Security Best Practices

Keep your secrets safe when automating FileFortress


Why This Matters

When automating FileFortress, you'll need to provide sensitive information like AWS keys, Backblaze secrets, and encryption passwords. If not handled properly, these secrets can end up in command history, log files, or version control - exposing your data to unauthorized access.

Secret Management Methods

Choose the right approach for your use case

1. Interactive Mode (Most Secure for Manual Use)

Secrets are masked as you type and never appear in command history. This is the default mode.

filefortress remotes add s3

Best for: One-time setup, manual configuration

2. Environment Variables (Recommended for Automation)

FileFortress automatically reads from standard environment variables in non-interactive mode.

# PowerShell
$env:FILEFORTRESS_S3_SECRET_KEY = "your-secret"
filefortress remotes add s3 --non-interactive --access-key AKID

Best for: CI/CD pipelines, Docker containers, automated systems

3. Secret Files (Recommended for Local Scripts)

Store secrets in files with restricted permissions.

# Bash
echo -n "your-secret" > ~/.secrets/s3.key
chmod 600 ~/.secrets/s3.key
filefortress remotes add s3 --non-interactive --access-key AKID --secret-key-file ~/.secrets/s3.key

Best for: Local automation scripts, development environments

4. Custom Environment Variables

Use your own variable names for flexibility.

# PowerShell
$env:MY_AWS_SECRET = "your-secret"
filefortress remotes add s3 --non-interactive --access-key AKID --secret-key-env MY_AWS_SECRET

Best for: Integration with existing secret management systems

Standard Environment Variables

FileFortress auto-detects these variables

Variable Name                     Purpose                       Used By
FILEFORTRESS_S3_SECRET_KEY        AWS S3 Secret Access Key      remotes add s3
FILEFORTRESS_B2_APPLICATION_KEY   Backblaze B2 Application Key  remotes add backblaze
FILEFORTRESS_ENCRYPTION_PASSWORD  Remote encryption password    All remotes add commands with encryption

How to Create Secret Files

Platform-specific instructions

Windows (PowerShell)

# Create secrets directory
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.secrets"

# Save secret (no trailing newline!)
"your-secret-value" | Out-File -FilePath "$env:USERPROFILE\.secrets\my-secret.key" -NoNewline -Encoding utf8

# Verify it was created
Get-Content "$env:USERPROFILE\.secrets\my-secret.key"

Linux / macOS (Bash)

# Create secrets directory
mkdir -p ~/.secrets

# Save secret (no trailing newline!)
echo -n "your-secret-value" > ~/.secrets/my-secret.key

# Set restrictive permissions (user read-only)
chmod 600 ~/.secrets/my-secret.key

# Verify permissions
ls -la ~/.secrets/my-secret.key

Important Notes

  • Always use -NoNewline (PowerShell) or -n (Bash) to avoid trailing newlines; a stray newline becomes part of the secret. Note that on Windows PowerShell 5.1, -Encoding utf8 also writes a UTF-8 byte-order mark (BOM) at the start of the file, which may be read as part of the secret; PowerShell 7's utf8 encoding writes no BOM.
  • Secret files are plain text - FileFortress does NOT encrypt them
  • On Unix systems, use chmod 600 to restrict access to owner only
  • Store secret files outside of your git repositories
  • Add .secrets/ to your .gitignore
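The creation steps and the notes above, as an added shell example that is not part of the FileFortress project: write_secret_file creates the file with mode 600 from the outset and no trailing newline, and check_secret_file audits an existing file for the mistakes the notes warn about (loose permissions, an empty file, a trailing newline, and the UTF-8 BOM that Windows PowerShell 5.1 adds with -Encoding utf8). The function names and the demo paths are this example's own, not FileFortress commands.

```shell
#!/usr/bin/env bash
# Added example, not part of FileFortress: create a secret file the way the
# notes above require (mode 600, no trailing newline) and audit an existing
# one. File paths used in the demo are constructed for this example.
set -eu

# write_secret_file FILE VALUE
# The umask makes the file 0600 from the moment it is created, so there is no
# window in which it is group- or world-readable; printf '%s' adds no newline.
write_secret_file() {
  local file="$1" value="$2"
  mkdir -p "$(dirname "$file")"
  ( umask 077; printf '%s' "$value" > "$file" )
  chmod 600 "$file"
}

# check_secret_file FILE
# Prints each problem found; returns 0 only if the file is safe to use.
check_secret_file() {
  local file="$1" rc=0 mode last head3
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  # GNU stat (Linux) first, then BSD stat (macOS)
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; rc=1; }
  [ -s "$file" ] || { echo "file is empty"; rc=1; }
  # Last byte as hex: 0a = LF, 0d = CR (a stray newline becomes part of the secret)
  last=$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')
  case "$last" in 0a|0d) echo "trailing newline present"; rc=1 ;; esac
  # First three bytes as hex: ef bb bf is the UTF-8 BOM that Windows PowerShell
  # 5.1 writes with -Encoding utf8; it would be read as part of the secret
  head3=$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')
  [ "$head3" != "efbbbf" ] || { echo "UTF-8 BOM present"; rc=1; }
  return $rc
}

# Demo on a throwaway directory (constructed for this example)
demo_dir=$(mktemp -d)
write_secret_file "$demo_dir/s3.key" "example-secret-value"
check_secret_file "$demo_dir/s3.key" && echo "ok: $demo_dir/s3.key"
rm -rf "$demo_dir"
```

Run check_secret_file against a file before passing it to --secret-key-file; a non-zero exit means one of the notes above was violated.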

CI/CD Integration

Using FileFortress in automated pipelines

GitHub Actions

# .github/workflows/scan.yml
- name: Scan remotes
  env:
    FILEFORTRESS_S3_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
  run: |
    filefortress remotes add s3 --access-key ${{ secrets.AWS_ACCESS_KEY }} --non-interactive
    filefortress remotes scan --all --non-interactive

GitLab CI/CD

# .gitlab-ci.yml
scan_job:
  variables:
    FILEFORTRESS_S3_SECRET_KEY: $AWS_SECRET_KEY
  script:
    - filefortress remotes add s3 --access-key $AWS_ACCESS_KEY --non-interactive
    - filefortress remotes scan --all --non-interactive

Azure DevOps

# azure-pipelines.yml
- task: PowerShell@2
  env:
    FILEFORTRESS_S3_SECRET_KEY: $(AWS_SECRET_KEY)
  inputs:
    targetType: 'inline'
    script: |
      filefortress remotes add s3 --access-key $(AWS_ACCESS_KEY) --non-interactive
      filefortress remotes scan --all --non-interactive

Database Encryption

Understanding password vs key-file options

FileFortress encrypts its local database. You have three options:

1. Automatic Encryption (Default)

Machine-bound encryption. No password is needed, but the database can't be moved to another machine.

filefortress setup

2. Password-Based Encryption

Use a password. The database is portable, but the password must be provided each time.

filefortress setup

3. Key File (Recommended for Automation)

Password stored in a file. Best for scripts and automation.

filefortress setup
filefortress remotes scan --key-file ~/.filefortress.key --all

What NOT to Do

  • Don't commit secret files to version control (git)
  • Don't use world-readable permissions on secret files
  • Don't hardcode secrets in scripts that are shared or committed
  • Don't log commands that contain secrets
  • Don't share secret files via email or messaging apps
  • Don't reuse the same secrets across multiple environments

Method Comparison

Method                 Security    Convenience  Best Use Case
Interactive            ⭐⭐⭐⭐⭐  ⭐⭐⭐        Manual setup
Environment Variables  ⭐⭐⭐⭐    ⭐⭐⭐⭐⭐    CI/CD, Docker
Secret Files           ⭐⭐⭐⭐    ⭐⭐⭐⭐      Local scripts
Direct CLI Args        ⭐⭐⭐⭐⭐  ❌           Not recommended

Ready to Automate Securely?

Check out our automation guide for complete examples.