Make encryption mandatory — archive contains all secrets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -28,7 +28,7 @@ VPS_USER="root"
|
||||
VPS_BACKUP_DIR="/opt/backups/vm-apps"
|
||||
KEEP_BACKUPS=7
|
||||
|
||||
BACKUP_PASSWORD="" # Set this to encrypt the archive, or leave blank to skip encryption
|
||||
BACKUP_PASSWORD="" # Leave blank to be prompted each run (recommended)
|
||||
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
|
||||
ARCHIVE_NAME="vm-apps-backup_${TIMESTAMP}.tar.gz"
|
||||
ENCRYPTED_NAME="${ARCHIVE_NAME}.enc"
|
||||
@@ -59,12 +59,19 @@ docker ps | grep -q rv50x-postgres || error "rv50x-postgres is not running — s
|
||||
|
||||
info "Preflight OK"
|
||||
|
||||
# ── Prompt for backup password if not set ────────────────────────────────────
|
||||
# ── Require backup password ──────────────────────────────────────────────────
|
||||
|
||||
if [ -z "$BACKUP_PASSWORD" ]; then
|
||||
echo ""
|
||||
read -rsp "Enter backup encryption password (leave blank to skip encryption): " BACKUP_PASSWORD
|
||||
while true; do
|
||||
read -rsp "Enter backup encryption password: " BACKUP_PASSWORD
|
||||
echo ""
|
||||
[ -n "$BACKUP_PASSWORD" ] && break
|
||||
warn "Password cannot be blank — the archive contains all secrets and must be encrypted"
|
||||
done
|
||||
read -rsp "Confirm password: " BACKUP_PASSWORD_CONFIRM
|
||||
echo ""
|
||||
[ "$BACKUP_PASSWORD" = "$BACKUP_PASSWORD_CONFIRM" ] || error "Passwords do not match"
|
||||
fi
|
||||
|
||||
# ── Stage files ──────────────────────────────────────────────────────────────
|
||||
@@ -113,22 +120,16 @@ tar -czf "$WORK_DIR/$ARCHIVE_NAME" -C "$STAGE" .
|
||||
ARCHIVE_SIZE=$(du -sh "$WORK_DIR/$ARCHIVE_NAME" | cut -f1)
|
||||
info "Archive created: $ARCHIVE_NAME ($ARCHIVE_SIZE)"
|
||||
|
||||
# ── Encrypt (optional) ───────────────────────────────────────────────────────
|
||||
# ── Encrypt ──────────────────────────────────────────────────────────────────
|
||||
|
||||
if [ -n "$BACKUP_PASSWORD" ]; then
|
||||
section "Encrypting archive"
|
||||
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
|
||||
-in "$WORK_DIR/$ARCHIVE_NAME" \
|
||||
-out "$WORK_DIR/$ENCRYPTED_NAME" \
|
||||
-pass pass:"$BACKUP_PASSWORD"
|
||||
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
|
||||
UPLOAD_NAME="$ENCRYPTED_NAME"
|
||||
info "Archive encrypted"
|
||||
else
|
||||
warn "No password set — archive will NOT be encrypted"
|
||||
UPLOAD_FILE="$WORK_DIR/$ARCHIVE_NAME"
|
||||
UPLOAD_NAME="$ARCHIVE_NAME"
|
||||
fi
|
||||
section "Encrypting archive"
|
||||
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
|
||||
-in "$WORK_DIR/$ARCHIVE_NAME" \
|
||||
-out "$WORK_DIR/$ENCRYPTED_NAME" \
|
||||
-pass pass:"$BACKUP_PASSWORD"
|
||||
UPLOAD_FILE="$WORK_DIR/$ENCRYPTED_NAME"
|
||||
UPLOAD_NAME="$ENCRYPTED_NAME"
|
||||
info "Archive encrypted"
|
||||
|
||||
# ── Upload to VPS ────────────────────────────────────────────────────────────
|
||||
|
||||
|
||||
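Review bot: The now-unconditional `-pass pass:"$BACKUP_PASSWORD"` in the openssl call hands the backup password over on argv, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the duration of the encryption and where a `set -x` trace would print it; that undercuts part of what making encryption mandatory buys. Pass it over a descriptor instead: `-pass fd:3 3<<<"$BACKUP_PASSWORD"` (openssl reads the first line from the fd, so the newline the here-string appends is stripped). The call also has no failure check, unlike the preflight lines that end in `|| error`, so unless `set -e` is active earlier in the script a failed encryption would leave UPLOAD_FILE pointing at a file that does not exist; `|| error "Encryption failed"` on the last openssl line would match the existing style. Note that `openssl enc` provides confidentiality only, so a tampered `.enc` decrypts to garbage without any error unless a checksum or HMAC is stored alongside it. The plaintext `$WORK_DIR/$ARCHIVE_NAME` is also still on disk after encryption; if WORK_DIR is not a temp dir removed by a trap outside this hunk, it should be deleted once the `.enc` exists.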