Building an Automated Secure File Transfer Pipeline Using AES-256 Encryption, Linux Automation, and GitHub

Jibachh Singh is a Software Engineer and Full Stack Developer with a passion for DevOps, Docker, and cloud technologies. I completed my bachelor's degree in B.Sc. CSIT from Tribhuvan University. With experience in Laravel, automation, and CI/CD, I am currently taking the 90-Day DevOps Challenge to enhance my skills and enjoy building scalable applications and exploring new tech trends.
Introduction
In modern DevOps environments, automating repetitive tasks is essential for improving efficiency, reducing human errors, and ensuring security. In this project, I built a secure file transfer pipeline between two Linux servers where files are automatically encrypted, transferred, decrypted, and pushed to GitHub without any manual intervention.
The project demonstrates practical usage of:
Linux Automation
OpenSSL AES-256 Encryption
SSH Key Authentication
SCP File Transfer
Inotify File Monitoring
Git Automation
Systemd Services
By the end of this project, whenever a new file is created on Server A, it is automatically encrypted and transferred to Server B. Server B then decrypts the file and pushes it to a GitHub repository.
Project Architecture
The workflow is shown below:
+---------------------+
|      Server A       |
|  (Private Network)  |
+---------------------+
           |
           |  Create File
           |  Encrypt File
           |  Transfer File
           v
+---------------------+
|      Server B       |
+---------------------+
           |
           |  Decrypt File
           |  Git Add
           |  Git Commit
           |  Git Push
           v
+---------------------+
|       GitHub        |
+---------------------+
Project Requirements
Server A
Linux Server
OpenSSL Installed
SSH Access to Server B
inotify-tools
Server B
Linux Server
OpenSSL Installed
Git Installed
SSH Key Configured for GitHub
inotify-tools
Step 1: Configure Passwordless SSH Authentication
To allow automatic file transfer between servers, passwordless SSH authentication must be configured.
Generate SSH Key on Server A:
ssh-keygen -t rsa
Copy Public Key to Server B:
ssh-copy-id root@192.168.56.100
Verify SSH Login:
ssh root@192.168.56.100
If login works without asking for a password, the configuration is successful.
Step 2: Create Directories on Server A
Create directories to store input files and encrypted files.
mkdir -p /data/input
mkdir -p /data/encrypted
Directory Structure:
/data
├── input
└── encrypted
Step 3: Encrypt Files Using AES-256
Create a script named encrypt_send.sh.
nano encrypt_send.sh
Add the following code:
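#!/bin/bash
SOURCE_DIR="/data/input"
ENCRYPTED_DIR="/data/encrypted"
PASSWORD="mypassword"
for file in "$SOURCE_DIR"/*; do
    # Skip anything that is not a regular file
    [ -f "$file" ] || continue
    filename=$(basename "$file")
    # Encrypt with AES-256-CBC using a key derived from the password
    openssl enc -aes-256-cbc \
        -salt \
        -in "$file" \
        -out "$ENCRYPTED_DIR/$filename.enc" \
        -k "$PASSWORD" || continue
    # Copy the encrypted file to Server B; keep the original if the copy fails
    scp "$ENCRYPTED_DIR/$filename.enc" user@SERVER_B:/data/encrypted/ || continue
    rm -f "$file"
done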
Make the script executable:
chmod +x encrypt_send.sh
This script:
Reads files from the input directory.
Encrypts files using AES-256.
Transfers encrypted files to Server B.
Removes the original file.
Step 4: Automatically Detect New Files
Install Inotify:
sudo apt install inotify-tools
Create watcher.sh:
nano watcher.sh
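#!/bin/bash
WATCH_DIR="/data/input"
# close_write fires when a file opened for writing is closed,
# so a file is not picked up while it is still being written
inotifywait -m -e close_write "$WATCH_DIR" |
while read -r path action file
do
    /root/encrypt_send.sh
done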
Make executable:
chmod +x watcher.sh
Whenever a new file appears inside the input directory, the encryption process starts automatically.
Example:
echo "Hello DevOps" > /data/input/file1.txt
The file will immediately be encrypted and transferred.
Step 5: Configure Server B
Create required directories:
mkdir -p /data/encrypted
mkdir -p /data/decrypted
Directory Structure:
/data
├── encrypted
└── decrypted
Step 6: Decrypt Received Files
Create decrypt.sh:
nano decrypt.sh
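#!/bin/bash
ENC_DIR="/data/encrypted"
DEC_DIR="/data/decrypted"
PASSWORD="mypassword"
for file in "$ENC_DIR"/*.enc; do
    # Skip the unexpanded pattern when no .enc files are present
    [ -f "$file" ] || continue
    filename=$(basename "$file" .enc)
    # Decrypt with the same password used on Server A;
    # keep the .enc file if decryption fails
    openssl enc -aes-256-cbc \
        -d \
        -in "$file" \
        -out "$DEC_DIR/$filename" \
        -k "$PASSWORD" || continue
    rm -f "$file"
done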
Make executable:
chmod +x decrypt.sh
The script automatically decrypts received files and stores them in the decrypted directory.
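A hardened form of the openssl calls in Steps 3 and 6, as an added example that is not part of the original scripts: the passphrase is read from a file only its owner can read instead of being hardcoded and passed with -k, the key is derived with PBKDF2, and output is renamed into place only after openssl succeeds. The path /etc/filepipe/passphrase, the iteration count, and the function names are assumptions; both servers need the same passphrase and the same options.

```shell
#!/bin/bash
# Added example (not the original scripts). KEY_FILE, PBKDF2_ITER and the
# function names are assumptions chosen for illustration.
KEY_FILE="${KEY_FILE:-/etc/filepipe/passphrase}"
PBKDF2_ITER=200000

# Refuse to run if the passphrase file is missing or readable by group/others.
check_key_file() {
    local perms
    [ -f "$KEY_FILE" ] || { echo "missing $KEY_FILE" >&2; return 1; }
    perms=$(stat -c '%a' "$KEY_FILE") || return 1
    case "$perms" in
        600|400) return 0 ;;
        *) echo "$KEY_FILE has mode $perms, expected 600" >&2; return 1 ;;
    esac
}

# encrypt_file SRC DEST: write to a temporary name, then rename, so nothing
# downstream ever sees a half-written .enc file.
encrypt_file() {
    local tmp="$2.part"
    check_key_file || return 1
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$KEY_FILE" -in "$1" -out "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"
}

# decrypt_file SRC DEST: if openssl exits non-zero (for example on a
# truncated transfer), the partial output is removed and SRC is left in place.
decrypt_file() {
    local tmp="$2.part"
    check_key_file || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$KEY_FILE" -in "$1" -out "$tmp" 2>/dev/null \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"
}
```

AES-256-CBC carries no authentication tag, so the failed-decrypt check typically catches a truncated file but not deliberate modification; the SSH channel used by scp is what protects integrity in transit.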
Step 7: Configure GitHub Repository
Clone your repository:
git clone https://github.com/username/repository.git
Move into the repository:
cd repository
Configure Git Identity:
git config --global user.name "Your Name"
git config --global user.email "your@email.com"
Configure GitHub Authentication using SSH keys or Personal Access Tokens.
Step 8: Automate Git Push
Create github_push.sh:
nano github_push.sh
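#!/bin/bash
REPO="/root/repository"
SOURCE="/data/decrypted"
# Copy the decrypted files into the repository working tree
cp -r "$SOURCE"/* "$REPO"/
# Stop if the repository directory is missing rather than running git elsewhere
cd "$REPO" || exit 1
git add .
git commit -m "Auto Commit $(date)"
git push origin main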
Make executable:
chmod +x github_push.sh
This script:
Copies decrypted files to the repository.
Adds changes.
Creates a commit.
Pushes changes to GitHub.
Step 9: Monitor Incoming Encrypted Files
Create decrypt_watcher.sh:
nano decrypt_watcher.sh
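#!/bin/bash
WATCH_DIR="/data/encrypted"
# close_write fires after scp has finished writing the file,
# so decryption never starts on a partial transfer
inotifywait -m -e close_write "$WATCH_DIR" |
while read -r path action file
do
    /root/decrypt.sh
    /root/github_push.sh
done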
Make executable:
chmod +x decrypt_watcher.sh
Now Server B automatically decrypts incoming files and pushes them to GitHub.
Step 10: Configure Systemd Services
To ensure automation continues after reboots, configure Systemd services.
Server A Service
Create:
sudo nano /etc/systemd/system/filewatcher.service
[Unit]
Description=File Watcher Service
[Service]
ExecStart=/root/watcher.sh
Restart=always
[Install]
WantedBy=multi-user.target
Enable Service:
sudo systemctl daemon-reload
sudo systemctl enable filewatcher
sudo systemctl start filewatcher
Server B Service
Create:
sudo nano /etc/systemd/system/decryptwatcher.service
[Unit]
Description=Decrypt Watcher Service
[Service]
ExecStart=/root/decrypt_watcher.sh
Restart=always
[Install]
WantedBy=multi-user.target
Enable Service:
sudo systemctl daemon-reload
sudo systemctl enable decryptwatcher
sudo systemctl start decryptwatcher
Conclusion
This project demonstrates how Linux automation, encryption, file transfer, and Git version control can be combined to create a fully automated secure file delivery pipeline. The solution ensures that files remain encrypted during transfer, are automatically processed on the destination server, and are immediately version-controlled in GitHub.
This project is an excellent example of practical DevOps engineering because it combines security, automation, monitoring, and source control into a single workflow.





