megaproxy
61a7884ee5
Full-stack self-hosted finance app with FastAPI backend and React frontend. Features: - Accounts, transactions, budgets, investments with GBP base currency - CSV import with auto-detection for 10 UK bank formats - ML predictions: spending forecast, net worth projection, Monte Carlo - 7 selectable themes (Obsidian, Arctic, Midnight, Vault, Terminal, Synthwave, Ledger) - Receipt/document attachments on transactions (JPEG, PNG, WebP, PDF) - AES-256-GCM field encryption, RS256 JWT, TOTP 2FA, RLS, audit log - Encrypted nightly backups + key rotation script - Mobile-responsive layout with bottom nav Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
54 lines
1.8 KiB
Bash
Executable file
54 lines
1.8 KiB
Bash
Executable file
#!/bin/bash
|
|
# rotate_keys.sh — re-encrypt all AES-256-GCM fields with a new key.
|
|
# The application must be STOPPED before running.
|
|
#
|
|
# Usage:
|
|
# NEW_ENCRYPTION_KEY=$(python3 -c "import secrets; print(secrets.token_hex(32))")
|
|
# docker compose stop backend
|
|
# NEW_ENCRYPTION_KEY="$NEW_ENCRYPTION_KEY" ./scripts/rotate_keys.sh
|
|
# # On success, update ENCRYPTION_KEY in .env, then:
|
|
# docker compose up -d backend
|
|
set -euo pipefail
|
|
|
|
if [ -z "${NEW_ENCRYPTION_KEY:-}" ]; then
|
|
echo "ERROR: NEW_ENCRYPTION_KEY is not set"
|
|
echo "Generate with: python3 -c \"import secrets; print(secrets.token_hex(32))\""
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "${ENCRYPTION_KEY:-}" ]; then
|
|
# Try to load from .env in the project root
|
|
ENV_FILE="$(dirname "$0")/../.env"
|
|
if [ -f "${ENV_FILE}" ]; then
|
|
ENCRYPTION_KEY=$(grep -E '^ENCRYPTION_KEY=' "${ENV_FILE}" | cut -d= -f2- | tr -d '"' | tr -d "'")
|
|
fi
|
|
fi
|
|
|
|
if [ -z "${ENCRYPTION_KEY:-}" ]; then
|
|
echo "ERROR: ENCRYPTION_KEY (current key) could not be found in environment or .env"
|
|
exit 1
|
|
fi
|
|
|
|
if [ "${ENCRYPTION_KEY}" = "${NEW_ENCRYPTION_KEY}" ]; then
|
|
echo "ERROR: NEW_ENCRYPTION_KEY is the same as the current key — nothing to do"
|
|
exit 1
|
|
fi
|
|
|
|
echo "[rotate] This will re-encrypt ALL sensitive fields in the database."
|
|
echo "[rotate] Ensure the application containers are stopped before continuing."
|
|
read -r -p "[rotate] Type 'yes' to continue: " CONFIRM
|
|
if [ "${CONFIRM}" != "yes" ]; then
|
|
echo "[rotate] Aborted"
|
|
exit 1
|
|
fi
|
|
|
|
echo "[rotate] Running key rotation inside the backend container…"
|
|
docker compose exec \
|
|
-e ENCRYPTION_KEY="${ENCRYPTION_KEY}" \
|
|
-e NEW_ENCRYPTION_KEY="${NEW_ENCRYPTION_KEY}" \
|
|
backend python -m app.core.key_rotation
|
|
|
|
echo ""
|
|
echo "[rotate] SUCCESS. Next steps:"
|
|
echo " 1. Update ENCRYPTION_KEY in .env to: ${NEW_ENCRYPTION_KEY}"
|
|
echo " 2. Restart the backend: docker compose up -d backend"
|