Make encryption mandatory — archive contains all secrets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 20:37:55 +00:00
parent dbc87be2bd
commit b75cf663de
+19 -18
@@ -28,7 +28,7 @@ VPS_USER="root"
VPS_BACKUP_DIR="/opt/backups/vm-apps"
KEEP_BACKUPS=7
BACKUP_PASSWORD="" # Set this to encrypt the archive, or leave blank to skip encryption
BACKUP_PASSWORD="" # Leave blank to be prompted each run (recommended)
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz"
ENCRYPTED_NAME="${ARCHIVE_NAME}.enc"
@@ -59,12 +59,19 @@ docker ps | grep -q rv50x-postgres || error "rv50x-postgres is not running — s
info "Preflight OK"
# ── Prompt for backup password if not set ────────────────────────────────────
# ── Require backup password ──────────────────────────────────────────────────
if [ -z "$BACKUP_PASSWORD" ]; then
echo ""
read -rsp "Enter backup encryption password (leave blank to skip encryption): " BACKUP_PASSWORD
while true; do
read -rsp "Enter backup encryption password: " BACKUP_PASSWORD
echo ""
[ -n "$BACKUP_PASSWORD" ] && break
warn "Password cannot be blank — the archive contains all secrets and must be encrypted"
done
read -rsp "Confirm password: " BACKUP_PASSWORD_CONFIRM
echo ""
[ "$BACKUP_PASSWORD" = "$BACKUP_PASSWORD_CONFIRM" ] || error "Passwords do not match"
fi
# ── Stage files ──────────────────────────────────────────────────────────────
@@ -113,22 +120,16 @@ tar -czf "$WORK_DIR/$ARCHIVE_NAME" -C "$STAGE" .
ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1)
info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)"
# ── Encrypt (optional) ───────────────────────────────────────────────────────
# ── Encrypt ──────────────────────────────────────────────────────────────────
if [ -n "$BACKUP_PASSWORD" ]; then
section "Encrypting archive"
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
-in "$WORK_DIR/$ARCHIVE_NAME" \
-out "$WORK_DIR/$ENCRYPTED_NAME" \
-pass pass:"$BACKUP_PASSWORD"
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
UPLOAD_NAME="$ENCRYPTED_NAME"
info "Archive encrypted"
else
warn "No password set — archive will NOT be encrypted"
UPLOAD_FILE="$WORK_DIR/$ARCHIVE_NAME"
UPLOAD_NAME="$ARCHIVE_NAME"
fi
section "Encrypting archive"
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
-in "$WORK_DIR/$ARCHIVE_NAME" \
-out "$WORK_DIR/$ENCRYPTED_NAME" \
-pass pass:"$BACKUP_PASSWORD"
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
UPLOAD_NAME="$ENCRYPTED_NAME"
info "Archive encrypted"
# ── Upload to VPS ────────────────────────────────────────────────────────────