Make encryption mandatory — archive contains all secrets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-05 20:37:55 +00:00
parent dbc87be2bd
commit b75cf663de
+19 -18
View File
@@ -28,7 +28,7 @@ VPS_USER="root"
VPS_BACKUP_DIR="/opt/backups/vm-apps" VPS_BACKUP_DIR="/opt/backups/vm-apps"
KEEP_BACKUPS=7 KEEP_BACKUPS=7
BACKUP_PASSWORD="" # Set this to encrypt the archive, or leave blank to skip encryption BACKUP_PASSWORD="" # Leave blank to be prompted each run (recommended)
TIMESTAMP=$(date +"%Y%m%d_%H%M%S") TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz" ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz"
ENCRYPTED_NAME="${ARCHIVE_NAME}.enc" ENCRYPTED_NAME="${ARCHIVE_NAME}.enc"
@@ -59,12 +59,19 @@ docker ps | grep -q rv50x-postgres || error "rv50x-postgres is not running — s
info "Preflight OK" info "Preflight OK"
# ── Prompt for backup password if not set ──────────────────────────────────── # ── Require backup password ──────────────────────────────────────────────────
if [ -z "$BACKUP_PASSWORD" ]; then if [ -z "$BACKUP_PASSWORD" ]; then
echo "" echo ""
read -rsp "Enter backup encryption password (leave blank to skip encryption): " BACKUP_PASSWORD while true; do
read -rsp "Enter backup encryption password: " BACKUP_PASSWORD
echo ""
[ -n "$BACKUP_PASSWORD" ] && break
warn "Password cannot be blank — the archive contains all secrets and must be encrypted"
done
read -rsp "Confirm password: " BACKUP_PASSWORD_CONFIRM
echo "" echo ""
[ "$BACKUP_PASSWORD" = "$BACKUP_PASSWORD_CONFIRM" ] || error "Passwords do not match"
fi fi
# ── Stage files ────────────────────────────────────────────────────────────── # ── Stage files ──────────────────────────────────────────────────────────────
@@ -113,22 +120,16 @@ tar -czf "$WORK_DIR/$ARCHIVE_NAME" -C "$STAGE" .
ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1) ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1)
info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)" info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)"
# ── Encrypt (optional) ─────────────────────────────────────────────────────── # ── Encrypt ──────────────────────────────────────────────────────────────────
if [ -n "$BACKUP_PASSWORD" ]; then section "Encrypting archive"
section "Encrypting archive" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \ -in "$WORK_DIR/$ARCHIVE_NAME" \
-in "$WORK_DIR/$ARCHIVE_NAME" \ -out "$WORK_DIR/$ENCRYPTED_NAME" \
-out "$WORK_DIR/$ENCRYPTED_NAME" \ -pass pass:"$BACKUP_PASSWORD"
-pass pass:"$BACKUP_PASSWORD" UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME" UPLOAD_NAME="$ENCRYPTED_NAME"
UPLOAD_NAME="$ENCRYPTED_NAME" info "Archive encrypted"
info "Archive encrypted"
else
warn "No password set — archive will NOT be encrypted"
UPLOAD_FILE="$WORK_DIR/$ARCHIVE_NAME"
UPLOAD_NAME="$ARCHIVE_NAME"
fi
# ── Upload to VPS ──────────────────────────────────────────────────────────── # ── Upload to VPS ────────────────────────────────────────────────────────────