diff --git a/scripts/backup-secrets.sh b/scripts/backup-secrets.sh index 2b4f37a..6e5b129 100644 --- a/scripts/backup-secrets.sh +++ b/scripts/backup-secrets.sh @@ -65,6 +65,11 @@ SECRET_FILES=( "reports-app/telegram-bot/.env.prod" ) +# List of secret directories to backup (will backup all files inside) +SECRET_DIRS=( + "secrets" +) + # Counter for backed up files BACKED_UP=0 SKIPPED=0 @@ -101,6 +106,35 @@ for file in "${SECRET_FILES[@]}"; do echo "" done +# Backup directories +for dir in "${SECRET_DIRS[@]}"; do + if [ -d "$dir" ]; then + echo -e "Encrypting directory: ${GREEN}$dir${NC}" + + # Create tar archive of the directory + dir_name=$(basename "$dir") + output_file="${BACKUP_DIR}/${dir_name}.tar.enc" + + # Create tar and encrypt (pipe tar directly to openssl) + if tar -cf - "$dir" 2>/dev/null | \ + openssl enc -aes-256-cbc -salt -pbkdf2 \ + -out "$output_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null; then + echo -e " ✅ Saved to: ${output_file}" + BACKED_UP=$((BACKED_UP + 1)) + + # Count files in directory + file_count=$(find "$dir" -type f | wc -l) + echo -e " 📁 Included ${file_count} file(s) from directory" + else + echo -e " ${RED}❌ Failed to encrypt directory${NC}" + fi + else + echo -e "Skipping: ${YELLOW}$dir${NC} (not found)" + SKIPPED=$((SKIPPED + 1)) + fi + echo "" +done + # Create README in backup directory cat > "${BACKUP_DIR}/README.md" < "${BACKUP_DIR}/README.md" </dev/null | wc -l) + echo "- ${dir_name}.tar.enc (encrypted tar archive, ${file_count} files)" + fi +done) + ## How to restore: \`\`\`bash @@ -157,6 +201,10 @@ openssl enc -aes-256-cbc -d -pbkdf2 \\ openssl enc -aes-256-cbc -d -pbkdf2 \\ -in telegram-bot-.env.prod.enc \\ -out ../../../reports-app/telegram-bot/.env.prod + +# Decrypt and extract secrets directory +openssl enc -aes-256-cbc -d -pbkdf2 -in secrets.tar.enc | \\ + tar -xf - -C ../../.. \`\`\` ## Security Notes: diff --git a/scripts/restore-secrets.sh b/scripts/restore-secrets.sh index 273391e..2409f0c 100644 
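Review bot: In the new directory loop, `-pass pass:"$BACKUP_PASSWORD"` places the backup password on openssl's argv, where any local user can read it from the process list (and a `set -x` trace would log it) for as long as the encryption runs; `-pass env:BACKUP_PASSWORD` with the variable exported, or `-pass fd:3` fed from a pipe, keeps it out of argv. The same form appears in the directory-restore loop added to restore-secrets.sh, and the per-file loops above each of these hunks (outside the diff) presumably use it as well, so the change belongs in both scripts. Separately, the `if` around `tar -cf - "$dir" 2>/dev/null | openssl enc ...` reflects only openssl's exit status, so a tar error such as an unreadable file yields a truncated archive that is still announced with `✅ Saved to:` unless `set -o pipefail` is in effect from earlier in the script, which the hunk does not show; testing `${PIPESTATUS[0]}` after the pipeline, or enabling pipefail, closes that gap, and removing the two `2>/dev/null` would let the real error reach the output. Finally, `output_file` is keyed on `basename "$dir"` alone, so two SECRET_DIRS entries that share a last path component would overwrite each other's `.tar.enc` without any warning.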
--- a/scripts/restore-secrets.sh +++ b/scripts/restore-secrets.sh @@ -63,21 +63,38 @@ echo "" # List encrypted files in backup ENCRYPTED_FILES=() +ENCRYPTED_DIRS=() + for file in "${BACKUP_DIR}"/*.enc; do if [ -f "$file" ]; then - ENCRYPTED_FILES+=("$file") + filename=$(basename "$file") + # Check if it's a tar archive (directory backup) + if [[ "$filename" == *.tar.enc ]]; then + ENCRYPTED_DIRS+=("$file") + else + ENCRYPTED_FILES+=("$file") + fi fi done -if [ ${#ENCRYPTED_FILES[@]} -eq 0 ]; then +if [ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]; then echo -e "${RED}Error: No encrypted files found in backup${NC}" exit 1 fi -echo "Found ${#ENCRYPTED_FILES[@]} encrypted file(s):" -for file in "${ENCRYPTED_FILES[@]}"; do - echo " - $(basename "$file")" -done +echo "Found in backup:" +if [ ${#ENCRYPTED_FILES[@]} -gt 0 ]; then + echo " 📄 ${#ENCRYPTED_FILES[@]} environment file(s):" + for file in "${ENCRYPTED_FILES[@]}"; do + echo " - $(basename "$file")" + done +fi +if [ ${#ENCRYPTED_DIRS[@]} -gt 0 ]; then + echo " 📁 ${#ENCRYPTED_DIRS[@]} directory archive(s):" + for file in "${ENCRYPTED_DIRS[@]}"; do + echo " - $(basename "$file")" + done +fi echo "" # Ask for confirmation 
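Review bot: The classification block mixes the POSIX tests `[ -f "$file" ]` and `[ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]` with the bash-only `[[ "$filename" == *.tar.enc ]]` a few lines apart; since the pattern match already commits the script to bash, the single-bracket tests read more consistently as `[[ -f "$file" ]]` and `[[ ${#ENCRYPTED_FILES[@]} -eq 0 && ${#ENCRYPTED_DIRS[@]} -eq 0 ]]`. The per-file `filename=$(basename "$file")` subshell can be the parameter expansion `filename=${file##*/}`. The `.tar.enc` suffix is the only thing that decides an `.enc` file will be fed to `tar` on restore, so a short comment on the `ENCRYPTED_DIRS=()` line such as `# *.tar.enc = encrypted tar of a SECRET_DIRS entry (see backup-secrets.sh); other *.enc = single file` would make the naming contract between the two scripts explicit.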
@@ -145,6 +162,30 @@ for encrypted_file in "${ENCRYPTED_FILES[@]}"; do echo "" done +# Restore directory archives +for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do + filename=$(basename "$encrypted_file" .enc) + dir_name=$(basename "$filename" .tar) + + echo -e "Decrypting directory: ${GREEN}$dir_name${NC}" + echo -e " Target: $dir_name/" + + # Decrypt and extract tar archive + if openssl enc -aes-256-cbc -d -pbkdf2 \ + -in "$encrypted_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null | tar -xf - 2>/dev/null; then + echo -e " ✅ Restored successfully" + RESTORED=$((RESTORED + 1)) + + # Count restored files + file_count=$(find "$dir_name" -type f 2>/dev/null | wc -l) + echo -e " 📁 Extracted ${file_count} file(s)" + else + echo -e " ${RED}❌ Failed to decrypt/extract (wrong password?)${NC}" + FAILED=$((FAILED + 1)) + fi + echo "" +done + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" if [ $FAILED -eq 0 ]; then echo -e "${GREEN}✅ Restore completed successfully${NC}"
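Review bot: `tar -xf -` writes whatever member paths the archive carries into the current directory, so `dir_name`, derived from the file name, only labels the output: the `Target: $dir_name/` message and the `find "$dir_name"` count can disagree with what was actually extracted if the archive was produced differently or altered, and AES-CBC with PBKDF2 but no MAC gives the script no integrity check that would catch such a change. Extracting into a private staging directory created with `mktemp -d`, accepting the result only when its sole top-level entry is `$dir_name`, and then copying it into place ties the archive contents to the name it was filed under (GNU tar's defaults already refuse absolute and `..` members, but nothing checks the prefix). As in the backup loop, the `if` sees only tar's exit status and the `2>/dev/null` on both stages discards the reason for a failure, so a wrong password surfaces only as a tar parse error; running the pipeline under `set -o pipefail` in a subshell makes the check independent of whatever options the script sets earlier (outside the hunk). Extracted files keep their archived modes subject to the umask, whereas the per-file restore loop above this hunk may tighten permissions on restored secrets; if it does, a `chmod -R go-rwx` after a successful extract keeps the directory restore consistent, and that is what the sketch below assumes.
```shell
for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do
  filename=$(basename "$encrypted_file" .enc)
  dir_name=$(basename "$filename" .tar)
  # … unchanged: progress messages …

  # Extract into a private staging directory first so the archive's member
  # paths can be checked against the name the backup was filed under.
  staging=$(mktemp -d) || { echo -e "  ${RED}❌ mktemp failed${NC}"; FAILED=$((FAILED + 1)); continue; }
  # pipefail in a subshell: a failed decrypt is reported even if the script
  # does not set it globally.
  if (set -o pipefail; openssl enc -aes-256-cbc -d -pbkdf2 \
        -in "$encrypted_file" -pass pass:"$BACKUP_PASSWORD" | tar -xf - -C "$staging") \
     && [ -d "$staging/$dir_name" ] \
     && [ -z "$(find "$staging" -mindepth 1 -maxdepth 1 ! -name "$dir_name" -print -quit)" ]; then
    mkdir -p -- "$dir_name"
    cp -a -- "$staging/$dir_name/." "$dir_name/"
    chmod -R go-rwx -- "$dir_name"   # secrets: never group/world readable
    # … unchanged: success message, RESTORED counter, file count …
  else
    echo -e "  ${RED}❌ Failed to decrypt/extract (wrong password or unexpected archive layout)${NC}"
    FAILED=$((FAILED + 1))
  fi
  rm -rf -- "${staging:?}"
  echo ""
done
```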