{"id":36553167,"url":"https://github.com/tomcz/s3backup","last_synced_at":"2026-04-11T15:03:40.366Z","repository":{"id":64304516,"uuid":"97351561","full_name":"tomcz/s3backup","owner":"tomcz","description":"No more custom backup scripts please.","archived":false,"fork":false,"pushed_at":"2026-04-07T05:15:25.000Z","size":15708,"stargazers_count":26,"open_issues_count":0,"forks_count":11,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-04-07T07:25:46.433Z","etag":null,"topics":["backup","backup-cli","backup-utility","encrypts","s3-bucket","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tomcz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-07-16T01:10:53.000Z","updated_at":"2026-04-07T05:04:19.000Z","dependencies_parsed_at":"2024-06-20T16:31:09.412Z","dependency_job_id":"53920a81-5602-485b-9be5-15a395dd3ea0","html_url":"https://github.com/tomcz/s3backup","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/tomcz/s3backup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomcz%2Fs3backup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomcz%2Fs3backup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomcz%2Fs3backup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomcz%2Fs3backup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tomcz","download_url":"https://codeload.github.com/tomcz/s3backup/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomcz%2Fs3backup/sbom","scorecard":{"id":114266,"data":{"date":"2025-08-04","repo":{"name":"github.com/tomcz/s3backup","commit":"cb006131e630a9a47aa04a55b87e163961bbe2cc"},"scorecard":{"version":"v5.2.1-28-gc1d103a9","commit":"c1d103a9bb9f635ec7260bf9aa0699466fa4be0e"},"score":3.4,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 1/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#code-review"}},{"name":"Maintained","score":5,"reason":"7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.5.3 not signed: https://api.github.com/repos/tomcz/s3backup/releases/176954832","Warn: release artifact v2.5.2 not signed: https://api.github.com/repos/tomcz/s3backup/releases/176801802","Warn: release artifact v2.5.1 not signed: https://api.github.com/repos/tomcz/s3backup/releases/171371293","Warn: release artifact v2.5.0 not signed: https://api.github.com/repos/tomcz/s3backup/releases/167440000","Warn: release artifact v2.4.0 not signed: https://api.github.com/repos/tomcz/s3backup/releases/82321435","Warn: release artifact v2.5.3 does not have provenance: https://api.github.com/repos/tomcz/s3backup/releases/176954832","Warn: release artifact v2.5.2 does not have provenance: https://api.github.com/repos/tomcz/s3backup/releases/176801802","Warn: release artifact v2.5.1 does not have provenance: https://api.github.com/repos/tomcz/s3backup/releases/171371293","Warn: release artifact v2.5.0 does not have provenance: https://api.github.com/repos/tomcz/s3backup/releases/167440000","Warn: release artifact v2.4.0 does not have provenance: https://api.github.com/repos/tomcz/s3backup/releases/82321435"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/build.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/tomcz/s3backup/release.yml/master?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T23:40:08.546Z","repository_id":64304516,"created_at":"2025-08-15T23:40:08.546Z","updated_at":"2025-08-15T23:40:08.546Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31684525,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-11T13:07:20.380Z","status":"ssl_error","status_checked_at":"2026-04-11T13:06:47.903Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backup","backup-cli","backup-utility","encrypts","s3-bucket","vault"],"created_at":"2026-01-12T06:37:36.547Z","updated_at":"2026-04-11T15:03:40.355Z","avatar_url":"https://github.com/tomcz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# S3 backup script in a single binary\n\nProvides a standard way of backing up an archive to a S3 bucket, and restoring the backed up archive from its S3 bucket. No more custom backup scripts please ...\n\nYou can download the latest release from [here](https://github.com/tomcz/s3backup/releases).\n\n## Upload process\n\n1. Encrypt the file to be backed up (optional but highly recommended). `s3backup` uses AES-256 encryption via a password of your choice (with argon2 key derivation), a Base64-encoded secret key, or a PEM-encoded RSA public key. If a public key is provided, `s3backup` will generate a random 256-bit symmetric key which will be encrypted using the public key and stored with the encrypted file. To make key creation easier, you can use the `keygen` commands as outlined [below](#backup-key-generation).\n\n2. Calculate SHA-256 checksum for the file to be uploaded. For encrypted uploads the checksum is calculated on the encrypted file.\n\n3. Upload to AWS S3 using concurrent uploads to handle large files and store the checksum with the uploaded file.\n\n## Download process\n\n1. Download file from AWS S3 using concurrent downloads to handle large files and retrieve the stored checksum of the uploaded file.\n\n2. Verify that the stored checksum matches the downloaded file.\n\n3. Optionally decrypt the downloaded file using either the same password or symmetric key that was used to encrypt it, or the RSA private key matching the RSA public key that was used for encryption.\n\n## Usage\n\n```\nNAME:\n   s3backup - S3 backup script in a single binary\n\nUSAGE:\n   s3backup [global options] [command [command options]]\n\nCOMMANDS:\n   put        Upload file to S3 bucket using local credentials\n   get        Download file from S3 bucket using local credentials\n   vault-put  Upload file to S3 bucket using credentials from vault\n   vault-get  Download file from S3 bucket using credentials from vault\n   keygen     Generate RSA and AES backup keys\n   encrypt    Encrypt a local file\n   decrypt    Decrypt a local file\n   version    Print version and exit\n   help, h    Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --help, -h     show help\n   --version, -v  print the version\n```\n\n### AWS S3 Credentials\n\nAWS S3 integration in `s3backup` can be configured from the command line, and/or an optional YAML configuration file provided by the `S3BACKUP_YAML` environment variable (in which its yaml key names match the option names), and using AWS environment variables and config files. [Click here](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html) for details on using default AWS credentials.\n\n#### s3backup put\n\n```\nNAME:\n   s3backup put - Upload file to S3 bucket using local credentials\n\nUSAGE:\n   s3backup put [options] local_file_path s3://bucket/objectkey \n\nOPTIONS:\n   --oldPass, --old, -o           Maintain password compatibility with older s3backup releases\n   --symKey string, --sym string  Password or base64-encoded key to use for symmetric AES\n                                  encryption. Use \"ask\" as the value to provide a password\n                                  via an interactive prompt\n   --pemKey FILE, --pem FILE      Path to PEM-encoded public key FILE\n   --accessKey string             AWS Access Key ID (if not using default AWS credentials)\n   --secretKey string             AWS Secret Key (required when accessKey is provided)\n   --token string                 AWS Token (effective only when accessKey is provided \u0026\n                                  only if required by your AWS setup)\n   --region string                AWS Region (we use AWS defaults if not provided)\n   --endpoint URL                 Custom AWS Endpoint URL (optional)\n   --nocheck                      Do not create backup checksums\n   --help, -h                     show help\n```\n\n#### s3backup get\n\n```\nNAME:\n   s3backup get - Download file from S3 bucket using local credentials\n\nUSAGE:\n   s3backup get [options] s3://bucket/objectkey local_file_path \n\nOPTIONS:\n   --symKey string, --sym string  Password or base64-encoded key to use for symmetric AES\n                                  decryption. Use \"ask\" as the value to provide a password\n                                  via an interactive prompt\n   --pemKey FILE, --pem FILE      Path to PEM-encoded private key FILE\n   --accessKey string             AWS Access Key ID (if not using default AWS credentials)\n   --secretKey string             AWS Secret Key (required when accessKey is provided)\n   --token string                 AWS Token (effective only when accessKey is provided \u0026\n                                  only if required by your AWS setup)\n   --region string                AWS Region (we use AWS defaults if not provided)\n   --endpoint URL                 Custom AWS Endpoint URL (optional)\n   --nocheck                      Do not verify backup checksums\n   --help, -h                     show help\n```\n\n### HashiCorp Vault\n\n`s3backup` provides `vault-put` and `vault-get` commands that allow it to be configured using secrets held by a [vault](https://www.vaultproject.io/) instance so that you can store encryption keys and AWS credentials in a secure manner. The secrets that you need to hold in vault for `s3backup` are described [here](https://github.com/tomcz/s3backup/blob/master/config/config.go).\n\nVault integration in `s3backup` can be configured from the command line, and/or an optional YAML configuration file provided by the `S3BACKUP_YAML` environment variable (in which its yaml key names match the option names), and using vault's own [environment variables](https://www.vaultproject.io/docs/commands/environment.html).\n\n#### s3backup vault-put\n\n```\nNAME:\n   s3backup vault-put - Upload file to S3 bucket using credentials from vault\n\nUSAGE:\n   s3backup vault-put [options] local_file_path s3://bucket/objectkey \n\nOPTIONS:\n   --path string    Vault secret path containing backup credentials (required)\n   --kv2            Vault secret path represents a key/value version 2 secrets engine\n   --mount string   Vault approle mount path (default: approle)\n   --role string    Vault role_id to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_ROLE_ID]\n   --secret string  Vault secret_id to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_SECRET_ID]\n   --token string   Vault token to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_TOKEN]\n   --caCert FILE    Vault root certificate FILE (optional, or use one of VAULT_CACERT,\n                    VAULT_CACERT_BYTES, VAULT_CAPATH env vars)\n   --vault URL      Vault service URL (or use VAULT_ADDR env var)\n   --nocheck        Do not create backup checksums\n   --help, -h       show help\n```\n\n#### s3backup vault-get\n\n```\nNAME:\n   s3backup vault-get - Download file from S3 bucket using credentials from vault\n\nUSAGE:\n   s3backup vault-get [options] s3://bucket/objectkey local_file_path \n\nOPTIONS:\n   --path string    Vault secret path containing backup credentials (required)\n   --kv2            Vault secret path represents a key/value version 2 secrets engine\n   --mount string   Vault approle mount path (default: approle)\n   --role string    Vault role_id to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_ROLE_ID]\n   --secret string  Vault secret_id to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_SECRET_ID]\n   --token string   Vault token to retrieve backup credentials\n                    (either role \u0026 secret, or token) [$VAULT_TOKEN]\n   --caCert FILE    Vault root certificate FILE (optional, or use one of VAULT_CACERT,\n                    VAULT_CACERT_BYTES, VAULT_CAPATH env vars)\n   --vault URL      Vault service URL (or use VAULT_ADDR env var)\n   --nocheck        Do not verify backup checksums\n   --help, -h       show help\n```\n\n## Backup key generation\n\nTo make things easier, `s3backup` also provides `keygen` commands to create 256-bit symmetric keys and 4096-bit RSA private/public key pairs suitable for use by `s3backup`.\n\n```\nNAME:\n   s3backup keygen - Generate RSA and AES backup keys\n\nUSAGE:\n   s3backup keygen [command [command options]]\n\nCOMMANDS:\n   aes  Generate and print AES key\n   rsa  Generate RSA key pair files\n\nOPTIONS:\n   --help, -h  show help\n```\n\n## Build\n\n1. Install Go 1.26 from https://golang.org/\n2. Build the binaries: `make build`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomcz%2Fs3backup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftomcz%2Fs3backup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomcz%2Fs3backup/lists"}