A universal CLI tool for creating post-quantum encrypted database backups that are automatically emailed to recipients. Supports Supabase, MongoDB, MySQL, and PostgreSQL.
- 🔐 Post-Quantum Encryption: Uses
@profullstack/post-quantum-helperfor quantum-resistant encryption - 🗄️ Multi-Database Support: Works with Supabase, MongoDB, MySQL, and PostgreSQL
- 💾 Automated Backups: Seamlessly integrates with native database CLIs
- 🔄 Full Restore: Decrypt and restore backups to any supported database
- 📧 Email Delivery: Automatically sends encrypted backups via email
- 🔒 Secure Key Management: You control your encryption keys - they're never stored or shared
- 📦 Compressed Archives: Creates ZIP archives before encryption for efficient storage
- 🧹 Clean Workflow: Automatically cleans up intermediate files
| Database | CLI Tool | Backup Command | Restore Command |
|---|---|---|---|
| Supabase | pnpx supabase |
db dump |
db reset |
| MongoDB | mongodump |
mongodump --archive |
mongorestore --archive |
| MySQL | mysqldump |
mysqldump |
mysql |
| PostgreSQL | pg_dump |
pg_dump --format=custom |
pg_restore |
- Node.js 20 or newer
- SMTP credentials for email delivery
- At least one database CLI installed:
- Supabase:
pnpm add -g supabase - MongoDB: MongoDB Database Tools
- MySQL: MySQL Client
- PostgreSQL: PostgreSQL Client
- Supabase:
# Install globally from npm (when published)
pnpm add -g @profullstack/quantum-database-backups
# Or install from local directory
cd quantum-database-backups
pnpm install
pnpm link --global
# Now you can use 'qdb' from anywhere
qdb --help# Clone the repository
git clone <repository-url>
cd quantum-database-backups
# Install dependencies
pnpm install
# Run locally with node
node src/cli.js --helpRun the interactive setup wizard to configure QDB:
qdb initThis will prompt you for:
- Path to encryption keys file
- Default recipient email
- Default database name
- Working directory for backups
- SMTP server settings (host, port, credentials)
Configuration is saved to ~/.config/quantum-database-backups/config.json with secure permissions (0600).
Alternatively, you can configure via environment variables:
export SMTP_USER="[email protected]"
export SMTP_PASS="your-app-password"
export SMTP_HOST="smtp.gmail.com" # Optional
export SMTP_PORT="587" # OptionalYou need to generate your post-quantum encryption keys. Create a keys.json file:
{
"publicKey": "your-public-key-here",
"privateKey": "your-private-key-here"
}keys.json file secure and backed up separately. Without it, you cannot decrypt your backups!
For Gmail SMTP, use an App Password.
# Using saved configuration
qdb backup
# With explicit options
qdb backup \
--email [email protected] \
--keys ./keys.json \
--db-name mydbqdb backup \
--provider mongodb \
--email [email protected] \
--keys ./keys.json \
--db-name mydb \
--uri mongodb://localhost:27017qdb backup \
--provider mysql \
--email [email protected] \
--keys ./keys.json \
--db-name mydb \
--host localhost \
--port 3306 \
--user root \
--password mypasswordqdb backup \
--provider postgres \
--email [email protected] \
--keys ./keys.json \
--db-name mydb \
--host localhost \
--port 5432 \
--user postgres \
--password mypassword-e, --email <email>- Recipient email address-k, --keys <path>- Path to keys.json file-d, --db-name <name>- Database name for filename-p, --provider <name>- Database provider (supabase, mongodb, mysql, postgres)-w, --work-dir <path>- Working directory for backups (default:./backups)--keep-files- Keep intermediate files (default: false)--no-email- Skip sending email
Provider-Specific Options:
--host <host>- Database host (MySQL, PostgreSQL)--port <port>- Database port (MySQL, PostgreSQL)--user <user>- Database user (MySQL, PostgreSQL)--password <password>- Database password (MySQL, PostgreSQL)--uri <uri>- Connection URI (MongoDB)
qdb restore \
--input ./backups/backup.encrypted \
--keys ./keys.json \
--provider supabaseqdb restore \
--input ./backups/backup.encrypted \
--keys ./keys.json \
--provider mongodb \
--uri mongodb://localhost:27017 \
--database mydb \
--dropqdb restore \
--input ./backups/backup.encrypted \
--keys ./keys.json \
--provider mysql \
--host localhost \
--port 3306 \
--user root \
--password mypassword \
--database mydbqdb restore \
--input ./backups/backup.encrypted \
--keys ./keys.json \
--provider postgres \
--host localhost \
--port 5432 \
--user postgres \
--password mypassword \
--database mydb \
--clean-i, --input <path>- Path to encrypted backup file (required)-k, --keys <path>- Path to keys.json file (required)-p, --provider <name>- Database provider (supabase, mongodb, mysql, postgres) (default: supabase)--host <host>- Database host (MySQL, PostgreSQL)--port <port>- Database port (MySQL, PostgreSQL)--user <user>- Database user (MySQL, PostgreSQL)--password <password>- Database password (MySQL, PostgreSQL)--database <name>- Database name--uri <uri>- Connection URI (MongoDB)--drop- Drop existing data before restore (MongoDB/PostgreSQL)--clean- Clean database before restore (PostgreSQL)
qdb decrypt \
--input ./backups/supabase-backup-20241006-123456-mydb.zip.encrypted \
--output ./restored-backup.zip \
--keys ./keys.json-i, --input <path>- Path to encrypted file (required)-o, --output <path>- Path for decrypted output file (required)-k, --keys <path>- Path to keys.json file (required)
qdb infoThis displays your current configuration and available commands.
QDB uses the following priority order for configuration:
- Command-line arguments (highest priority)
- Saved configuration (
~/.config/quantum-database-backups/config.json) - Environment variables
- Default values (lowest priority)
This allows you to:
- Set defaults with
qdb init - Override per-backup with CLI flags
- Use environment variables for sensitive data
The backup process follows these steps:
- Load Configuration: Merges CLI args, saved config, and env vars
- Load Keys: Reads your encryption keys from configured path
- Database Dump: Executes
pnpx supabase db dumpto create SQL backup - Create Archive: Compresses the SQL file into a ZIP archive
- Encrypt: Encrypts the ZIP file using post-quantum cryptography
- Email: Sends the encrypted file to the specified recipient
- Cleanup: Removes intermediate files (unless
--keep-filesis used)
Backup files follow this naming pattern:
supabase-backup-{YYYYMMDD-HHMMSS}-{dbname}.{extension}
Example: supabase-backup-20241006-143022-production.zip.encrypted
- Never commit keys.json: Add it to
.gitignore - Store keys separately: Keep backups of your keys in a secure location separate from your encrypted backups
- Use strong SMTP passwords: Use app-specific passwords when available
- Rotate keys periodically: Generate new keys and re-encrypt old backups
- Test decryption: Regularly verify you can decrypt your backups
# Run all tests
pnpm test
# Run with coverage
pnpm test -- --coverage# Check code style
pnpm run lint
# Format code
pnpm run format
# Check formatting without changes
pnpm run format:checkquantum-database-backups/
├── src/
│ ├── cli.js # CLI entry point
│ ├── backup.js # Database backup logic
│ ├── encrypt.js # Post-quantum encryption
│ ├── email.js # Email functionality
│ └── utils.js # Helper functions
├── tests/
│ └── utils.test.js # Test files
├── .eslintrc.json # ESLint configuration
├── .prettierrc.json # Prettier configuration
├── package.json # Project dependencies
└── README.md # This file
Make sure you've set the SMTP_USER and SMTP_PASS environment variables:
export SMTP_USER="[email protected]"
export SMTP_PASS="your-password"Ensure:
- Supabase CLI is installed:
pnpm add -g supabase - You're in a directory with a Supabase project
- Your Supabase project is properly configured
Your keys.json file must contain both publicKey and privateKey fields:
{
"publicKey": "...",
"privateKey": "..."
}MIT
Contributions are welcome! Please follow these guidelines:
- Follow the existing code style (ESLint + Prettier)
- Write tests for new features
- Update documentation as needed
- Keep commits focused and descriptive
For issues and questions, please open an issue on the GitHub repository.
© Profullstack, Inc. https://profullstck.com