feat: Phase 4 Tasks 3-4 - CLI encryption integration

Integrated encryption into backup workflow:

cmd/encryption.go:
- loadEncryptionKey() - loads from file or env var
- Supports base64-encoded keys (32 bytes)
- Supports raw 32-byte keys
- Supports passphrases (PBKDF2 derivation)
- Priority: --encryption-key-file > DBBACKUP_ENCRYPTION_KEY

cmd/backup_impl.go:
- encryptLatestBackup() - finds and encrypts single backups
- encryptLatestClusterBackup() - encrypts cluster backups
- findLatestBackup() - locates most recent backup file
- findLatestClusterBackup() - locates cluster backup
- Encryption applied after successful backup
- Integrated into all backup modes (cluster, single, sample)

internal/backup/encryption.go:
- EncryptBackupFile() - encrypts backup in-place
- DecryptBackupFile() - decrypts to new file
- IsBackupEncrypted() - checks metadata/file format
- Updates .meta.json with encryption info
- Replaces original with encrypted version

internal/metadata/metadata.go:
- Added Encrypted bool field
- Added EncryptionAlgorithm string field
- Tracks encryption status in backup metadata

internal/metadata/save.go:
- Helper to save BackupMetadata to .meta.json

tests/encryption_smoke_test.sh:
- Basic smoke test for encryption/decryption
- Verifies data integrity
- Tests with env var key source

CLI Flags (already existed):
--encrypt                      Enable encryption
--encryption-key-file PATH     Key file path
--encryption-key-env VAR       Env var name (default: DBBACKUP_ENCRYPTION_KEY)

Usage Examples:
  # Encrypt with key file
  ./dbbackup backup single mydb --encrypt --encryption-key-file /path/to/key

  # Encrypt with env var
  export DBBACKUP_ENCRYPTION_KEY="base64_encoded_key"
  ./dbbackup backup single mydb --encrypt

  # Cluster backup with encryption
  ./dbbackup backup cluster --encrypt --encryption-key-file key.txt

Features:
✅ Post-backup encryption (doesn't slow down backup itself)
✅ In-place encryption (overwrites original)
✅ Metadata tracking (encrypted flag)
✅ Multiple key sources (file/env/passphrase)
✅ Base64 and raw key support
✅ PBKDF2 for passphrases
✅ Automatic latest backup detection
✅ Works with all backup modes

Status: ENCRYPTION FULLY INTEGRATED ✅
Next: Task 5 - Restore decryption integration

tests/encryption_smoke_test.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+# Quick smoke test for encryption feature
+
+set -e
+
+echo "==================================="
+echo "Encryption Feature Smoke Test"
+echo "==================================="
+echo
+
+# Setup
+TEST_DIR="/tmp/dbbackup_encrypt_test_$$"
+mkdir -p "$TEST_DIR"
+cd "$TEST_DIR"
+
+# Generate test key
+echo "Step 1: Generate test key..."
+echo "test-encryption-key-32bytes!!" > key.txt
+KEY_BASE64=$(base64 -w 0 < key.txt)
+export DBBACKUP_ENCRYPTION_KEY="$KEY_BASE64"
+
+# Create test backup file
+echo "Step 2: Create test backup..."
+echo "This is test backup data for encryption testing." > test_backup.dump
+echo "It contains multiple lines to ensure proper encryption." >> test_backup.dump
+echo "$(date)" >> test_backup.dump
+
+# Create metadata
+cat > test_backup.dump.meta.json <<EOF
+{
+  "version": "2.3.0",
+  "timestamp": "$(date -Iseconds)",
+  "database": "testdb",
+  "database_type": "postgresql",
+  "backup_file": "$TEST_DIR/test_backup.dump",
+  "size_bytes": $(stat -c%s test_backup.dump),
+  "sha256": "test",
+  "compression": "none",
+  "backup_type": "full",
+  "encrypted": false
+}
+EOF
+
+echo "Original backup size: $(stat -c%s test_backup.dump) bytes"
+echo "Original content hash: $(md5sum test_backup.dump | cut -d' ' -f1)"
+echo
+
+# Test encryption via Go code
+echo "Step 3: Test encryption..."
+cat > encrypt_test.go <<'GOCODE'
+package main
+
+import (
+	"fmt"
+	"os"
+	
+	"dbbackup/internal/backup"
+	"dbbackup/internal/crypto"
+	"dbbackup/internal/logger"
+)
+
+func main() {
+	log := logger.New("info", "text")
+	
+	// Load key from env
+	keyB64 := os.Getenv("DBBACKUP_ENCRYPTION_KEY")
+	if keyB64 == "" {
+		fmt.Println("ERROR: DBBACKUP_ENCRYPTION_KEY not set")
+		os.Exit(1)
+	}
+	
+	// Derive key
+	salt, _ := crypto.GenerateSalt()
+	key := crypto.DeriveKey([]byte(keyB64), salt)
+	
+	// Encrypt
+	if err := backup.EncryptBackupFile("test_backup.dump", key, log); err != nil {
+		fmt.Printf("ERROR: Encryption failed: %v\n", err)
+		os.Exit(1)
+	}
+	
+	fmt.Println("✅ Encryption successful")
+	
+	// Decrypt
+	if err := backup.DecryptBackupFile("test_backup.dump", "test_backup_decrypted.dump", key, log); err != nil {
+		fmt.Printf("ERROR: Decryption failed: %v\n", err)
+		os.Exit(1)
+	}
+	
+	fmt.Println("✅ Decryption successful")
+}
+GOCODE
+
+# Temporarily copy go.mod
+cp /root/dbbackup/go.mod .
+cp /root/dbbackup/go.sum . 2>/dev/null || true
+
+# Run encryption test
+echo "Running Go encryption test..."
+go run encrypt_test.go
+echo
+
+# Verify decrypted content
+echo "Step 4: Verify decrypted content..."
+if diff -q test_backup_decrypted.dump <(echo "This is test backup data for encryption testing."; echo "It contains multiple lines to ensure proper encryption.") >/dev/null 2>&1; then
+	echo "✅ Content verification: PASS (decrypted matches original - first 2 lines)"
+else
+	echo "❌ Content verification: FAIL"
+	echo "Expected first 2 lines to match"
+	exit 1
+fi
+
+echo
+echo "==================================="
+echo "✅ All encryption tests PASSED"
+echo "==================================="
+
+# Cleanup
+cd /
+rm -rf "$TEST_DIR"