
Commit 0b2c783

committed
Release 4.0.8 - See CHANGELOG.md
1 parent 535e011 commit 0b2c783


3 files changed

+43
-21
lines changed


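--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 4.0.8 2023-11-11 <dave at tiredofit dot ca>
+
+### Changed
+- Tidy up file_encryption() routines
+- Change environment variable _ENCRYPTION_PUBKEY to _ENCRYPTION_PUBLIC_KEY
+- Add new environment variable _ENCRYPTION_PRIVATE_KEY
+
+
 ## 4.0.7 2023-11-11 <dave at tiredofit dot ca>
 
 ### Added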

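--- a/README.md
+++ b/README.md
@@ -214,12 +214,13 @@ If these are set and no other defaults or variables are set explicitly, they wil
 
 Encryption occurs after compression and the encrypted filename will have a `.gpg` suffix
 
-| Variable | Description | Default |
-| ---------------------------- | ------------------------------------------- | ------- |
-| `DEFAULT_ENCRYPT` | Encrypt file after backing up with GPG | `FALSE` |
-| `DEFAULT_ENCRYPT_PASSPHRASE` | Passphrase to encrypt file with GPG | |
-| *or* | | |
-| `DEFAULT_ENCRYPT_PUBKEY` | Path of public key to encrypt file with GPG | |
+| Variable | Description | Default | `_FILE` |
+| ----------------------------- | -------------------------------------------- | ------- | ------- |
+| `DEFAULT_ENCRYPT` | Encrypt file after backing up with GPG | `FALSE` | |
+| `DEFAULT_ENCRYPT_PASSPHRASE` | Passphrase to encrypt file with GPG | | x |
+| *or* | | | |
+| `DEFAULT_ENCRYPT_PUBLIC_KEY` | Path of public key to encrypt file with GPG | | x |
+| `DEFAULT_ENCRYPT_PRIVATE_KEY` | Path of private key to encrypt file with GPG | | x |
 
 ##### Scheduling Options
 
@@ -476,12 +477,14 @@ Otherwise, override them per backup job. Additional backup jobs can be scheduled
 
 Encryption will occur after compression and the resulting filename will have a `.gpg` suffix
 
-| Variable | Description | Default |
-| ------------------------- | ------------------------------------------- | ------- |
-| `DB01_ENCRYPT` | Encrypt file after backing up with GPG | `FALSE` |
-| `DB01_ENCRYPT_PASSPHRASE` | Passphrase to encrypt file with GPG | |
-| *or* | | |
-| `DB01_ENCRYPT_PUBKEY` | Path of public key to encrypt file with GPG | |
+
+| Variable | Description | Default | `_FILE` |
+| -------------------------- | -------------------------------------------- | ------- | ------- |
+| `DB01_ENCRYPT` | Encrypt file after backing up with GPG | `FALSE` | |
+| `DB01_ENCRYPT_PASSPHRASE` | Passphrase to encrypt file with GPG | | x |
+| *or* | | | |
+| `DB01_ENCRYPT_PUBLIC_KEY` | Path of public key to encrypt file with GPG | | x |
+| `DB01_ENCRYPT_PRIVATE_KEY` | Path of private key to encrypt file with GPG | | x |
 
 ##### Scheduling Options
 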
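--- a/install/assets/functions/10-db-backup
+++ b/install/assets/functions/10-db-backup
@@ -48,7 +48,8 @@ bootstrap_variables() {
 DEFAULT_USER \
 DEFAULT_PASS \
 DEFAULT_ENCRYPT_PASSPHRASE \
-DEFAULT_ENCRYPT_PUBKEY \
+DEFAULT_ENCRYPT_PUBLIC_KEY \
+DEFAULT_ENCRYPT_PRIVATE_KEY \
 DEFAULT_MONGO_CUSTOM_URI \
 DEFAULT_MYSQL_TLS_CA_FILE \
 DEFAULT_MYSQL_TLS_CERT_FILE \
@@ -74,7 +75,8 @@ bootstrap_variables() {
 DB"${backup_instance_number}"_USER \
 DB"${backup_instance_number}"_PASS \
 DB"${backup_instance_number}"_ENCRYPT_PASSPHRASE \
-DB"${backup_instance_number}"_ENCRYPT_PUBKEY \
+DB"${backup_instance_number}"_ENCRYPT_PUBLIC_KEY \
+DB"${backup_instance_number}"_ENCRYPT_PRIVATE_KEY \
 DB"${backup_instance_number}"_MONGO_CUSTOM_URI \
 DB"${backup_instance_number}"_MYSQL_TLS_CA_FILE \
 DB"${backup_instance_number}"_MYSQL_TLS_CERT_FILE \
@@ -185,7 +187,8 @@ bootstrap_variables() {
 transform_backup_instance_variable "${backup_instance_number}" ENABLE_PARALLEL_COMPRESSION backup_job_parallel_compression
 transform_backup_instance_variable "${backup_instance_number}" ENCRYPT backup_job_encrypt
 transform_backup_instance_variable "${backup_instance_number}" ENCRYPT_PASSPHRASE backup_job_encrypt_passphrase
-transform_backup_instance_variable "${backup_instance_number}" ENCRYPT_PUBKEY backup_job_encrypt_pubkey
+transform_backup_instance_variable "${backup_instance_number}" ENCRYPT_PRIVATE_KEY backup_job_encrypt_private_key
+transform_backup_instance_variable "${backup_instance_number}" ENCRYPT_PUBLIC_KEY backup_job_encrypt_public_key
 transform_backup_instance_variable "${backup_instance_number}" EXTRA_DUMP_OPTS backup_job_extra_dump_opts
 transform_backup_instance_variable "${backup_instance_number}" EXTRA_ENUMERATION_OPTS backup_job_extra_enumeration_opts
 transform_backup_instance_variable "${backup_instance_number}" EXTRA_OPTS backup_job_extra_opts
@@ -1237,21 +1240,26 @@ file_encryption() {
 if [ "${exit_code}" = "0" ] ; then
 print_debug "[file_encryption] Encrypting"
 output_off
-if [ -n "${backup_job_encrypt_passphrase}" ] && [ -n "${backup_job_encrypt_pubkey}" ]; then
+if [ -n "${backup_job_encrypt_passphrase}" ] && [ -n "${backup_job_encrypt_public_key}" ]; then
 print_error "Can't encrypt as both ENCRYPT_PASSPHRASE and ENCRYPT_PUBKEY exist!"
 return
-elif [ -n "${backup_job_encrypt_passphrase}" ] && [ -z "${backup_job_encrypt_pubkey}" ]; then
+elif [ -n "${backup_job_encrypt_passphrase}" ] && [ -z "${backup_job_encrypt_public_key}" ]; then
 print_notice "Encrypting with GPG Passphrase"
 encrypt_routines_start_time=$(date +'%s')
 encrypt_tmp_dir=$(run_as_user mktemp -d)
 echo "${backup_job_encrypt_passphrase}" | silent run_as_user ${play_fair} gpg --batch --home ${encrypt_tmp_dir} --yes --passphrase-fd 0 -c "${TEMP_PATH}"/"${backup_job_filename}"
 rm -rf "${encrypt_tmp_dir}"
-elif [ -z "${backup_job_encrypt_passphrase}" ] && [ -n "${backup_job_encrypt_pubkey}" ]; then
-if [ -f "${backup_job_encrypt_pubkey}" ]; then
+elif [ -z "${backup_job_encrypt_passphrase}" ] && [ -n "${backup_job_encrypt_public_key}" ] && [ -n "${backup_job_encrypt_private_key}" ]; then
+if [ -f "${backup_job_encrypt_private_key}" ]; then
 encrypt_routines_start_time=$(date +'%s')
-print_notice "Encrypting with GPG Public Key"
+print_notice "Encrypting with GPG Private Key"
 encrypt_tmp_dir=$(run_as_user mktemp -d)
-silent run_as_user ${play_fair} gpg --batch --yes --home ${encrypt_tmp_dir} --recipient-file "${backup_job_encrypt_pubkey}" -c "${TEMP_PATH}"/"${backup_job_filename}"
+cat "${backup_job_encrypt_private_key}" | run_as_user tee "${encrypt_tmp_dir}"/private_key.asc > /dev/null
+print_debug "[file_encryption] [key] Importing Private Key"
+silent run_as_user gpg --home ${encrypt_tmp_dir} --batch --import "${encrypt_tmp_dir}"/private_key.asc
+print_debug "[file_encryption] [key] Encrypting to Public Key"
+cat "${backup_job_encrypt_public_key}" | run_as_user tee "${encrypt_tmp_dir}"/public_key.asc > /dev/null
+silent run_as_user ${play_fair} gpg --batch --yes --home "${encrypt_tmp_dir}" --encrypt --recipient-file "${encrypt_tmp_dir}"/public_key.asc "${TEMP_PATH}"/"${backup_job_filename}"
 rm -rf "${encrypt_tmp_dir}"
 fi
 fi
@@ -1266,6 +1274,9 @@ file_encryption() {
 - dbbackup.backup.encrypt.duration.[${backup_job_db_host}.${backup_job_db_name}] ${encrypt_routines_total_time}
 EOF
 )
+else
+print_error "Encryption failed! Could not detect encrypted file"
+return 99
 fi
 else
 write_log error "Skipping encryption because backup did not complete successfully"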
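Review bot: The new public-key branch in file_encryption() requires `backup_job_encrypt_private_key` to be set and imports it into the temporary GPG home, yet the `gpg --encrypt --recipient-file` call that follows needs only the recipient's public key and does not sign, so the imported private key appears to be unused. Requiring it means the decryption key has to be stored on the same host as the backups it protects, and a job configured with only a public key now matches no branch and presumably falls through to the new `return 99` path without a message explaining why. I would restore the condition to `elif [ -z "${backup_job_encrypt_passphrase}" ] && [ -n "${backup_job_encrypt_public_key}" ]; then`, test `[ -f "${backup_job_encrypt_public_key}" ]` rather than the private key file, and import the private key only when one is actually supplied. The unchanged conflict message still names `ENCRYPT_PUBKEY` and the new notice reads "Encrypting with GPG Private Key"; both should refer to `ENCRYPT_PUBLIC_KEY`, and `--home ${encrypt_tmp_dir}` on the import line should be quoted like the encrypt line. file_encryption's body starts and ends outside these hunks.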
