{"id":49606146,"url":"https://github.com/alvarezops/sovereign-vault","last_synced_at":"2026-05-04T13:04:31.894Z","repository":{"id":326852959,"uuid":"1107281884","full_name":"alvarezops/sovereign-vault","owner":"alvarezops","description":"Automated 3-2-1 Encrypted Backup Architecture (Home Lab). #Windows #RaspberryPi #Cloud ","archived":false,"fork":false,"pushed_at":"2025-12-12T08:00:29.000Z","size":7700,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-04T12:43:30.782Z","etag":null,"topics":["automation","backup-script","backup-tool","cloud","encryption-decryption","googledrive","homelab-automation","raspberrypi","rclone","syncthing","synctrayzor","windows"],"latest_commit_sha":null,"homepage":"https://www.linkedin.com/in/jadomin/","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alvarezops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-30T22:57:26.000Z","updated_at":"2026-04-15T22:17:09.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/alvarezops/sovereign-vault","commit_stats":null,"previous_names":["jalvarez-netdev/sovereign-vault","alvarezdevnet/sovereign-vault","alvarezops/sovereign-vault"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/alvarezops/sovereign-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarezop
s%2Fsovereign-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarezops%2Fsovereign-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarezops%2Fsovereign-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarezops%2Fsovereign-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alvarezops","download_url":"https://codeload.github.com/alvarezops/sovereign-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alvarezops%2Fsovereign-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32608323,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-04T10:08:07.713Z","status":"ssl_error","status_checked_at":"2026-05-04T10:08:02.005Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","backup-script","backup-tool","cloud","encryption-decryption","googledrive","homelab-automation","raspberrypi","rclone","syncthing","synctrayzor","windows"],"created_at":"2026-05-04T13:04:29.683Z","updated_at":"2026-05-04T13:04:31.888Z","avatar_url":"https://github.com/alvarezops.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🛡️ Sovereign Vault: Automated 3-2-1 Encrypted Backup 
System\n\n![Docker](https://img.shields.io/badge/Docker-2496ED?style=for-the-badge\u0026logo=docker\u0026logoColor=white)\n![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge\u0026logo=linux\u0026logoColor=black)\n![Raspberry Pi](https://img.shields.io/badge/Raspberry%20Pi-A22846?style=for-the-badge\u0026logo=Raspberry%20Pi\u0026logoColor=white)\n![Bash](https://img.shields.io/badge/Shell_Script-121011?style=for-the-badge\u0026logo=gnu-bash\u0026logoColor=white)\n\n![intro](assets/intro.png)\n# Sovereign-Vault Project\n\n---\n\n## 1. Introduction\n\n### 1.1. Project Objective\n\nCreate an automated security infrastructure that complies with the **3-2-1** strategy (3 copies, 2 media, 1 offsite location) respecting data sovereignty.\n\n- **Source:** Windows 11 PC (Daily work).\n- **Local Server:** Raspberry Pi 4 + SSD (Fast/immediate copy).\n- **Cloud:** Google Drive (Encrypted nightly copy).\n\n---\n\n## 2. Prerequisites\n\n### 2.1. Necessary Hardware\n\n- PC with Windows 10/11.\n- Raspberry Pi 4 (4GB/8GB RAM).\n- External SSD disk (Samsung T5) mounted on the Raspberry Pi.\n\n### 2.2. 
Necessary Software \u0026 Downloads\n\n**💻 For the Client (Windows):**\n\n- **SyncTrayzor:** Syncthing client with GUI for Windows.\n    - 📥 [Download here (GitHub Releases)](https://github.com/canton7/SyncTrayzor/releases)\n- **Git for Windows:** Necessary to clone the repository.\n    - 📥 [Download here](https://git-scm.com/download/win)\n\n**🍓 For the Server (Raspberry Pi / Ubuntu):**\n\n- **Docker Engine:** Installed via terminal.\n    - 📄 [Official Documentation](https://docs.docker.com/engine/install/ubuntu/)\n- **Rclone:** Cloud management tool.\n    - 📥 [Official installation script](https://rclone.org/install/)\n\n---\n## FLOW CHART\n\n![diagram](assets/diagram.png)\n\n---\n\n\u003e ⚠️ IMPORTANT NOTE ON USERNAMES\n\u003e \n\u003e When running these commands on your own system, you **MUST replace `youruser`** with your actual Linux username (e.g., `ubuntu`, `pi`, `john`, etc.).\n\u003e To find out your current username, type `whoami` in the terminal.\n\u003e \n\n## 3. Step 1: Server (Raspberry Pi)\n\n### 3.1. Environment Preparation\n\nWe connect via SSH to our Raspberry Pi.\n\nCommands executed in the SSH terminal to create the folder structure and assign permissions.\n\n```bash\nmkdir -p /home/youruser/docker/syncthing\nmkdir -p /home/youruser/Backups\nmkdir -p /home/youruser/scripts\nsudo chown -R youruser:youruser /home/youruser/\n```\n\n### 3.2. Infrastructure Definition (Docker)\n\nFile `docker-compose.yml` created in `/home/youruser/docker/syncthing/`.\n\n```yaml\nservices:\n  syncthing:\n    image: lscr.io/linuxserver/syncthing:latest\n    container_name: syncthing\n    hostname: userver-sync\n    environment:\n      - PUID=1000\n      - PGID=1000\n      - TZ=Europe/Madrid\n    volumes:\n      - ./config:/config\n      - /home/youruser/Backups:/data1\n    ports:\n      - 8384:8384\n      - 22000:22000/tcp\n      - 22000:22000/udp\n      - 21027:21027/udp\n    restart: unless-stopped\n```\n\n### 3.3. 
Service Deployment\n\nCommand to raise the container:\n\n```bash\ncd /home/youruser/docker/syncthing\ndocker compose up -d\n```\n\n### 3.4. Visual Validation\n\n- **Action:** Enter `http://\u003cRPI -IP\u003e` from the browser. X = the IP number of your Rpi.\n- **Result:** Syncthing web interface loaded correctly.\n\n![Syncthing Web UI](assets/image1.png)\n\nOk, now we are in the Raspberry pi via web in the browser\n\nDo this **right now** on that Raspberry screen (`\u003cRPI -IP\u003e`):\n\n1. Go to top right: **Actions** button \u003e **Show ID**.\n2. You will get a QR code and below a long code of letters and numbers.\n3. **Copy that long code** and paste it in a temporary notepad (or leave it copied).\n\n![Device ID](assets/image2.png)\n\n---\n\n## 4. Client Configuration (Windows) and Pairing\n\n### Step 4.1: Add the Server from Windows\n\n1. Open **SyncTrayzor** on your PC.\n2. Bottom right, click the **\"Add Remote Device\"** button.\n3. A window will open.\n    - **Device ID:** Paste the long code you copied before from the Raspberry Pi.\n    - **Device Name:** Write `Raspberry Pi Server`.\n\n![Add Device](assets/image3.png)\n\n### Step 4.2: Accept the connection on the Server\n\n1. Go back to the browser where you have the Raspberry Pi (`\u003cRPI -IP\u003e`).\n2. Wait a few seconds. A yellow notice will appear at the top saying: **\"New Device XXXXX wants to connect\"**.\n\n![Accept Device](assets/image4.png)\n\nThe server receives the pairing request. It is necessary to manually approve it for security.\n\n1. Click the green **Add Device** button.\n2. In the window that appears:\n    - **Device Name:** Write `PC Windows`.\n    - Click **Save**.\n\n1. Now, on both computers, the status **\"Connected\"** or \"Unused\" should appear in green.\n\n![Connected](assets/image6.png)\n\n### Step 4.3: Create the shared folder (PC)\n\n1. Find the folder to share or create one with the desired name.\n2. Go back to **SyncTrayzor** on your PC.\n3. 
On the left, click **\"Add Folder\"**.\n4. Fill this in:\n    - **1. Folder Label:** name of the folder you created\n    - **Folder Path:** full path to your folder\n\n\u003e ⚠️ Warning: you must put the path without (“”) or you will have folder identification problems.\n\n1. Go to the top tab **\"Sharing\"**.\n2. Check the box **\"Raspberry Pi Server\"**.\n3. Click **Save**.\n\n![Folder Setup](assets/image8.png)\n\n---\n\n### Step 4.4: Map the volume on the Server (CRITICAL)\n\nThis is the most important technical step.\n\n1. Go back to the Raspberry Pi browser (`\u003cRPI -IP\u003e`).\n2. You will see another yellow notice at the top: **\"PC Windows wants to share folder 'xxxxxxxxx\"**.\n3. Click **Add**.\n\n![Folder Request](assets/image9.png)\n\n1. A configuration window opens. Look where it says **\"Folder Path\"**.\n    - By default it will say something like `/home/user` or `/config/...`.\n    - **DELETE THAT.**\n    - Write exactly: `/data1/yourname`\n    - *(Remember: `/data1` is the magic door that connects to your SSD hard drive thanks to Docker).*\n\n\u003e ⚠️ IMPORTANT: We modify the destination path to `/data1/` to ensure data is written to the persistent Docker volume (the SSD) and not the SD card.\n\n1. Click **Save**.\n\n---\n\n## 5. Encrypted Cloud Configuration (Rclone)\n\n### Step 5.0: Preparation on the PC (Necessary for the token)\n\nTo connect the Pi to Google, you need to generate a \"permit\" (token) from your Windows PC.\n\n1. Download **Rclone for Windows**: [Direct ZIP link](https://downloads.rclone.org/v1.68.2/rclone-v1.68.2-windows-amd64.zip).\n2. Open the ZIP and enter the folder.\n3. In the address bar of that folder, write `cmd` and hit Enter. (A black terminal will open in that folder).\n4. **Leave it open**, we will use it in a minute.\n\n![CMD](assets/image10.png)\n\n### Step 5.1: Create the connection (SSH on the Pi)\n\nGo back to your Raspberry Pi terminal (`ssh youruser@...`).\n\n1. Run: `rclone config`\n2. 
Write `n` (New remote) \u003e Enter.\n3. **Name:** `gdrive` \u003e Enter.\n4. **Storage:** Write `drive` \u003e Enter.\n5. **Client ID:** Leave empty \u003e Enter.\n6. **Client Secret:** Leave empty \u003e Enter.\n7. **Scope:** Write `1` (Full access) \u003e Enter.\n8. **Service Account:** Leave empty \u003e Enter.\n9. **Edit advanced config:** `n` \u003e Enter.\n10. **Use web browser?:** ⚠️ **IMPORTANT:** Write **`n`** (NO).\n\n\n### Step 5.2: The Authentication Bridge\n\nNow the Pi terminal will tell you something like:\n*\"Execute the following on the machine with the web browser...\"*\nand give you a command starting with `rclone authorize \"drive\" \"...\"`.\n\n![Auth Command](assets/image12.png)\n\n1. **Copy** all that command the Pi gives you.\n2. Go to the **black terminal of your Windows PC** (from Step 5.0).\n3. **Paste** the command and hit Enter.\n4. Your browser will open. Log in with your Google account and click **Allow**.\n5. Go back to the Windows black terminal. It will have spat out a giant code (token).\n6. **Copy the giant code** (starts and ends with brackets `{...}`).\n7. Go back to the **Raspberry Pi** and paste it where it says `config_token\u003e`.\n8. **Shared Drive:** `n`.\n9. **Keep this remote:** `y`.\n\n---\n\n### Step 5.3: Create the Safe (Encryption)\n\nDo not exit the `rclone config` menu. Now we are going to create the security layer.\n\n1. Write `n` (New remote).\n2. **Name:** `gcrypt`\n3. **Storage:** Write `crypt`.\n4. **Remote:** `gdrive:/Backupyourfolder` *(This will create that folder in your Drive).*\n5. **Filename Encryption:** `1` (Standard).\n6. **Directory Name Encryption:** `1` (True).\n7. **Password:** `y` (Yes).\n    - **Invent a password** (NOT the Gmail one, a new one to encrypt).\n    - ⚠️ **WRITE IT DOWN**. If you lose it, goodbye data.\n8. **Salt:** Leave empty \u003e Enter.\n9. **Keep this remote:** `y`.\n10. Exit the menu with `q`.\n\n---\n\n### Step 5.4: Test and Capture\n\n1. 
Create a test file on the Pi: `touch secret_test.txt`\n2. Upload it: `rclone copy secret_test.txt gcrypt:/`\n3. If no error, go to your Google Drive in the PC browser.\n4. Find the folder `Backupyourfolder`.\n\n\u003e Verification of 'Zero Knowledge': The uploaded file appears in Google Drive with the name and content encrypted.\n\u003e \n![txt](assets/image13.png)\n---\n\n## 6. Automation (Script + Cron)\n\n### Step 6.1: Create the \"Brain\" (The Script)\n\nWe are going to write the small program that makes the decisions.\nIn your Raspberry Pi terminal (`ssh`):\n\n6.1.1. Create/Open the file:\n\n`nano /home/youruser/scripts/upload_cloud.sh`\n\n**6.1.2. Copy and paste** this exact code (it is the improved version with activity log):\n\n```bash\n#!/bin/bash\n# Sovereign Vault - Automatic Backup Script\n\n# CONFIGURATION\nORIGEN=\"/home/youruser/Backups\"\nDESTINO=\"gcrypt:/\"\nLOGFILE=\"/home/youruser/scripts/upload.log\"\n\necho \"------------------------------------------------\" \u003e\u003e \"$LOGFILE\"\necho \"INICIO BACKUP: $(date)\" \u003e\u003e \"$LOGFILE\"\n\n# SYNC COMMAND\n# -v: Verbose (writes details to the log)\n# --transfers=4: Uploads 4 files at a time to go faster\nrclone sync \"$ORIGEN\" \"$DESTINO\" -v --transfers=4 \u003e\u003e \"$LOGFILE\" 2\u003e\u00261\n\n# ERROR CHECK\nif [ $? -eq 0 ]; then\n    echo \"ESTADO: ÉXITO - $(date)\" \u003e\u003e \"$LOGFILE\"\nelse\n    echo \"ESTADO: ERROR - $(date)\" \u003e\u003e \"$LOGFILE\"\nfi\necho \"------------------------------------------------\" \u003e\u003e \"$LOGFILE\"\n```\n\n6.1.3. Save (`Ctrl + O`, `Enter`) and exit (`Ctrl + X`).\n\n---\n\n### Step 6.2: Give Permissions (Make it Executable)\n\nRight now it is just a text file. We have to convert it into a program.\n\nExecute:\n\n```bash\nchmod +x /home/youruser/scripts/upload_cloud.sh\n```\n\n---\n\n### Step 6.3: Schedule the Clock (Cron)\n\nWe are going to tell Linux: \"Run this every day at 04:00 AM\".\n\n1. 
Open the task editor:\n\n```bash\ncrontab -e\n```\n\n1. Go to the very end of the file and paste this line:\n\n```bash\n0 4 * * * /home/youruser/scripts/upload_cloud.sh\n```\n\n1. Save and exit.\n\n---\n\n### Step 6.4: The Final Test (Verify the Log)\n\nTo confirm that the script works (without waiting until 4 AM), we are going to launch it manually once.\n\n1. Execute the script:\n\n```bash\n/home/youruser/scripts/upload_cloud.sh\n```\n\n1. Read the log to see the result:\n\n```bash\ncat /home/youruser/scripts/upload.log\n```\n\n**What should you see?**\nAt the end of the text it should say: **`ESTADO: ÉXITO`**.\n\n![Success](assets/image17.png)\n\n# 🔐 Data Recovery Protocol (Sovereign Vault)\n\nAnd of course, to wrap up for now while I imagine potential updates, let's explain how to recover your encrypted data from the Google Drive server.\n\nDon't worry: even if you download the data copy, **the service remains active and everything continues as if nothing happened**... except that you now have your decrypted copy of your data in your possession. :)\n\nI'll be happy to answer any suggestions or comments!\n\n---\n\n\u003e ⚠️ IMPORTANT NOTE ON USERNAMES\n\u003e \n\u003e \n\u003e In the following examples, you will see the username **`youruser`**. This is the specific user for my home lab.\n\u003e \n\u003e When running these commands on your own system, you **MUST replace `youruser`** with your actual Linux username (e.g., `ubuntu`, `pi`, `john`, etc.).\n\u003e To find out your current username, type `whoami` in the terminal.\n\u003e \n\n---\n\n## 1. Preparation \u0026 Dependencies (Server Side)\n\n### 1.1. Install Critical Dependency (FUSE)\n\nThis component is essential on minimal Linux distributions (like Ubuntu Server) to allow Rclone to create a virtual filesystem. 
**This step prevents the \"daemon exited with error code 1\" error.**\n\n```bash\nsudo apt update\nsudo apt install fuse libfuse2 -y\n```\n\n*(Note: On newer Ubuntu versions, you might need `fuse3` instead of `libfuse2`).*\n\n### 1.2. Create Mount Point \u0026 Fix Permissions\n\nWe create the folder and **transfer ownership to the user** so we can write to it without root privileges.\n\n```bash\n# 1. Create the folder (as root)\nsudo mkdir -p /mnt/vault_mount\n\n# 2. Give ownership to your user (CRITICAL STEP)\n# Replace 'youruser' with YOUR username\nsudo chown youruser:youruser /mnt/vault_mount\n```\n\n---\n\n## 2. Mounting \u0026 Accessing Data\n\n### 2.1. Mount the Encrypted Remote (Live Decryption)\n\nConnect the cloud remote (`gcrypt:`) to the local folder. Decryption happens in real-time using the CPU.\n\n```bash\nrclone mount gcrypt: /mnt/vault_mount --daemon\n```\n\n\u003e 💡 Note: The --daemon flag ensures the process runs in the background, keeping your terminal free for other commands.\n\u003e \n\n### 2.2. Verify Content\n\nCheck that you can see your files in clear text within the virtual folder.\n\n```bash\n# You should see your folders (Backup_diario, etc.)\nls -lh /mnt/vault_mount/\n```\n\n### 2.3. Copy to Final Location\n\nThe mounted folder is virtual. To actually \"recover\" the data permanently, copy the files to a standard directory in your user home.\n\n```bash\n# Create a destination folder in your home\nmkdir -p $HOME/RESTORED_VAULT\n\n# Copy the files recursively\n# (Adjust 'Backup_diario' to match your folder name)\ncp -r /mnt/vault_mount/Backup_diario $HOME/RESTORED_VAULT/\n```\n\n---\n\n## 3. Finalization \u0026 Unmounting\n\n### 3.1. 
Unmount the Remote\n\nIt is **mandatory** to disconnect the virtual drive after the copy process to release system resources and maintain security.\n\n```bash\nfusermount -u /mnt/vault_mount\n```\n\n**Final Result:**\nYour files are now restored, decrypted, and ready to use in the `$HOME/RESTORED_VAULT/` folder. The automated backup service continues to run in the background undisturbed.\n\n## 🔒 Security \u0026 Privacy Philosophy\n\nThis project adheres to the principle of **Data Sovereignty**.\n\n* **No Vendor Lock-in:** The local copy is always accessible via standard file systems.\n* **Privacy by Design:** Google Drive (or any cloud provider) never sees the actual files, only encrypted blobs.\n* **Resilience:** Protection against Ransomware (via versioning) and hardware failure.\n\n---\n\n## 🚀 Roadmap\n\nFuture improvements planned for this infrastructure:\n- [ ] Add Telegram/Discord notifications on backup failure.\n- [ ] Implement a Grafana Dashboard to visualize disk usage and sync status.\n- [ ] Add a second offsite location (S3 or MinIO) for redundancy.\n\n---\n\n## 🙌 Acknowledgements \u0026 Credits\n\nThis project relies on fantastic Open Source software. 
Special thanks to the creators:\n\n* **[SyncTrayzor](https://github.com/canton7/SyncTrayzor):** Thanks to **Antony Male (@canton7)** for creating the best Syncthing wrapper for Windows.\n* **[Syncthing](https://syncthing.net/):** The continuous file synchronization program.\n* **[Rclone](https://rclone.org/):** \"Rsync for cloud storage\", created by **Nick Craig-Wood**.\n\n---\n\n## 👤 Author\n\n**José Álvarez** *| Microcomputer Systems \u0026 Networks Technician | Network Automation*\n\n* 📧 [contacto@youruser.io](mailto:contacto@youruser.io)\n* 💼 [LinkedIn Profile](https://www.linkedin.com/in/jadomin/)\n* 🐙 [GitHub Profile](https://github.com/JAlvarez-NetDev)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falvarezops%2Fsovereign-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falvarezops%2Fsovereign-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falvarezops%2Fsovereign-vault/lists"}