In the world of data management, ensuring the security and integrity of your files is paramount. Creating regular snapshots of important folders not only provides a backup but also allows for easy recovery in case of data loss.

However, backup files are themselves an attractive target: if exfiltrated, they expose every sensitive file they contain to the attacker. It is therefore always advisable to store them securely encrypted.

In this blog post, we will explore a powerful and secure way to automate this process using a shell script and a Python utility (the underlying encryption is done using OpenSSL).

For the complete source code of the script, please refer to the GitHub Gist.

Prerequisites and Dependencies

Before diving into the script, make sure you have the following prerequisites and dependencies in place:

  • zsh Shell: The script is written for the zsh shell. Make sure you have it installed.
  • filecrypt Utility: This script utilizes the filecrypt utility for encryption, which is installed via the crytto Python package. You can find the filecrypt utility at the filecrypt GitHub repository.
  • Python Virtual Environment: The script activates a Python virtual environment named crytto. Make sure you have Python installed and create the virtual environment with the crytto package installed (pip install crytto).
  • common-utils Repository: The script references the common-utils repository. You can find it here. Make sure it’s installed as described there and that the installation path (${COMMON_UTILS}) is set, since the script runs source ${COMMON_UTILS}/utils.

Understanding the Script

The provided Bash script automates the process of archiving and encrypting files from specified source folders into a destination folder. Let’s break down its functionality and understand how it works.

Script Overview

The script starts by defining a usage function, which provides information on how to use the script, including available options and arguments. It then defines a check_mount function to verify if the destination folder is properly mounted.

Validation Process

The validate function ensures that the necessary tools and variables are in place. Let’s go through the validation checks in detail:

  • Checking filecrypt: The function verifies the presence of the filecrypt executable in the crytto virtual environment.
  • Validating Source and Destination Paths: It checks that at least one source folder is specified and that the destination path has no file extension (the script appends .tar.gz.enc itself).
  • Checking Destination File Existence: If the destination file ${DEST}.tar.gz.enc already exists, it prompts for confirmation to overwrite unless the non-interactive mode (-n option) is enabled.

Script Execution

The script processes the options using the getopts command. It checks for the -n option to enable non-interactive mode. After processing the options, the script expects two mandatory arguments: DEST (destination folder) and SOURCES (source folders to be archived and encrypted).

Once the validation is successful, the script creates a temporary plaintext tarball of the specified source folders. It then encrypts the tarball using the filecrypt utility and moves the encrypted file to the specified destination.

Encryption with filecrypt

The following line demonstrates how the filecrypt utility is invoked for encryption:

msg "Encrypting ${TARBALL} to ${TARBALL}.enc"
filecrypt -o ${TARBALL}.enc ${TARBALL}

In this line, ${TARBALL} represents the plaintext tarball, and filecrypt encrypts it, producing the encrypted file ${TARBALL}.enc.

Use filecrypt -h for a full list of all available options (including how to decrypt the archive to restore the data).

Usage Examples

Here are some usage examples of the script:

  • Interactive Mode:
  ./snapshot.sh /path/to/destination /path/to/source1 /path/to/source2

In this mode, the script prompts for confirmation if the destination file already exists.

  • Non-Interactive Mode:
  ./snapshot.sh -n /path/to/destination /path/to/source1 /path/to/source2

In this mode, the script aborts if the destination file already exists.
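The flow described above (validate the destination, tar the sources to a temporary file, encrypt with filecrypt, move the result, and abort on an existing archive in -n mode) as an added example in plain bash; this is not the page's script and does not use common-utils. The function names, the FILECRYPT variable and the messages are assumptions of this example; filecrypt itself is assumed to be on PATH.

```shell
# Added example (not the page's script): the snapshot flow as a plain bash sketch.
# Assumed names: validate_dest, dest_exists_ok, make_snapshot, snapshot_main and the
# FILECRYPT variable (defaults to the filecrypt command from the crytto package).
set -eu
msg() { printf '%s\n' "$*" >&2; }
# DEST is given without extension; .tar.gz.enc is appended by the script.
validate_dest() {
    case "${1##*/}" in
        *.*) msg "destination must not carry a file extension: $1"; return 1 ;;
    esac
    [ -d "$(dirname "$1")" ] || { msg "destination folder does not exist: $1"; return 1; }
}
# Succeeds when DEST.tar.gz.enc may be written. In non-interactive mode (2nd arg = 1)
# an existing archive aborts instead of prompting, as the page's -n option does.
dest_exists_ok() {
    target="$1.tar.gz.enc"
    [ -e "$target" ] || return 0
    if [ "${2:-0}" = 1 ]; then msg "refusing to overwrite $target (-n)"; return 1; fi
    printf 'Overwrite %s? [y/N] ' "$target" >&2
    read -r answer && { [ "$answer" = y ] || [ "$answer" = Y ]; }
}
# Tar the sources into a private temp dir, encrypt, drop the plaintext, move result.
make_snapshot() {
    dest="$1"; shift
    tmpdir="$(mktemp -d)"                 # mode 0700: plaintext stays private
    tarball="$tmpdir/snapshot.tar.gz"
    tar -czf "$tarball" "$@"
    msg "Encrypting $tarball to $tarball.enc"
    "${FILECRYPT:-filecrypt}" -o "$tarball.enc" "$tarball"
    rm -f "$tarball"                      # never leave the unencrypted tarball behind
    mv "$tarball.enc" "$dest.tar.gz.enc"
    rmdir "$tmpdir"
    msg "Snapshot written to $dest.tar.gz.enc"
}
# Entry point mirroring the page's interface: snapshot_main [-n] DEST SOURCE...
snapshot_main() {
    noninteractive=0; OPTIND=1
    while getopts n opt; do case "$opt" in n) noninteractive=1 ;; *) return 2 ;; esac; done
    shift $((OPTIND - 1))
    [ "$#" -ge 2 ] || { msg "usage: snapshot_main [-n] DEST SOURCE..."; return 2; }
    dest="$1"; shift
    validate_dest "$dest" && dest_exists_ok "$dest" "$noninteractive" && make_snapshot "$dest" "$@"
}
if [ "$#" -gt 0 ]; then snapshot_main "$@"; fi
```

Saved as a file, it takes the same arguments as the page's examples; sourced, the functions can be called individually.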

Conclusion

Automating the process of archiving and encrypting files is crucial for data security and management. This Bash script simplifies this process, allowing you to create secure snapshots of your important data with ease. By understanding its functionality and usage, you can seamlessly incorporate it into your backup strategies, ensuring the safety of your valuable files. For more details and the complete source code, please refer to the GitHub repository.
