Backups
How to backup your secrets with Keystone
Keystone stores your secrets for the shortest time possible; the default is 7 days. Your secrets are stored as a single message per recipient per environment, and that message is removed when:
- the recipient has successfully fetched the latest secrets
- the time-to-live has expired (7 days by default)
From a security standpoint this is a good property: the secrets live in the system only for the time needed for the exchange.
But it means Keystone is not (and will never be) a backup service for storing your secrets. You will need to handle the backup on your own.
Fortunately, a hook is available each time secrets are fetched by the Keystone CLI.
It’s a neat way to handle backups each time you sync a project.
To do so, use the command ks hook add <path-to-your-executable>.
Your executable will receive the project UUID and the path to the .keystone folder as parameters.
Below is a bash script example that creates encrypted backups in a Dropbox folder.
#!/bin/bash
# Backup secrets managed with Keystone in a Dropbox folder
BACKUP_ROOT_FOLDER="/Users/<my_user>/Dropbox/KEYSTONE_BACKUPS"

# arguments passed by the Keystone CLI to the hook
project_name="$1"
project_id="$2"
project_path="$3"

current_user="$(ks whoami)"
status=$?

# check that we are logged in
if [ $status -eq 0 ]; then
    echo "Logged in as $current_user, creating backup..."
    cd "$project_path" || exit

    # create encrypted keystone backup; ks prints the path of the created file
    backup_path=$(ks backup --short -p "<password_for_encryption>")

    # check if the project folder exists
    # and create it otherwise
    target_folder="$BACKUP_ROOT_FOLDER/$project_name - $project_id"
    if [ ! -d "$target_folder" ]; then
        mkdir -p "$target_folder"
    fi

    echo "Moving backup to $target_folder"
    mv "$backup_path" "$target_folder"
else
    echo "You need to be logged in in order to create a Keystone backup."
    exit 1
fi
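A hardened variant of the hook above, added here as an example (it is not Keystone's own code). It keeps the same calling convention (name, UUID, path) and the same ks whoami / ks backup --short -p commands, but goes further than the page's script in three ways: the project name and UUID are reduced to safe directory components before they are used in a path, the encryption passphrase is read from a mode-0600 file named by the environment variable KS_BACKUP_PASSFILE instead of being written into the script, and only the newest KEEP_LAST backups per project are retained. The variable names KS_BACKUP_PASSFILE and KEEP_LAST and the functions sanitize_name and prune_backups are my own; the hook body only runs when the three arguments are present, so the helpers can be exercised on their own.

```shell
#!/bin/bash
# Hardened Keystone backup hook (added example, not Keystone's own code).
# Assumed: invoked as <project-name> <project-uuid> <project-path> like the
# script above, `ks backup --short -p` prints the path of the backup file,
# and the passphrase lives in a mode-0600 file named by KS_BACKUP_PASSFILE.
set -eu

BACKUP_ROOT_FOLDER="${BACKUP_ROOT_FOLDER:-${HOME:-.}/Dropbox/KEYSTONE_BACKUPS}"
KEEP_LAST="${KEEP_LAST:-10}"   # backups retained per project (assumed knob)

# Reduce an untrusted hook argument to a safe directory component:
# anything outside [A-Za-z0-9._-] becomes "_", runs of two or more dots
# (".." traversal) become "_", and leading "-", "." or "_" are dropped.
sanitize_name() {
    local cleaned
    cleaned=$(printf '%s' "$1" | LC_ALL=C sed \
        -e 's/[^A-Za-z0-9._-]/_/g' \
        -e 's/\.\{2,\}/_/g' \
        -e 's/^[-._]*//')
    [ -n "$cleaned" ] || cleaned="project"
    printf '%s' "$cleaned"
}

# Keep only the $2 newest files in directory $1; print how many were removed.
prune_backups() {
    local dir="$1" keep="$2" stale
    # ls -t lists newest first; everything after the first $keep is stale
    stale=$(ls -1t -- "$dir" | tail -n +$((keep + 1)))
    [ -n "$stale" ] || { printf '0'; return 0; }
    printf '%s\n' "$stale" | while IFS= read -r f; do
        rm -f -- "$dir/$f"
    done
    printf '%s\n' "$stale" | wc -l | tr -d ' '
}

main() {
    local project_name project_id project_path passphrase
    local current_user target_folder backup_path removed

    project_name=$(sanitize_name "$1")
    project_id=$(sanitize_name "$2")
    project_path="$3"

    # The passphrase never appears in the script; it is read from a file the
    # user owns. (-p still passes it on the ks command line, as the page's
    # own script does, so it is visible in the process list while ks runs.)
    : "${KS_BACKUP_PASSFILE:?set KS_BACKUP_PASSFILE to a mode-0600 passphrase file}"
    [ -r "$KS_BACKUP_PASSFILE" ] || { echo "passphrase file not readable" >&2; exit 1; }
    passphrase=$(cat -- "$KS_BACKUP_PASSFILE")

    current_user=$(ks whoami) || {
        echo "You need to be logged in in order to create a Keystone backup." >&2
        exit 1
    }

    target_folder="$BACKUP_ROOT_FOLDER/$project_name - $project_id"
    mkdir -p -- "$target_folder"
    chmod 700 -- "$target_folder"     # backups are readable by this user only

    cd -- "$project_path"
    backup_path=$(ks backup --short -p "$passphrase")
    [ -f "$backup_path" ] || { echo "ks backup did not produce a file" >&2; exit 1; }
    mv -- "$backup_path" "$target_folder/"

    removed=$(prune_backups "$target_folder" "$KEEP_LAST")
    echo "Backup of $project_name stored by $current_user; pruned $removed old file(s)."
}

# Only act as a hook when the CLI passed the three arguments.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Register it exactly like the page's script (ks hook add /path/to/this-script.sh) after creating the passphrase file with chmod 600; sanitize_name is what keeps a project named "../something" from writing outside BACKUP_ROOT_FOLDER, and prune_backups bounds how many encrypted copies accumulate in the synced folder.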
How to manage hooks?
You can check if you have an active hook with the command ks hook. You can remove one with ks hook rm.