It’s been a while since I touched mbkp, the bash script for backing up MikroTik devices.
It does one thing well: it logs in, grabs a backup, encrypts it, and gets out.
But as with all “set and forget” tools, eventually you remember it exists and notice the cobwebs.
The v1.2 release is about tightening security and making the logs actually useful.
Stronger Encryption
The biggest change is shifting from des3 to aes-256-cbc.
In previous versions, I used Triple DES. It was fine for the time, but in 2024, AES-256 is the standard we should be using. The script now uses OpenSSL with the -aes-256-cbc flag for encrypting the exported configuration files.
If you are upgrading, make sure you update your decryption one-liners.
# Old (v1.1)
openssl des3 -d -salt -in backup.des3 -out backup.rsc
# New (v1.2)
openssl aes-256-cbc -d -salt -pbkdf2 -in backup.enc -out backup.rsc

Note: I also added -pbkdf2 for better key derivation security.
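If you still hold a directory of v1.1 archives, the following added example (not part of mbkp or the original post) re-encrypts a `.des3` backup into the v1.2 format and deletes the Triple DES copy only after the new file decrypts to the same plaintext. The `MBKP_PASS` variable and both function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of mbkp): move v1.1 backups to the v1.2 format.
# Assumption: the passphrase is in the MBKP_PASS environment variable (a
# hypothetical name), read via -pass env: so it stays off the command line.

# Decrypt SRC to DST, choosing the cipher from the extension used in the
# one-liners above: .des3 is v1.1, .enc is v1.2.
decrypt_backup() {
    local src="$1" dst="$2"
    case "$src" in
        *.des3) openssl des3 -d -salt -pass env:MBKP_PASS -in "$src" -out "$dst" ;;
        *.enc)  openssl aes-256-cbc -d -salt -pbkdf2 -pass env:MBKP_PASS \
                    -in "$src" -out "$dst" ;;
        *)      echo "unknown backup format: $src" >&2; return 2 ;;
    esac
}

# Re-encrypt OLD.des3 as OLD.enc, check that the new file decrypts to the
# same plaintext, and only then delete the Triple DES copy.
reencrypt_backup() {
    local old="$1" new plain check rc=1
    case "$old" in
        *.des3) new="${old%.des3}.enc" ;;
        *)      echo "not a .des3 backup: $old" >&2; return 2 ;;
    esac
    [ ! -e "$new" ] || { echo "refusing to overwrite $new" >&2; return 3; }
    plain="$(mktemp)" || return 1          # mktemp creates mode 0600 files
    check="$(mktemp)" || { rm -f "$plain"; return 1; }
    if decrypt_backup "$old" "$plain" &&
       openssl aes-256-cbc -salt -pbkdf2 -pass env:MBKP_PASS \
           -in "$plain" -out "$new" &&
       decrypt_backup "$new" "$check" &&
       cmp -s "$plain" "$check"; then
        rm -f "$old"
        rc=0
    else
        echo "re-encryption failed, keeping $old" >&2
        rm -f "$new"
    fi
    rm -f "$plain" "$check"                # never leave plaintext configs behind
    return "$rc"
}
```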
Better Observability
When a backup fails, you want to know which device failed and why.
I’ve overhauled the logging. The script now captures detailed device metadata during the run:
- DEVICE_HOSTNAME
- DEVICE_MODEL
- DEVICE_REVISION
- DEVICE_SERIAL
This means your logs (and the filenames) now give you immediate context. No more guessing which “router-core” failed based solely on an IP address.
CI and Hygiene
I spent some time cleaning up the repository itself.
- GitHub Actions: Bumped all workflow actions to their latest versions for security and speed.
- Tests: Updated test.yml to reflect the new encryption standards and verify the metadata extraction.
Why keep using Bash?
I often get asked why I don’t rewrite this in Python or Go.
The answer is portability. mbkp runs on almost any Unix-like system with ssh, scp, and openssl. Check out the repository if you need a zero-dependency backup solution for your RouterOS fleet.
