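#!/bin/bash
# Safely handle backup files containing secrets.
#
# Scans PROJECT_ROOT for *.env.backup* files, reports which of them contain
# secret-looking keys, and optionally encrypts, moves or deletes them.
#
# Environment:
#   PROJECT_ROOT  directory tree to scan            (default: /home/intlc/projects)
#   ACTION        list | encrypt | move | delete    (default: list)
#   SECURE_DIR    destination for encrypt/move      (default: $HOME/.secure-secrets-backups)
#   DRY_RUN       anything other than "false" is a dry run (default: true)
#
# Exit status: 0 on success or when there is nothing to do, 1 on error.
set -euo pipefail

# Every file this script creates (plaintext copies, ciphertext) holds secrets,
# so it must never be group/world readable, not even for the instant between
# creation and an explicit chmod.
umask 077

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Logging helpers. printf with %s (not echo -e) so a message that begins with
# '-' or contains backslashes is printed verbatim; errors go to stderr.
log_info()    { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
log_warn()    { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
log_error()   { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1" >&2; }

PROJECT_ROOT="${PROJECT_ROOT:-/home/intlc/projects}"
ACTION="${ACTION:-list}"   # list, encrypt, move, delete
SECURE_DIR="${SECURE_DIR:-$HOME/.secure-secrets-backups}"
DRY_RUN="${DRY_RUN:-true}"

# Key names whose presence at the start of a line marks a backup file as
# containing secrets. Only the key name is ever printed, never its value.
readonly SECRET_KEY_RE='^(PRIVATE_KEY|API_KEY|SECRET|PASSWORD|TOKEN|CLOUDFLARE)'
readonly BANNER='═══════════════════════════════════════════════════════════'

declare -a BACKUP_FILES=()
declare -a FILES_WITH_SECRETS=()

#######################################
# Dry-run predicate.
# The script is non-destructive unless DRY_RUN is exactly "false"; the original
# compared against both "true" and "false" separately, so a typo such as
# DRY_RUN=no fell through to the destructive branch in delete mode.
# Returns: 0 when running in dry-run mode, 1 otherwise
#######################################
is_dry_run() { [[ "$DRY_RUN" != "false" ]]; }

#######################################
# Remove a plaintext secrets file.
# Uses shred when available so the bytes are overwritten before the name is
# unlinked; on copy-on-write or journaling file systems this is best effort
# only. Falls back to plain rm.
# Arguments: $1 - path to remove
#######################################
remove_original() {
  local path=$1
  if command -v shred >/dev/null 2>&1; then
    shred -u -- "$path"
  else
    rm -- "$path"
  fi
}

#######################################
# Compute the destination path in SECURE_DIR for a file under PROJECT_ROOT.
# The directory relative to PROJECT_ROOT has '/' replaced by '_'; the original
# file name and a timestamp are appended so repeated runs never overwrite an
# earlier copy. (The original script called a non-existent command here,
# which aborted every encrypt/move run under set -e.)
# Arguments: $1 - absolute path of the source file
#            $2 - suffix to append, e.g. ".enc" (may be empty)
# Outputs:   destination path on stdout
#######################################
secure_target() {
  local src=$1 suffix=${2-}
  local name dir rel stamp
  name=${src##*/}
  dir=${src%/*}
  # Quoted pattern: a PROJECT_ROOT containing glob characters matches literally.
  rel=${dir#"$PROJECT_ROOT"}
  rel=${rel#/}
  if [[ -z "$rel" ]]; then
    rel=root
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  printf '%s\n' "$SECURE_DIR/${rel//\//_}_${name}_${stamp}${suffix}"
}

#######################################
# Fill BACKUP_FILES with every backup file under PROJECT_ROOT.
# NUL-delimited so file names with spaces or newlines survive intact.
# Globals:   PROJECT_ROOT (read), BACKUP_FILES (written)
#######################################
find_backup_files() {
  local f
  BACKUP_FILES=()
  # Permission errors on unreadable subtrees are intentionally ignored.
  while IFS= read -r -d '' f; do
    BACKUP_FILES+=("$f")
  done < <(find "$PROJECT_ROOT" -type f \( -name "*.env.backup*" -o -name ".env.backup*" \) \
             ! -path "*/node_modules/*" ! -path "*/.git/*" -print0 2>/dev/null)
}

#######################################
# Fill FILES_WITH_SECRETS with the members of BACKUP_FILES that contain a
# secret-looking key.
# Globals:   BACKUP_FILES (read), FILES_WITH_SECRETS (written)
#######################################
find_files_with_secrets() {
  local f
  FILES_WITH_SECRETS=()
  for f in "${BACKUP_FILES[@]}"; do
    if grep -qE -- "$SECRET_KEY_RE" "$f" 2>/dev/null; then
      FILES_WITH_SECRETS+=("$f")
    fi
  done
}

#######################################
# Print the name of the first secret key found in a file (never its value).
# Only the leading identifier is printed, so a line without '=' cannot leak
# the value the way cut -d= -f1 would. grep -m1 avoids the head/SIGPIPE race
# that could abort the script under pipefail.
# Arguments: $1 - file to inspect
# Outputs:   key name on stdout, or nothing
#######################################
first_secret_key() {
  local line
  line=$(grep -m1 -hE -- "$SECRET_KEY_RE" "$1" 2>/dev/null) || return 0
  if [[ "$line" =~ ^[A-Za-z0-9_]+ ]]; then
    printf '%s\n' "${BASH_REMATCH[0]}"
  fi
}

#######################################
# List the detected files and the first secret key name in each.
# Globals:   FILES_WITH_SECRETS (read)
#######################################
report_files() {
  local f key
  printf 'Found %d backup file(s) with secrets:\n\n' "${#FILES_WITH_SECRETS[@]}"
  for f in "${FILES_WITH_SECRETS[@]}"; do
    printf '  - %s\n' "$f"
    key=$(first_secret_key "$f")
    if [[ -n "$key" ]]; then
      printf '    Contains: %s\n' "$key"
    fi
  done
  echo ""
}

#######################################
# Create SECURE_DIR, private to the current user.
# Globals:   SECURE_DIR (read)
#######################################
prepare_secure_dir() {
  mkdir -p -- "$SECURE_DIR"
  chmod 700 "$SECURE_DIR"
}

action_list() {
  log_info "Mode: LIST (no changes)"
  log_info ""
  log_info "Available actions:"
  log_info "  ACTION=encrypt - Encrypt and move to secure location"
  log_info "  ACTION=move    - Move to secure location (unencrypted)"
  log_info "  ACTION=delete  - Delete files (with confirmation)"
}

#######################################
# Encrypt each detected file into SECURE_DIR and remove the plaintext.
# openssl prompts for the passphrase interactively, once per file.
# Globals:   FILES_WITH_SECRETS, SECURE_DIR (read)
#######################################
action_encrypt() {
  log_info "Mode: ENCRYPT and move to secure location"
  if is_dry_run; then
    log_warn "DRY RUN - No changes will be made"
  elif ! command -v openssl >/dev/null 2>&1; then
    log_error "openssl not found. Cannot encrypt."
    exit 1
  else
    prepare_secure_dir
  fi

  local f target
  for f in "${FILES_WITH_SECRETS[@]}"; do
    target=$(secure_target "$f" .enc)
    log_info "Processing: $f"
    if is_dry_run; then
      log_info "  Would encrypt to: $target"
      log_info "  Would remove: $f"
      continue
    fi
    # AES-256-CBC gives confidentiality only (no integrity tag); openssl's
    # stderr is left visible so a failure says why. A partial output file is
    # removed so an unreadable .enc is never mistaken for a good backup.
    if ! openssl enc -aes-256-cbc -salt -pbkdf2 -in "$f" -out "$target"; then
      log_error "Failed to encrypt $f"
      rm -f -- "$target"
      continue
    fi
    chmod 600 "$target"
    log_success "  Encrypted to: $target"
    remove_original "$f"
    log_success "  Removed original: $f"
  done

  if ! is_dry_run; then
    log_success "Encryption complete!"
    log_info "Encrypted files stored in: $SECURE_DIR"
    log_info "To decrypt: openssl enc -d -aes-256-cbc -pbkdf2 -in <file.enc> -out <file>"
  fi
}

#######################################
# Copy each detected file into SECURE_DIR (unencrypted) and remove the source.
# The source is removed only after the copy succeeded (set -e stops on a
# failed cp before rm runs).
# Globals:   FILES_WITH_SECRETS, SECURE_DIR (read)
#######################################
action_move() {
  log_info "Mode: MOVE to secure location"
  if is_dry_run; then
    log_warn "DRY RUN - No changes will be made"
  else
    prepare_secure_dir
  fi

  local f target
  for f in "${FILES_WITH_SECRETS[@]}"; do
    target=$(secure_target "$f" "")
    log_info "Processing: $f"
    if is_dry_run; then
      log_info "  Would move to: $target"
      log_info "  Would remove: $f"
      continue
    fi
    cp -- "$f" "$target"
    chmod 600 "$target"
    log_success "  Moved to: $target"
    remove_original "$f"
    log_success "  Removed original: $f"
  done

  if ! is_dry_run; then
    log_success "Move complete!"
    log_info "Files stored in: $SECURE_DIR"
  fi
}

#######################################
# Delete each detected file after an explicit "yes" confirmation.
# Globals:   FILES_WITH_SECRETS (read)
#######################################
action_delete() {
  log_warn "Mode: DELETE"
  log_warn "This will permanently delete backup files with secrets!"
  echo ""

  local f confirm
  if is_dry_run; then
    log_warn "DRY RUN - No files will be deleted"
    for f in "${FILES_WITH_SECRETS[@]}"; do
      log_info "Would delete: $f"
    done
    return 0
  fi

  # -r keeps backslashes literal; EOF on stdin (non-interactive run) counts as
  # "no" instead of tripping set -e.
  read -r -p "Are you sure you want to delete these files? (yes/no): " confirm || confirm=""
  if [[ "$confirm" != "yes" ]]; then
    log_info "Cancelled"
    exit 0
  fi
  for f in "${FILES_WITH_SECRETS[@]}"; do
    log_info "Deleting: $f"
    remove_original "$f"
    log_success "  Deleted: $f"
  done
  log_success "Deletion complete!"
}

main() {
  echo "$BANNER"
  echo "              Backup Files Handler"
  echo "$BANNER"
  echo ""

  # The original let find fail silently here (stderr suppressed) and set -e
  # then exited 1 with no message; say what went wrong instead.
  if [[ ! -d "$PROJECT_ROOT" ]]; then
    log_error "PROJECT_ROOT is not a directory: $PROJECT_ROOT"
    exit 1
  fi

  log_info "Scanning for backup files..."
  find_backup_files
  if (( ${#BACKUP_FILES[@]} == 0 )); then
    log_success "No backup files found"
    exit 0
  fi

  find_files_with_secrets
  if (( ${#FILES_WITH_SECRETS[@]} == 0 )); then
    log_success "No backup files with secrets found"
    exit 0
  fi

  report_files

  case "$ACTION" in
    list)    action_list ;;
    encrypt) action_encrypt ;;
    move)    action_move ;;
    delete)  action_delete ;;
    *)
      log_error "Unknown action: $ACTION"
      log_info "Valid actions: list, encrypt, move, delete"
      exit 1
      ;;
  esac

  echo ""
  echo "$BANNER"
}

main "$@"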