roa2web-service-auto/secrets-backup/2025-11-11_14-46-50/README.md
Marius Mutu 53d108e7c8 Add encrypted production secrets backup (2025-11-11)
Initial encrypted backup of all sensitive configuration files and SSH keys
for version control and disaster recovery.

Contents:
- backend/.env and .env.prod (development and production config)
- telegram-bot/.env and .env.prod (bot configuration)
- secrets/ directory (SSH keys for Oracle server access)

Encryption: AES-256-CBC with PBKDF2 using OpenSSL
Total: 5 encrypted items (4 files + 1 directory archive)
Backup date: 2025-11-11 14:46:50

⚠️ IMPORTANT: Decryption password required for restore
Password format: ROA2WEB_Backup_2024_Secure_Key_YYYYMMDD

To restore:
./scripts/restore-secrets.sh 2025-11-11_14-46-50

All files are safely encrypted and can be committed to git without
exposing sensitive credentials. Decryption password must be stored
separately in password manager.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 14:47:34 +02:00

ROA2WEB Secrets Backup

Date: 2025-11-11_14-46-50
Backed up files: 5
Encryption: AES-256-CBC with PBKDF2

Files in this backup:

Environment Files:

  • backend-.env.enc (encrypted)
  • backend-.env.prod.enc (encrypted)
  • telegram-bot-.env.enc (encrypted)
  • telegram-bot-.env.prod.enc (encrypted)

Directories:

  • secrets.tar.enc (encrypted tar archive, 4 files)

How to restore:

# Restore all files automatically:
./scripts/restore-secrets.sh 2025-11-11_14-46-50

# Or manually decrypt a single file:
openssl enc -aes-256-cbc -d -pbkdf2 -in backend-.env.enc -out .env

# When prompted, enter the encryption password

Manual restore to specific location:

# Backend .env
openssl enc -aes-256-cbc -d -pbkdf2 \
  -in backend-.env.enc \
  -out ../../../reports-app/backend/.env

# Backend .env.prod
openssl enc -aes-256-cbc -d -pbkdf2 \
  -in backend-.env.prod.enc \
  -out ../../../reports-app/backend/.env.prod

# Telegram Bot .env
openssl enc -aes-256-cbc -d -pbkdf2 \
  -in telegram-bot-.env.enc \
  -out ../../../reports-app/telegram-bot/.env

# Telegram Bot .env.prod
openssl enc -aes-256-cbc -d -pbkdf2 \
  -in telegram-bot-.env.prod.enc \
  -out ../../../reports-app/telegram-bot/.env.prod

# Decrypt and extract secrets directory
openssl enc -aes-256-cbc -d -pbkdf2 -in secrets.tar.enc | \
  tar -xf - -C ../../..
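
A hardened form of the manual decrypt and extract steps above, added here as an example (it is not the repository's `restore-secrets.sh`). `openssl enc` in CBC mode carries no authentication tag, so a zero exit status means only that the padding was valid; the functions therefore decrypt to a private temporary file and move it into place only on success. The function names and the `BACKUP_PASS` environment variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the repository's restore-secrets.sh).
# BACKUP_PASS is an assumed environment variable holding the password.

# Decrypt one .enc file to DEST with mode 0600; DEST is untouched on failure.
restore_secret() {
  local enc="$1" dest="$2" tmp
  # Salted `openssl enc` output begins with the 8-byte magic "Salted__".
  if [ "$(head -c 8 "$enc" 2>/dev/null)" != "Salted__" ]; then
    echo "not a salted openssl enc file: $enc" >&2
    return 2
  fi
  # mktemp creates the file 0600, so plaintext is never group/world readable.
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if openssl enc -aes-256-cbc -d -pbkdf2 -pass env:BACKUP_PASS \
       -in "$enc" -out "$tmp" 2>/dev/null; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"   # discard partial plaintext from a failed decrypt
    echo "decryption failed: $enc" >&2
    return 1
  fi
}

# Decrypt a .tar.enc fully, confirm it lists as a tar, then extract.
# This avoids piping a failed decrypt's output straight into tar.
restore_archive() {
  local enc="$1" destdir="$2" tmp rc=0
  tmp="$(mktemp)" || return 1
  restore_secret "$enc" "$tmp" \
    && tar -tf "$tmp" >/dev/null 2>&1 \
    && (umask 077; tar -xf "$tmp" -C "$destdir") || rc=1
  rm -f "$tmp"
  return "$rc"
}
```

Passing the password with `-pass env:BACKUP_PASS` keeps it out of the process argument list; unset the variable once the restore finishes.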

Security Notes:

  • Files encrypted with AES-256-CBC using OpenSSL
  • Password-based encryption with PBKDF2 key derivation
  • Keep the encryption password safe in your password manager
  • Never commit decrypted .env files to git

Password Storage Recommendation:

Store in password manager as:

  • Title: ROA2WEB Secrets Backup Password
  • Type: Secure Note or Password
  • Notes: Encryption password for secrets-backup/2025-11-11_14-46-50