From b75cf663de77233bebde434123c4db5a56c05cbc Mon Sep 17 00:00:00 2001 From: D Stephenson Date: Tue, 5 May 2026 20:37:55 +0000 Subject: [PATCH] =?UTF-8?q?Make=20encryption=20mandatory=20=E2=80=94=20arc?= =?UTF-8?q?hive=20contains=20all=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- backup.sh | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/backup.sh b/backup.sh index 1d948d4..3cddb9f 100755 --- a/backup.sh +++ b/backup.sh @@ -28,7 +28,7 @@ VPS_USER="root" VPS_BACKUP_DIR="/opt/backups/vm-apps" KEEP_BACKUPS=7 -BACKUP_PASSWORD="" # Set this to encrypt the archive, or leave blank to skip encryption +BACKUP_PASSWORD="" # Leave blank to be prompted each run (recommended) TIMESTAMP=$(date +"%Y%m%d_%H%M%S") ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz" ENCRYPTED_NAME="${ARCHIVE_NAME}.enc" @@ -59,12 +59,19 @@ docker ps | grep -q rv50x-postgres || error "rv50x-postgres is not running — s info "Preflight OK" -# ── Prompt for backup password if not set ──────────────────────────────────── +# ── Require backup password ────────────────────────────────────────────────── if [ -z "$BACKUP_PASSWORD" ]; then echo "" - read -rsp "Enter backup encryption password (leave blank to skip encryption): " BACKUP_PASSWORD + while true; do + read -rsp "Enter backup encryption password: " BACKUP_PASSWORD + echo "" + [ -n "$BACKUP_PASSWORD" ] && break + warn "Password cannot be blank — the archive contains all secrets and must be encrypted" + done + read -rsp "Confirm password: " BACKUP_PASSWORD_CONFIRM echo "" + [ "$BACKUP_PASSWORD" = "$BACKUP_PASSWORD_CONFIRM" ] || error "Passwords do not match" fi # ── Stage files ────────────────────────────────────────────────────────────── @@ -113,22 +120,16 @@ tar -czf "$WORK_DIR/$ARCHIVE_NAME" -C "$STAGE" . ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1) info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)" -# ── Encrypt (optional) ─────────────────────────────────────────────────────── +# ── Encrypt ────────────────────────────────────────────────────────────────── -if [ -n "$BACKUP_PASSWORD" ]; then - section "Encrypting archive" - openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \ - -in "$WORK_DIR/$ARCHIVE_NAME" \ - -out "$WORK_DIR/$ENCRYPTED_NAME" \ - -pass pass:"$BACKUP_PASSWORD" - UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME" - UPLOAD_NAME="$ENCRYPTED_NAME" - info "Archive encrypted" -else - warn "No password set — archive will NOT be encrypted" - UPLOAD_FILE="$WORK_DIR/$ARCHIVE_NAME" - UPLOAD_NAME="$ARCHIVE_NAME" -fi +section "Encrypting archive" +openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \ + -in "$WORK_DIR/$ARCHIVE_NAME" \ + -out "$WORK_DIR/$ENCRYPTED_NAME" \ + -pass pass:"$BACKUP_PASSWORD" +UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME" +UPLOAD_NAME="$ENCRYPTED_NAME" +info "Archive encrypted" # ── Upload to VPS ────────────────────────────────────────────────────────────