Everyone has a backup script that takes a tarball/zipfile/etc and uploads it somewhere for safe-keeping. In a lot of places where I’ve worked, the “somewhere” winds up being an Amazon S3 bucket (or lately a DigitalOcean Space). These scripts are lovingly crafted and sometimes quite clever, using the aws cli or s3cmd, or something custom.
What I wanted was to encode my process for encrypting a backup and sending that backup to an S3 bucket. I wanted it to be reasonably flexible in terms of encryption, using either a symmetric key, or a public/private key pair. In addition I wanted to be able to use not only command-line arguments (or environment variables), but also allow me to use HashiCorp’s Vault in places where we already use it for storage of secrets like AWS access tokens and AES cipher keys.
Here’s my solution: s3backup. It is a single Go binary that I can distribute to systems that need to be backed up, configure it for either standalone or vault-based usage, and not have to think of how to chain encryption/decryption, upload/download … at least for now.
Comments, issues, and feedback, are all appreciated.