Commit Graph

1 Commits

Author SHA1 Message Date
60346ff7da Add encrypted secrets backup and restore utilities
Implements a secure backup system for environment configuration files (.env, .env.prod)
containing sensitive credentials using AES-256-CBC encryption with OpenSSL.

New utilities:
- scripts/backup-secrets.sh: Encrypts and backs up all .env files to a timestamped directory
- scripts/restore-secrets.sh: Decrypts and restores .env files from backup
- scripts/README.md: Complete documentation with usage examples and best practices

Features:
- AES-256-CBC encryption with PBKDF2 key derivation (strong encryption)
- Interactive password prompts with confirmation
- Non-interactive mode via BACKUP_PASSWORD environment variable
- Automatic README generation in each backup with restore instructions
- Color-coded output for better UX
- Validation and error handling

Backup structure:
secrets-backup/
└── YYYY-MM-DD_HH-MM-SS/
    ├── backend-.env.enc
    ├── backend-.env.prod.enc
    ├── telegram-bot-.env.enc
    ├── telegram-bot-.env.prod.enc
    └── README.md

Updated .gitignore to allow committing encrypted .gpg/.enc files while
blocking decrypted .env files in secrets-backup directory.

Usage:
./scripts/backup-secrets.sh                    # Create encrypted backup
./scripts/restore-secrets.sh [backup-date]     # Restore from backup

Tested with OpenSSL (pre-installed on most systems). Provides a secure way to
version control and sync credentials across development and production environments.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 12:36:43 +02:00
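
The encrypt and restore round trip the commit message describes can be sketched as follows. This is an added example, not the contents of scripts/backup-secrets.sh or scripts/restore-secrets.sh: the function names, the temporary layout and the sample values are assumptions, while the cipher, PBKDF2, the BACKUP_PASSWORD variable and the `backend-.env.enc` naming come from the message.

```shell
#!/usr/bin/env bash
# Added example. Function names and sample values are assumptions.
# The passphrase is read from BACKUP_PASSWORD via "-pass env:", so it
# never appears in the openssl argument list.

encrypt_env() {   # encrypt_env <plaintext> <ciphertext>
  openssl enc -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass env:BACKUP_PASSWORD
}

decrypt_env() {   # decrypt_env <ciphertext> <plaintext>
  # Restored file is created owner-only; partial output is removed on failure.
  ( umask 077
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" \
      -pass env:BACKUP_PASSWORD 2>/dev/null ) || { rm -f "$2"; return 1; }
}

backup_name() {   # backend/.env.prod -> backend-.env.prod.enc
  printf '%s-%s.enc\n' "$(basename "$(dirname "$1")")" "$(basename "$1")"
}

roundtrip_demo() (   # subshell body: variables and the export stay local
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  src="$work/backend/.env"
  out="$work/secrets-backup/$(date +%Y-%m-%d_%H-%M-%S)"
  mkdir -p "$work/backend" "$out" || exit 1
  printf 'DB_PASSWORD=constructed-sample-value\n' > "$src"   # constructed input
  enc="$out/$(backup_name "$src")"

  export BACKUP_PASSWORD='constructed-demo-passphrase'
  encrypt_env "$src" "$enc" || exit 1
  # The plaintext must not be readable in the backup file.
  if grep -q 'constructed-sample-value' "$enc"; then exit 1; fi
  decrypt_env "$enc" "$work/restored.env" || exit 1
  cmp -s "$src" "$work/restored.env" || exit 1

  # CBC is unauthenticated: a wrong passphrase usually fails the padding
  # check, but can occasionally "succeed" with garbage. Either way the
  # result must never equal the original.
  BACKUP_PASSWORD='constructed-wrong-passphrase'
  if decrypt_env "$enc" "$work/wrong.env"; then
    if cmp -s "$src" "$work/wrong.env"; then exit 1; fi
  fi
)

roundtrip_demo && echo "round trip verified"
```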