The easiest and most convenient way to securely backup files using the command line is with the AWS CLI (see aws s3 docs). S3 buckets support versioning and default encryption (which causes uploaded files to be encrypted at rest). If you’re already managing your passwords with LastPass, you have another option for securely backing up misfit text files.

LastPass users who typically interact with their vault via a browser plugin may be surprised to learn of an official command line utility called lpass that provides access to secure items. See the man page for subcommands and details.

Using lpass, a text file (or any content piped from stdin) can be stored as a LastPass secure note. As with S3, LastPass secure notes are versioned and can be selectively shared.


To get started, download the lpass utility and install it. You will also need to create a account if you do not have one.

Log In

Run the following command to start the agent. You will be prompted for your LastPass password.


This authentication scheme fits nicely into a developer workflow but is less well suited to fully automated tasks. The AWS CLI loads credentials from a predefined file which is more convenient for automation. Check out Vault by HashiCorp if you have more elaborate requirements for managing secrets and don’t mind running a standalone server instance.

Backup a File as a Secure Note

Run the following command to create or update a secure note named using the contents of config.json.

cat config.json | lpass edit --notes --non-interactive && \
lpass sync

I recommend adding the command to a Makefile or similar. Duplicate the first line for additional files (lpass sync only has to run once at the end).

LastPass expects note contents to be plain text and I don’t see a way to add attachments from the command line. It might be possible to use base64 encoded binary data but not very much of it. According to LastPass Support:

You can enter up to 45,000 characters in a secure note.

Restore a File from a Secure Note

Run the following command to write the contents of the secure note named to config.json.

lpass show --notes > config.json