
redeuxx/devolutions-backup


Devolutions Hub Export Script

PowerShell script that exports all accessible vaults from Devolutions Hub to a password-protected, header-encrypted .7z archive and a self-extracting .exe. Both archives are timestamped and raw export files are automatically cleaned up after archiving.


Prerequisites

| Requirement | Details |
| --- | --- |
| PowerShell | 5.1 or later |
| 7-Zip | Installed at C:\Program Files\7-Zip\7z.exe (or update SevenZipPath in config.psd1) |
| Internet access | Required to install the Devolutions PowerShell module from PSGallery |
| Devolutions Hub | Application user with vault read permissions |

Devolutions Hub Setup

1. Create an Application Identity

Application users are service accounts used for API and scripted access. They authenticate with a key/secret pair instead of a password.

  1. In Devolutions Hub, open Administration > Application Identities
  2. Click + on the upper right.
  3. Give it a descriptive name (e.g. backup-script)
  4. Click Add -- Hub will display the Application Key and Application Secret
  5. Copy both values immediately. The secret is only shown once and cannot be retrieved again
  6. Paste them into .env as APP_KEY and APP_SECRET

2. Grant Vault Permissions

The application user needs read access to each vault you want exported. By default it has no access to any vault.

For each vault:

  1. Open the vault in Devolutions Hub
  2. Go to Edit > Security (or Vault Settings > Permissions, depending on your Hub version)
  3. Under Application Users, find the user you created and assign the Reader role
  4. Save

Repeat for every vault that should be included in the backup. Vaults the application user cannot read will be silently excluded from the export.

Tip: If you want all current and future vaults covered without updating permissions each time, you can grant the application user the Reader role at the Hub system level under Administration > System Permissions.


Configuration

Copy .env.example to .env and fill in your values:

APP_KEY=your-app-key-here
APP_SECRET=your-app-secret-here
ZIP_PASSWORD=your-zip-password-here

Copy config.psd1.example to config.psd1 and update for your environment:

@{
    Url                  = 'https://your-org.devolutions.app'
    PathToExportedFolder = 'C:\Export\HubExport'
    ZipOutputDir         = 'C:\Export'
    SevenZipPath         = 'C:\Program Files\7-Zip\7z.exe'
}

Usage

.\export-devolutions.ps1

The script will:

  1. Create a temporary export folder
  2. Install the Devolutions.PowerShell module if not already present
  3. Authenticate to Devolutions Hub
  4. Export each accessible vault to a .json file (PAM vaults are skipped)
  5. Compress all files into a password-protected .7z archive
  6. Compress all files into a password-protected self-extracting .exe
  7. Delete the temporary export folder, leaving only the archives

Output

Two archives are saved to C:\Export\ per run, sharing the same timestamp:

devolutions_YYYY-MM-DD_HHmmss.7z
devolutions_YYYY-MM-DD_HHmmss.exe

Example: devolutions_2026-03-16_143022.7z / devolutions_2026-03-16_143022.exe

The .exe is a self-extracting archive that prompts for the password and extracts without requiring 7-Zip to be installed on the recipient's machine. Note that some antivirus/EDR tools may flag self-extracting .exe files as suspicious.
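Because the temporary export folder is deleted at the end of a run, the archive is the only copy of the data. The following check is an added example, not part of export-devolutions.ps1: it tests the newest .7z with the real password and confirms that a listing attempt with a wrong password is refused, which is the behavior expected when headers are encrypted. It assumes config.psd1 and .env sit in the current directory and that .env holds plain, unquoted KEY=VALUE lines as in .env.example.

```powershell
# Added example: post-run verification of the newest archive.
# Assumptions: default file locations, unquoted KEY=VALUE lines in .env.
param(
    [string]$ConfigPath = '.\config.psd1',
    [string]$EnvPath    = '.\.env'
)

$cfg = Import-PowerShellDataFile -LiteralPath $ConfigPath

# Minimal .env reader (the script's own parsing may differ).
$envVars = @{}
foreach ($line in Get-Content -LiteralPath $EnvPath) {
    if ($line -match '^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$') {
        $envVars[$Matches[1]] = $Matches[2].Trim()
    }
}
if (-not $envVars['ZIP_PASSWORD']) { throw 'ZIP_PASSWORD missing from .env' }

# Newest archive matching the devolutions_YYYY-MM-DD_HHmmss.7z pattern.
$archive = Get-ChildItem -LiteralPath $cfg.ZipOutputDir -Filter 'devolutions_*.7z' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $archive) { throw "No devolutions_*.7z found in $($cfg.ZipOutputDir)" }

# 1. Integrity: 't' decrypts and CRC-checks every entry without writing files.
#    The password travels as one argument, so spaces in it need no extra quoting.
& $cfg.SevenZipPath t "-p$($envVars['ZIP_PASSWORD'])" $archive.FullName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Integrity test failed for $($archive.Name) (7-Zip exit code $LASTEXITCODE)"
}

# 2. Header encryption: with -mhe=on the file list cannot be read without the
#    right password, so listing with a wrong one must fail.
& $cfg.SevenZipPath l '-pdefinitely-not-the-password' $archive.FullName 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "$($archive.Name) lists without the correct password: headers are not encrypted"
}

"OK: $($archive.Name) passed the integrity test and hides its file list."
```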


Security Notes

  • The .7z archive uses AES-256 encryption with header encryption (-mhe=on), which conceals filenames inside the archive in addition to file contents.
  • Secrets (APP_KEY, APP_SECRET, ZIP_PASSWORD) are stored in .env, which is gitignored. The .env file is still plaintext on disk -- for scheduled/unattended use, consider protecting it with NTFS permissions or pulling values from a secrets manager (e.g., Delinea Secret Server) instead.
  • Raw .json export files are always deleted after archiving, regardless of whether the archive completed successfully.
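One way to apply the NTFS-permission suggestion above, as an added example that is not part of this repository: it removes inherited access from .env, leaves only the account that runs the export plus SYSTEM and Administrators, and then re-reads the ACL to confirm nothing else remains. The .env location and the run-as account are assumptions; run it elevated.

```powershell
# Added example: restrict .env to the account that runs the export.
param(
    [string]$EnvPath = '.\.env',                         # assumed: .env beside the script
    [string]$RunAs   = "$env:USERDOMAIN\$env:USERNAME"   # assumed: scheduled-task account
)

$rights = [System.Security.AccessControl.FileSystemRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$sidT   = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs avoid localized group names.
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # LocalSystem
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
$runner = ([System.Security.Principal.NTAccount]$RunAs).Translate($sidT)

$acl = Get-Acl -LiteralPath $EnvPath

# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit entries that were already on the file.
foreach ($rule in @($acl.Access)) {
    [void]$acl.RemoveAccessRuleAll($rule)
}

# The export account only needs to read the secrets.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($runner, $rights::Read, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($system, $rights::FullControl, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins, $rights::FullControl, $allow)))

Set-Acl -LiteralPath $EnvPath -AclObject $acl

# Verify: fail loudly if any principal outside the expected three still has an entry.
$expected = @($runner.Value, $system.Value, $admins.Value)
$extra = (Get-Acl -LiteralPath $EnvPath).Access | Where-Object {
    $_.IdentityReference.Translate($sidT).Value -notin $expected
}
if ($extra) {
    throw "Unexpected access on ${EnvPath}: $($extra.IdentityReference -join ', ')"
}
"OK: $EnvPath is readable only by $RunAs, SYSTEM and Administrators."
```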

PAM Vaults

PAM vaults are not exportable via the Devolutions API and are automatically skipped with a warning message. All other vault types are exported.


Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| 7-Zip not found error | 7-Zip not installed or wrong path | Install 7-Zip or update SevenZipPath in config.psd1 |
| 7-Zip exited with code 2 | Bad password argument format | Ensure password has no special characters that need escaping, or wrap in single quotes |
| Module install fails | PSGallery not reachable | Check internet access or proxy settings |
| Connect-HubAccount fails | Invalid credentials | Verify $appKey and $appSecret in Devolutions Hub under Application Users |
| Empty export files | App user has no vault permissions | Grant the application user read access to vaults in Hub |
