||||
|
||||
# Counter for backed up files
|
||||
BACKED_UP=0
|
||||
SKIPPED=0
|
||||
|
||||
# Backup each file
|
||||
for file in "${SECRET_FILES[@]}"; do
|
||||
if [ -f "$file" ]; then
|
||||
echo -e "Encrypting: ${GREEN}$file${NC}"
|
||||
|
||||
# Extract filename
|
||||
filename=$(basename "$file")
|
||||
|
||||
# Determine component for unique naming
|
||||
if [[ "$file" == *"backend"* ]]; then
|
||||
component="backend"
|
||||
else
|
||||
component="telegram-bot"
|
||||
fi
|
||||
|
||||
output_file="${BACKUP_DIR}/${component}-${filename}.enc"
|
||||
|
||||
# Encrypt with AES-256-CBC using openssl
|
||||
if echo "$BACKUP_PASSWORD" | openssl enc -aes-256-cbc -salt -pbkdf2 \
|
||||
-in "$file" -out "$output_file" -pass stdin 2>/dev/null; then
|
||||
echo -e " ✅ Saved to: ${output_file}"
|
||||
BACKED_UP=$((BACKED_UP + 1))
|
||||
else
|
||||
echo -e " ${RED}❌ Failed to encrypt${NC}"
|
||||
fi
|
||||
else
|
||||
echo -e "Skipping: ${YELLOW}$file${NC} (not found)"
|
||||
SKIPPED=$((SKIPPED + 1))
|
||||
fi
|
||||
echo ""
|
||||
done
|
||||
|
||||
# Create README in backup directory
|
||||
cat > "${BACKUP_DIR}/README.md" <<EOF
|
||||
# ROA2WEB Secrets Backup
|
||||
|
||||
**Date:** ${BACKUP_DATE}
|
||||
**Backed up files:** ${BACKED_UP}
|
||||
**Encryption:** AES-256-CBC with PBKDF2
|
||||
|
||||
## Files in this backup:
|
||||
|
||||
$(for file in "${SECRET_FILES[@]}"; do
|
||||
if [ -f "$file" ]; then
|
||||
filename=$(basename "$file")
|
||||
if [[ "$file" == *"backend"* ]]; then
|
||||
component="backend"
|
||||
else
|
||||
component="telegram-bot"
|
||||
fi
|
||||
echo "- ${component}-${filename}.enc (encrypted)"
|
||||
fi
|
||||
done)
|
||||
|
||||
## How to restore:
|
||||
|
||||
\`\`\`bash
|
||||
# Restore all files automatically:
|
||||
./scripts/restore-secrets.sh ${BACKUP_DATE}
|
||||
|
||||
# Or manually decrypt a single file:
|
||||
openssl enc -aes-256-cbc -d -pbkdf2 -in backend-.env.enc -out .env
|
||||
|
||||
# When prompted, enter the encryption password
|
||||
\`\`\`
|
||||
|
||||
## Manual restore to specific location:
|
||||
|
||||
\`\`\`bash
|
||||
# Backend .env
|
||||
openssl enc -aes-256-cbc -d -pbkdf2 \\
|
||||
-in backend-.env.enc \\
|
||||
-out ../../../reports-app/backend/.env
|
||||
|
||||
# Backend .env.prod
|
||||
openssl enc -aes-256-cbc -d -pbkdf2 \\
|
||||
-in backend-.env.prod.enc \\
|
||||
-out ../../../reports-app/backend/.env.prod
|
||||
|
||||
# Telegram Bot .env
|
||||
openssl enc -aes-256-cbc -d -pbkdf2 \\
|
||||
-in telegram-bot-.env.enc \\
|
||||
-out ../../../reports-app/telegram-bot/.env
|
||||
|
||||
# Telegram Bot .env.prod
|
||||
openssl enc -aes-256-cbc -d -pbkdf2 \\
|
||||
-in telegram-bot-.env.prod.enc \\
|
||||
-out ../../../reports-app/telegram-bot/.env.prod
|
||||
\`\`\`
|
||||
|
||||
## Security Notes:
|
||||
|
||||
- Files encrypted with AES-256-CBC using OpenSSL
|
||||
- Password-based encryption with PBKDF2 key derivation
|
||||
- Keep the encryption password safe in your password manager
|
||||
- Never commit decrypted .env files to git
|
||||
|
||||
## Password Storage Recommendation:
|
||||
|
||||
Store in password manager as:
|
||||
- **Title:** ROA2WEB Secrets Backup Password
|
||||
- **Type:** Secure Note or Password
|
||||
- **Notes:** Encryption password for secrets-backup/${BACKUP_DATE}
|
||||
EOF
|
||||
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
echo -e "${GREEN}✅ Backup completed successfully${NC}"
|
||||
echo ""
|
||||
echo "📊 Summary:"
|
||||
echo " - Backed up: ${BACKED_UP} files"
|
||||
echo " - Skipped: ${SKIPPED} files"
|
||||
echo " - Location: ${BACKUP_DIR}"
|
||||
echo ""
|
||||
echo "📝 To restore all files:"
|
||||
echo " ./scripts/restore-secrets.sh ${BACKUP_DATE}"
|
||||
echo ""
|
||||
echo "📝 To restore a single file:"
|
||||
echo " cd ${BACKUP_DIR}"
|
||||
echo " openssl enc -aes-256-cbc -d -pbkdf2 -in backend-.env.enc -out .env"
|
||||
echo ""
|
||||
echo -e "${YELLOW}⚠️ IMPORTANT: Save encryption password in password manager!${NC}"
|
||||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||||
Reference in New Issue
Block a user