feat: Phase 4 Tasks 3-4 - CLI encryption integration

Integrated encryption into backup workflow:

cmd/encryption.go:
- loadEncryptionKey() - loads from file or env var
- Supports base64-encoded keys (32 bytes)
- Supports raw 32-byte keys
- Supports passphrases (PBKDF2 derivation)
- Priority: --encryption-key-file > DBBACKUP_ENCRYPTION_KEY

cmd/backup_impl.go:
- encryptLatestBackup() - finds and encrypts single backups
- encryptLatestClusterBackup() - encrypts cluster backups
- findLatestBackup() - locates most recent backup file
- findLatestClusterBackup() - locates cluster backup
- Encryption applied after successful backup
- Integrated into all backup modes (cluster, single, sample)

internal/backup/encryption.go:
- EncryptBackupFile() - encrypts backup in-place
- DecryptBackupFile() - decrypts to new file
- IsBackupEncrypted() - checks metadata/file format
- Updates .meta.json with encryption info
- Replaces original with encrypted version

internal/metadata/metadata.go:
- Added Encrypted bool field
- Added EncryptionAlgorithm string field
- Tracks encryption status in backup metadata

internal/metadata/save.go:
- Helper to save BackupMetadata to .meta.json

tests/encryption_smoke_test.sh:
- Basic smoke test for encryption/decryption
- Verifies data integrity
- Tests with env var key source

CLI Flags (already existed):
--encrypt                      Enable encryption
--encryption-key-file PATH     Key file path
--encryption-key-env VAR       Env var name (default: DBBACKUP_ENCRYPTION_KEY)

Usage Examples:
  # Encrypt with key file
  ./dbbackup backup single mydb --encrypt --encryption-key-file /path/to/key

  # Encrypt with env var
  export DBBACKUP_ENCRYPTION_KEY="base64_encoded_key"
  ./dbbackup backup single mydb --encrypt

  # Cluster backup with encryption
  ./dbbackup backup cluster --encrypt --encryption-key-file key.txt

Features:
✅ Post-backup encryption (doesn't slow down backup itself)
✅ In-place encryption (overwrites original)
✅ Metadata tracking (encrypted flag)
✅ Multiple key sources (file/env/passphrase)
✅ Base64 and raw key support
✅ PBKDF2 for passphrases
✅ Automatic latest backup detection
✅ Works with all backup modes

Status: ENCRYPTION FULLY INTEGRATED ✅
Next: Task 5 - Restore decryption integration

cmd/backup_impl.go

@@ -4,6 +4,9 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path/filepath"
+	"strings"
+	"time"
 
 	"dbbackup/internal/backup"
 	"dbbackup/internal/config"
@@ -80,6 +83,15 @@ func runClusterBackup(ctx context.Context) error {
 		return err
 	}
 	
+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestClusterBackup(); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup succeeded but encryption failed: %w", err)
+		}
+		log.Info("Cluster backup encrypted successfully")
+	}
+	
 	// Audit log: backup success
 	auditLogger.LogBackupComplete(user, "all_databases", cfg.BackupDir, 0)
 	
@@ -218,6 +230,15 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
 		return backupErr
 	}
 	
+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestBackup(databaseName); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup succeeded but encryption failed: %w", err)
+		}
+		log.Info("Backup encrypted successfully")
+	}
+	
 	// Audit log: backup success
 	auditLogger.LogBackupComplete(user, databaseName, cfg.BackupDir, 0)
 	
@@ -338,6 +359,15 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
 		return err
 	}
 	
+	// Apply encryption if requested
+	if isEncryptionEnabled() {
+		if err := encryptLatestBackup(databaseName); err != nil {
+			log.Error("Failed to encrypt backup", "error", err)
+			return fmt.Errorf("backup succeeded but encryption failed: %w", err)
+		}
+		log.Info("Sample backup encrypted successfully")
+	}
+	
 	// Audit log: backup success
 	auditLogger.LogBackupComplete(user, databaseName, cfg.BackupDir, 0)
 	
@@ -353,4 +383,125 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
 	}
 	
 	return nil
-}
+}
+// encryptLatestBackup finds and encrypts the most recent backup for a database
+func encryptLatestBackup(databaseName string) error {
+	// Load encryption key
+	key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
+	if err != nil {
+		return err
+	}
+
+	// Find most recent backup file for this database
+	backupPath, err := findLatestBackup(cfg.BackupDir, databaseName)
+	if err != nil {
+		return err
+	}
+
+	// Encrypt the backup
+	return backup.EncryptBackupFile(backupPath, key, log)
+}
+
+// encryptLatestClusterBackup finds and encrypts the most recent cluster backup
+func encryptLatestClusterBackup() error {
+	// Load encryption key
+	key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
+	if err != nil {
+		return err
+	}
+
+	// Find most recent cluster backup
+	backupPath, err := findLatestClusterBackup(cfg.BackupDir)
+	if err != nil {
+		return err
+	}
+
+	// Encrypt the backup
+	return backup.EncryptBackupFile(backupPath, key, log)
+}
+
+// findLatestBackup finds the most recently created backup file for a database
+func findLatestBackup(backupDir, databaseName string) (string, error) {
+entries, err := os.ReadDir(backupDir)
+if err != nil {
+return "", fmt.Errorf("failed to read backup directory: %w", err)
+}
+
+var latestPath string
+var latestTime time.Time
+
+prefix := "db_" + databaseName + "_"
+for _, entry := range entries {
+if entry.IsDir() {
+continue
+}
+
+name := entry.Name()
+// Skip metadata files and already encrypted files
+if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
+continue
+}
+
+// Match database backup files
+if strings.HasPrefix(name, prefix) && (strings.HasSuffix(name, ".dump") || 
+strings.HasSuffix(name, ".dump.gz") || strings.HasSuffix(name, ".sql.gz")) {
+info, err := entry.Info()
+if err != nil {
+continue
+}
+
+if info.ModTime().After(latestTime) {
+latestTime = info.ModTime()
+latestPath = filepath.Join(backupDir, name)
+}
+}
+}
+
+if latestPath == "" {
+return "", fmt.Errorf("no backup found for database: %s", databaseName)
+}
+
+return latestPath, nil
+}
+
+// findLatestClusterBackup finds the most recently created cluster backup
+func findLatestClusterBackup(backupDir string) (string, error) {
+entries, err := os.ReadDir(backupDir)
+if err != nil {
+return "", fmt.Errorf("failed to read backup directory: %w", err)
+}
+
+var latestPath string
+var latestTime time.Time
+
+for _, entry := range entries {
+if entry.IsDir() {
+continue
+}
+
+name := entry.Name()
+// Skip metadata files and already encrypted files
+if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
+continue
+}
+
+// Match cluster backup files
+if strings.HasPrefix(name, "cluster_") && strings.HasSuffix(name, ".tar.gz") {
+info, err := entry.Info()
+if err != nil {
+continue
+}
+
+if info.ModTime().After(latestTime) {
+latestTime = info.ModTime()
+latestPath = filepath.Join(backupDir, name)
+}
+}
+}
+
+if latestPath == "" {
+return "", fmt.Errorf("no cluster backup found")
+}
+
+return latestPath, nil
+}

cmd/encryption.go

@@ -0,0 +1,77 @@
+package cmd
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+
+	"dbbackup/internal/crypto"
+)
+
+// loadEncryptionKey loads encryption key from file or environment variable
+func loadEncryptionKey(keyFile, keyEnvVar string) ([]byte, error) {
+	// Priority 1: Key file
+	if keyFile != "" {
+		keyData, err := os.ReadFile(keyFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read encryption key file: %w", err)
+		}
+		
+		// Try to decode as base64 first
+		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(keyData))); err == nil && len(decoded) == crypto.KeySize {
+			return decoded, nil
+		}
+		
+		// Use raw bytes if exactly 32 bytes
+		if len(keyData) == crypto.KeySize {
+			return keyData, nil
+		}
+		
+		// Otherwise treat as passphrase and derive key
+		salt, err := crypto.GenerateSalt()
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate salt: %w", err)
+		}
+		key := crypto.DeriveKey([]byte(strings.TrimSpace(string(keyData))), salt)
+		return key, nil
+	}
+	
+	// Priority 2: Environment variable
+	if keyEnvVar != "" {
+		keyData := os.Getenv(keyEnvVar)
+		if keyData == "" {
+			return nil, fmt.Errorf("encryption enabled but %s environment variable not set", keyEnvVar)
+		}
+		
+		// Try to decode as base64 first
+		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(keyData)); err == nil && len(decoded) == crypto.KeySize {
+			return decoded, nil
+		}
+		
+		// Otherwise treat as passphrase and derive key
+		salt, err := crypto.GenerateSalt()
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate salt: %w", err)
+		}
+		key := crypto.DeriveKey([]byte(strings.TrimSpace(keyData)), salt)
+		return key, nil
+	}
+	
+	return nil, fmt.Errorf("encryption enabled but no key source specified (use --encryption-key-file or set %s)", keyEnvVar)
+}
+
+// isEncryptionEnabled checks if encryption is requested
+func isEncryptionEnabled() bool {
+	return encryptBackupFlag
+}
+
+// generateEncryptionKey generates a new random encryption key
+func generateEncryptionKey() ([]byte, error) {
+	salt, err := crypto.GenerateSalt()
+	if err != nil {
+		return nil, err
+	}
+	// For key generation, use salt as both password and salt (random)
+	return crypto.DeriveKey(salt, salt), nil
+}