UUXO/dbbackup
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 28 Wiki Activity

feat: Phase 4 Tasks 3-4 - CLI encryption integration

Browse Source 
Integrated encryption into backup workflow:

cmd/encryption.go:
- loadEncryptionKey() - loads from file or env var
- Supports base64-encoded keys (32 bytes)
- Supports raw 32-byte keys
- Supports passphrases (PBKDF2 derivation)
- Priority: --encryption-key-file > DBBACKUP_ENCRYPTION_KEY

cmd/backup_impl.go:
- encryptLatestBackup() - finds and encrypts single backups
- encryptLatestClusterBackup() - encrypts cluster backups
- findLatestBackup() - locates most recent backup file
- findLatestClusterBackup() - locates cluster backup
- Encryption applied after successful backup
- Integrated into all backup modes (cluster, single, sample)

internal/backup/encryption.go:
- EncryptBackupFile() - encrypts backup in-place
- DecryptBackupFile() - decrypts to new file
- IsBackupEncrypted() - checks metadata/file format
- Updates .meta.json with encryption info
- Replaces original with encrypted version

internal/metadata/metadata.go:
- Added Encrypted bool field
- Added EncryptionAlgorithm string field
- Tracks encryption status in backup metadata

internal/metadata/save.go:
- Helper to save BackupMetadata to .meta.json

tests/encryption_smoke_test.sh:
- Basic smoke test for encryption/decryption
- Verifies data integrity
- Tests with env var key source

CLI Flags (already existed):
--encrypt                      Enable encryption
--encryption-key-file PATH     Key file path
--encryption-key-env VAR       Env var name (default: DBBACKUP_ENCRYPTION_KEY)

Usage Examples:
  # Encrypt with key file
  ./dbbackup backup single mydb --encrypt --encryption-key-file /path/to/key

  # Encrypt with env var
  export DBBACKUP_ENCRYPTION_KEY="base64_encoded_key"
  ./dbbackup backup single mydb --encrypt

  # Cluster backup with encryption
  ./dbbackup backup cluster --encrypt --encryption-key-file key.txt

Features:
 Post-backup encryption (doesn't slow down backup itself)
 In-place encryption (overwrites original)
 Metadata tracking (encrypted flag)
 Multiple key sources (file/env/passphrase)
 Base64 and raw key support
 PBKDF2 for passphrases
 Automatic latest backup detection
 Works with all backup modes

Status: ENCRYPTION FULLY INTEGRATED 
Next: Task 5 - Restore decryption integration
This commit is contained in:
Renz
2025-11-26 07:54:25 +00:00
parent 872f21c8cd
commit c620860de3
6 changed files with 488 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
cmd/backup_impl.go
View File

@@ -4,6 +4,9 @@ import (
"context"
"fmt"
"os"
"path/filepath"
"strings"
"time"
"dbbackup/internal/backup"
"dbbackup/internal/config"
@@ -80,6 +83,15 @@ func runClusterBackup(ctx context.Context) error {
return err
}
// Apply encryption if requested
if isEncryptionEnabled() {
if err := encryptLatestClusterBackup(); err != nil {
log.Error("Failed to encrypt backup", "error", err)
return fmt.Errorf("backup succeeded but encryption failed: %w", err)
}
log.Info("Cluster backup encrypted successfully")
}
// Audit log: backup success
auditLogger.LogBackupComplete(user, "all_databases", cfg.BackupDir, 0)
@@ -218,6 +230,15 @@ func runSingleBackup(ctx context.Context, databaseName string) error {
return backupErr
}
// Apply encryption if requested
if isEncryptionEnabled() {
if err := encryptLatestBackup(databaseName); err != nil {
log.Error("Failed to encrypt backup", "error", err)
return fmt.Errorf("backup succeeded but encryption failed: %w", err)
}
log.Info("Backup encrypted successfully")
}
// Audit log: backup success
auditLogger.LogBackupComplete(user, databaseName, cfg.BackupDir, 0)
@@ -338,6 +359,15 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
return err
}
// Apply encryption if requested
if isEncryptionEnabled() {
if err := encryptLatestBackup(databaseName); err != nil {
log.Error("Failed to encrypt backup", "error", err)
return fmt.Errorf("backup succeeded but encryption failed: %w", err)
}
log.Info("Sample backup encrypted successfully")
}
// Audit log: backup success
auditLogger.LogBackupComplete(user, databaseName, cfg.BackupDir, 0)
@@ -353,4 +383,125 @@ func runSampleBackup(ctx context.Context, databaseName string) error {
}
return nil
}
}
// encryptLatestBackup finds and encrypts the most recent backup for a database
func encryptLatestBackup(databaseName string) error {
// Load encryption key
key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
if err != nil {
return err
}
// Find most recent backup file for this database
backupPath, err := findLatestBackup(cfg.BackupDir, databaseName)
if err != nil {
return err
}
// Encrypt the backup
return backup.EncryptBackupFile(backupPath, key, log)
}
// encryptLatestClusterBackup finds and encrypts the most recent cluster backup
func encryptLatestClusterBackup() error {
// Load encryption key
key, err := loadEncryptionKey(encryptionKeyFile, encryptionKeyEnv)
if err != nil {
return err
}
// Find most recent cluster backup
backupPath, err := findLatestClusterBackup(cfg.BackupDir)
if err != nil {
return err
}
// Encrypt the backup
return backup.EncryptBackupFile(backupPath, key, log)
}
// findLatestBackup finds the most recently created backup file for a database
func findLatestBackup(backupDir, databaseName string) (string, error) {
entries, err := os.ReadDir(backupDir)
if err != nil {
return "", fmt.Errorf("failed to read backup directory: %w", err)
}
var latestPath string
var latestTime time.Time
prefix := "db_" + databaseName + "_"
for _, entry := range entries {
if entry.IsDir() {
continue
}
name := entry.Name()
// Skip metadata files and already encrypted files
if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
continue
}
// Match database backup files
if strings.HasPrefix(name, prefix) && (strings.HasSuffix(name, ".dump") ||
strings.HasSuffix(name, ".dump.gz") || strings.HasSuffix(name, ".sql.gz")) {
info, err := entry.Info()
if err != nil {
continue
}
if info.ModTime().After(latestTime) {
latestTime = info.ModTime()
latestPath = filepath.Join(backupDir, name)
}
}
}
if latestPath == "" {
return "", fmt.Errorf("no backup found for database: %s", databaseName)
}
return latestPath, nil
}
// findLatestClusterBackup finds the most recently created cluster backup
func findLatestClusterBackup(backupDir string) (string, error) {
entries, err := os.ReadDir(backupDir)
if err != nil {
return "", fmt.Errorf("failed to read backup directory: %w", err)
}
var latestPath string
var latestTime time.Time
for _, entry := range entries {
if entry.IsDir() {
continue
}
name := entry.Name()
// Skip metadata files and already encrypted files
if strings.HasSuffix(name, ".meta.json") || strings.HasSuffix(name, ".encrypted") {
continue
}
// Match cluster backup files
if strings.HasPrefix(name, "cluster_") && strings.HasSuffix(name, ".tar.gz") {
info, err := entry.Info()
if err != nil {
continue
}
if info.ModTime().After(latestTime) {
latestTime = info.ModTime()
latestPath = filepath.Join(backupDir, name)
}
}
}
if latestPath == "" {
return "", fmt.Errorf("no cluster backup found")
}
return latestPath, nil
}