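#!/bin/bash
# ============================================================================
# ROA2WEB - Backup Environment Secrets (Encrypted)
# ============================================================================
# This script creates encrypted backups of all .env files containing secrets
# Usage:
#   ./scripts/backup-secrets.sh                               # Interactive (prompts for password)
#   BACKUP_PASSWORD="your-pass" ./scripts/backup-secrets.sh   # Non-interactive
#
# Requirements: openssl (usually pre-installed)
# Output: secrets-backup/YYYY-MM-DD_HH-MM-SS/<component>-<file>.enc
#
# Security notes:
#   - The password reaches openssl on stdin (-pass stdin), never on argv,
#     so it is not visible in `ps` output.
#   - The backup directory and every file written into it are owner-only
#     (umask 077).
#   - Files are encrypted with AES-256-CBC and a PBKDF2-derived key; the
#     matching restore step must use the same openssl options.

# -e: abort on an unhandled error; -u: unset variables are errors;
# -o pipefail: the password pipe into openssl fails if either side fails.
set -euo pipefail

# Colors for output
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

# All paths below (secret files and the output directory) are relative to the
# repository root. The usage line shows this script living in scripts/, so
# resolve the root from the script's own location instead of trusting the
# caller's working directory (otherwise every file is silently "Skipping").
cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1

echo -e "${GREEN}=== ROA2WEB Secrets Backup Tool ===${NC}"
echo ""

# Check if openssl is installed
if ! command -v openssl >/dev/null 2>&1; then
  echo -e "${RED}Error: openssl is not installed${NC}"
  echo "Install with: sudo apt-get install openssl"
  exit 1
fi

# Get password: from the environment when set, otherwise prompt twice.
# read -r keeps backslashes literal and IFS= keeps leading/trailing whitespace,
# so the password is used exactly as typed; -s hides the echo.
if [ -z "${BACKUP_PASSWORD:-}" ]; then
  echo -e "${YELLOW}Enter encryption password (will be hidden):${NC}"
  IFS= read -rs BACKUP_PASSWORD
  echo ""
  if [ -z "$BACKUP_PASSWORD" ]; then
    echo -e "${RED}Error: Password cannot be empty${NC}"
    exit 1
  fi
  echo -e "${YELLOW}Confirm password:${NC}"
  IFS= read -rs BACKUP_PASSWORD_CONFIRM
  echo ""
  if [ "$BACKUP_PASSWORD" != "$BACKUP_PASSWORD_CONFIRM" ]; then
    echo -e "${RED}Error: Passwords do not match${NC}"
    exit 1
  fi
  # The confirmation copy is no longer needed; keep only one copy in memory.
  unset BACKUP_PASSWORD_CONFIRM
fi

# Create backup directory with timestamp.
# umask 077 makes the directory and every file written below owner-only.
umask 077
BACKUP_DATE=$(date +%Y-%m-%d_%H-%M-%S)
BACKUP_DIR="secrets-backup/${BACKUP_DATE}"
mkdir -p "${BACKUP_DIR}"
echo -e "${YELLOW}Backup directory: ${BACKUP_DIR}${NC}"
echo ""

# List of secret files to backup (relative to the repository root)
SECRET_FILES=(
  "reports-app/backend/.env"
  "reports-app/backend/.env.prod"
  "reports-app/telegram-bot/.env"
  "reports-app/telegram-bot/.env.prod"
)

# Counters for the summary. FAILED is tracked so a partial run is not
# mistaken for a complete one.
BACKED_UP=0
SKIPPED=0
FAILED=0

# Backup each file
for file in "${SECRET_FILES[@]}"; do
  if [ ! -f "$file" ]; then
    echo -e "Skipping: ${YELLOW}$file${NC} (not found)"
    SKIPPED=$((SKIPPED + 1))
    echo ""
    continue
  fi

  echo -e "Encrypting: ${GREEN}$file${NC}"

  # Both components ship a .env and a .env.prod, so prefix the basename with
  # the component name to keep the output names unique.
  filename=$(basename "$file")
  if [[ "$file" == *"backend"* ]]; then
    component="backend"
  else
    component="telegram-bot"
  fi
  output_file="${BACKUP_DIR}/${component}-${filename}.enc"

  # Encrypt with AES-256-CBC; -salt -pbkdf2 derives the key from the password
  # with a random salt. The password is fed on stdin via printf (echo would
  # mangle a password starting with "-n"/"-e"). openssl's stderr is left
  # visible so the reason for a failure is shown instead of hidden.
  if printf '%s\n' "$BACKUP_PASSWORD" | openssl enc -aes-256-cbc -salt -pbkdf2 \
      -in "$file" -out "$output_file" -pass stdin; then
    echo -e " ✅ Saved to: ${output_file}"
    BACKED_UP=$((BACKED_UP + 1))
  else
    # Do not leave a truncated or empty .enc behind that a restore could
    # later pick up as if it were a good backup.
    rm -f -- "$output_file"
    echo -e " ${RED}❌ Failed to encrypt${NC}"
    FAILED=$((FAILED + 1))
  fi
  echo ""
done

# Create README in backup directory
cat > "${BACKUP_DIR}/README.md" <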