Maintenance & Cleanup

Overview

Regular maintenance keeps the secrets repository lean and secure. This page documents cleanup procedures for backups, logs, and legacy files.

Backup Management

dsec automatically creates .backup files when editing secrets. These accumulate over time.

View Current Backups

# Count backup files
find ~/.secrets/environments -name "*.backup*" -type f | wc -l

# List with dates (oldest first)
find ~/.secrets/environments -name "*.backup*" -type f -printf '%T+ %p\n' | sort

# Show disk usage
du -sh ~/.secrets/environments/*/

Cleanup Commands

# Remove backups older than 7 days (RECOMMENDED)
find ~/.secrets/environments -name "*.backup*" -mtime +7 -delete

# Remove ALL backups (use with caution)
find ~/.secrets/environments -name "*.backup*" -delete

# Dry run - see what would be deleted
find ~/.secrets/environments -name "*.backup*" -mtime +7 -print

Automated Cleanup Script

Add to crontab for weekly cleanup:

# Edit crontab
crontab -e

# Add this line (runs every Sunday at 3am)
0 3 * * 0 find ~/.secrets/environments -name "*.backup*" -mtime +7 -delete

Binary Backups

When dsec is updated, backup copies may be created in ~/.secrets/bin/.

# List binary backups
ls -la ~/.secrets/bin/*.backup* 2>/dev/null

# Remove old dsec backups (keep current only)
rm ~/.secrets/bin/dsec.backup.*

Legacy Files

Pre-Age Templates

The templates/archive-pre-age/ directory contains templates from before the migration to Age encryption.

# View contents
ls -la ~/.secrets/templates/archive-pre-age/

# Remove if no longer needed
rm -rf ~/.secrets/templates/archive-pre-age/

Audit Log Rotation

If audit logging is enabled, rotate logs periodically:

# Check log size
wc -l ~/.secrets/audit.log 2>/dev/null

# Archive the full log first, so trimming does not discard older entries
gzip -c ~/.secrets/audit.log > ~/.secrets/audit.log.$(date +%Y%m%d).gz

# Rotate - keep last 1000 entries
tail -n 1000 ~/.secrets/audit.log > ~/.secrets/audit.log.tmp
mv ~/.secrets/audit.log.tmp ~/.secrets/audit.log
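
The rotation steps above as a single function, added here as an example and not part of dsec: it archives the full log before trimming, creates the archive and the trimmed copy owner-only, and refuses a symlinked log path. The function name, its arguments and the timestamped archive name are assumptions of this sketch.

```bash
#!/bin/bash
# Added example, not part of dsec. rotate_audit_log is a hypothetical helper.
# Usage: rotate_audit_log <log-file> [lines-to-keep]   (prints the archive path)

rotate_audit_log() {
    local log="$1" keep="${2:-1000}"

    # Refuse symlinks and non-files: a symlinked log could redirect the rewrite.
    if [ -L "$log" ] || [ ! -f "$log" ]; then
        echo "rotate_audit_log: $log is not a regular file" >&2
        return 1
    fi
    case "$keep" in
        ''|*[!0-9]*)
            echo "rotate_audit_log: lines-to-keep must be a whole number" >&2
            return 1 ;;
    esac

    (   # subshell: umask and noclobber do not leak into the caller
        umask 077   # archive and temp file are created owner-only (0600)
        set -C      # noclobber: '>' fails rather than overwrite an archive
        archive="$log.$(date +%Y%m%d-%H%M%S).gz"

        # 1. Archive the complete log and verify it before trimming anything.
        gzip -c "$log" > "$archive" && gzip -t "$archive" || exit 1

        # 2. Trim into a temp file in the same directory, then rename it over
        #    the live log so a reader never sees a half-written file.
        tmp=$(mktemp "$log.XXXXXX") || exit 1
        if tail -n "$keep" "$log" >| "$tmp" && mv -f "$tmp" "$log"; then
            echo "$archive"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# Run only when called with arguments, e.g.:
#   ./rotate-audit-log ~/.secrets/audit.log 1000
if [ "$#" -gt 0 ]; then
    rotate_audit_log "$@"
fi
```

The trimmed log ends up with mode 0600 regardless of its previous permissions, because it is replaced by the file mktemp created.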

Full Maintenance Checklist

Table 1. Weekly Maintenance
Task                 Command
Remove old backups   find ~/.secrets/environments -name "*.backup*" -mtime +7 -delete
Check disk usage     du -sh ~/.secrets/
Verify Age key       age-keygen -y ~/.age/identities/personal.key

Table 2. Monthly Maintenance
Task               Command
Rotate audit log   tail -n 1000 ~/.secrets/audit.log > ~/.secrets/audit.log.tmp && mv ~/.secrets/audit.log.tmp ~/.secrets/audit.log
Review domains     dsec list
Test decryption    dsec show d000 dev/network | head -5

Quick Cleanup Script

Save as ~/.secrets/bin/cleanup-backups:

#!/bin/bash
# Secrets Repository Cleanup Script

set -e

SECRETS_DIR="${HOME}/.secrets"
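DAYS_OLD="${1:-7}"

# Accept only a whole number of days; the value is passed to find -mtime
if ! [[ "$DAYS_OLD" =~ ^[0-9]+$ ]]; then
    echo "Usage: $(basename "$0") [days]" >&2
    exit 1
fi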

echo "=== Secrets Cleanup (files older than ${DAYS_OLD} days) ==="

# Count before
BEFORE=$(find "$SECRETS_DIR/environments" -name "*.backup*" -type f 2>/dev/null | wc -l)
echo "Backup files found: $BEFORE"

# Dry run first
echo ""
echo "Files to remove:"
find "$SECRETS_DIR/environments" -name "*.backup*" -mtime "+${DAYS_OLD}" -type f 2>/dev/null

read -p "Proceed with deletion? [y/N] " confirm
if [[ "$confirm" =~ ^[Yy]$ ]]; then
    # -type f matches the preview above, so only the listed files are deleted
    find "$SECRETS_DIR/environments" -name "*.backup*" -mtime "+${DAYS_OLD}" -type f -delete
    AFTER=$(find "$SECRETS_DIR/environments" -name "*.backup*" -type f 2>/dev/null | wc -l)
    echo "Removed: $((BEFORE - AFTER)) files"
    echo "Remaining: $AFTER files"
fi

# Binary backups
if ls "$SECRETS_DIR/bin"/*.backup.* &>/dev/null; then
    echo ""
    echo "Binary backups found:"
    ls -la "$SECRETS_DIR/bin"/*.backup.*
    read -p "Remove binary backups? [y/N] " confirm
    if [[ "$confirm" =~ ^[Yy]$ ]]; then
        rm "$SECRETS_DIR/bin"/*.backup.*
        echo "Binary backups removed"
    fi
fi

echo ""
echo "=== Cleanup Complete ==="

Make executable: chmod +x ~/.secrets/bin/cleanup-backups

See Also