Make encryption mandatory — archive contains all secrets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -28,7 +28,7 @@ VPS_USER="root"
|
|||||||
VPS_BACKUP_DIR="/opt/backups/vm-apps"
|
VPS_BACKUP_DIR="/opt/backups/vm-apps"
|
||||||
KEEP_BACKUPS=7
|
KEEP_BACKUPS=7
|
||||||
|
|
||||||
BACKUP_PASSWORD="" # Set this to encrypt the archive, or leave blank to skip encryption
|
BACKUP_PASSWORD="" # Leave blank to be prompted each run (recommended)
|
||||||
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
|
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
|
||||||
ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz"
|
ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz"
|
||||||
ENCRYPTED_NAME="${ARCHIVE_NAME}.enc"
|
ENCRYPTED_NAME="${ARCHIVE_NAME}.enc"
|
||||||
@@ -59,12 +59,19 @@ docker ps | grep -q rv50x-postgres || error "rv50x-postgres is not running — s
|
|||||||
|
|
||||||
info "Preflight OK"
|
info "Preflight OK"
|
||||||
|
|
||||||
# ── Prompt for backup password if not set ────────────────────────────────────
|
# ── Require backup password ──────────────────────────────────────────────────
|
||||||
|
|
||||||
if [ -z "$BACKUP_PASSWORD" ]; then
|
if [ -z "$BACKUP_PASSWORD" ]; then
|
||||||
echo ""
|
echo ""
|
||||||
read -rsp "Enter backup encryption password (leave blank to skip encryption): " BACKUP_PASSWORD
|
while true; do
|
||||||
|
read -rsp "Enter backup encryption password: " BACKUP_PASSWORD
|
||||||
echo ""
|
echo ""
|
||||||
|
[ -n "$BACKUP_PASSWORD" ] && break
|
||||||
|
warn "Password cannot be blank — the archive contains all secrets and must be encrypted"
|
||||||
|
done
|
||||||
|
read -rsp "Confirm password: " BACKUP_PASSWORD_CONFIRM
|
||||||
|
echo ""
|
||||||
|
[ "$BACKUP_PASSWORD" = "$BACKUP_PASSWORD_CONFIRM" ] || error "Passwords do not match"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ── Stage files ──────────────────────────────────────────────────────────────
|
# ── Stage files ──────────────────────────────────────────────────────────────
|
||||||
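Review bot: The new prompt loop never checks the exit status of `read`, so when the script runs without a terminal (cron, piped or closed stdin) `read` hits EOF at once, `BACKUP_PASSWORD` stays empty, and the loop prints the warning forever instead of failing. Fail closed on a failed read, e.g. `read -rsp "Enter backup encryption password: " BACKUP_PASSWORD || error "No terminal available to read the backup password"`; a `[ -t 0 ] || error "..."` guard before the loop is an equivalent alternative. The confirmation copy can also be dropped once compared, `unset BACKUP_PASSWORD_CONFIRM`, so only one copy of the secret remains in the environment. Whether `set -e` is active, which would change the EOF behaviour, is not visible in this hunk.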
@@ -113,9 +120,8 @@ tar -czf "$WORK_DIR/$ARCHIVE_NAME" -C "$STAGE" .
|
|||||||
ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1)
|
ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1)
|
||||||
info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)"
|
info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)"
|
||||||
|
|
||||||
# ── Encrypt (optional) ───────────────────────────────────────────────────────
|
# ── Encrypt ──────────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
if [ -n "$BACKUP_PASSWORD" ]; then
|
|
||||||
section "Encrypting archive"
|
section "Encrypting archive"
|
||||||
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
|
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
|
||||||
-in "$WORK_DIR/$ARCHIVE_NAME" \
|
-in "$WORK_DIR/$ARCHIVE_NAME" \
|
||||||
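Review bot: The `openssl enc` invocation now runs unconditionally, but the argument that supplies the password lies past the hunk's last line (the command continues beyond `-in`); if it is `-pass pass:"$BACKUP_PASSWORD"` or `-k`, the password is visible in process listings and in any `set -x` trace for the duration of the encryption. `-pass env:BACKUP_PASSWORD` with the variable exported, or `-pass fd:N`, keeps it off the command line. Note also that `enc -aes-256-cbc` provides confidentiality only, with no integrity check, so a corrupted or modified archive is detected only as garbage at decryption time; recording a digest of the ciphertext alongside the upload would let the restore path verify it. The openssl command starts in this hunk and ends outside it.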
@@ -124,11 +130,6 @@ if [ -n "$BACKUP_PASSWORD" ]; then
|
|||||||
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
|
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
|
||||||
UPLOAD_NAME="$ENCRYPTED_NAME"
|
UPLOAD_NAME="$ENCRYPTED_NAME"
|
||||||
info "Archive encrypted"
|
info "Archive encrypted"
|
||||||
else
|
|
||||||
warn "No password set — archive will NOT be encrypted"
|
|
||||||
UPLOAD_FILE="$WORK_DIR/$ARCHIVE_NAME"
|
|
||||||
UPLOAD_NAME="$ARCHIVE_NAME"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Upload to VPS ────────────────────────────────────────────────────────────
|
# ── Upload to VPS ────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
|
|||||||