From f2739b583e83d77d186f6f5f08e0b0f3ec494e0f Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Sun, 22 Aug 2021 14:44:33 +0200
Subject: [PATCH] add gpg encryption
---
 go.mod | 4 ++--
 go.sum | 4 ++++
 src/main.go | 41 ++++++++++++++++++++++++++++++---
 test/compose/docker-compose.yml | 2 +-
 4 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 7ecd836..f58a015 100644
--- a/go.mod
+++ b/go.mod
@@ -30,9 +30,9 @@ require (
 github.com/pkg/errors v0.9.1 // indirect
 github.com/rs/xid v1.2.1 // indirect
 github.com/sirupsen/logrus v1.8.1 // indirect
- golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
+ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
- golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 // indirect
+ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
 golang.org/x/text v0.3.4 // indirect
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
 google.golang.org/grpc v1.33.2 // indirect
diff --git a/go.sum b/go.sum
index 1399033..c61d375 100644
--- a/go.sum
+++ b/go.sum
@@ -631,6 +631,8 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -772,6 +774,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/src/main.go b/src/main.go
index dfc68a6..456a56f 100644
--- a/src/main.go
+++ b/src/main.go
@@ -1,10 +1,12 @@
 package main
 
 import (
+ "bytes"
 "context"
 "errors"
 "fmt"
 "io"
+ "io/ioutil"
 "os"
 "os/exec"
 "path"
@@ -21,6 +23,7 @@ import (
 minio "github.com/minio/minio-go/v7"
 "github.com/minio/minio-go/v7/pkg/credentials"
 "github.com/walle/targz"
+ "golang.org/x/crypto/openpgp"
 )
 
 func main() {
@@ -203,11 +206,43 @@ func (s *script) restartContainers() error {
 }
 
 func (s *script) encryptBackup() error {
- key := os.Getenv("GPG_PASSPHRASE")
- if key == "" {
+ passphrase := os.Getenv("GPG_PASSPHRASE")
+ if passphrase == "" {
 return nil
 }
- return errors.New("encryptBackup: not implemented yet")
+
+ buf := bytes.NewBuffer(nil)
+ _, name := path.Split(s.file)
+ pt, err := openpgp.SymmetricallyEncrypt(buf, []byte(passphrase), &openpgp.FileHints{
+ IsBinary: true,
+ FileName: name,
+ }, nil)
+ if err != nil {
+ return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
+ }
+
+ unencrypted, err := ioutil.ReadFile(s.file)
+ if err != nil {
+ pt.Close()
+ return fmt.Errorf("encryptBackup: error reading unencrypted backup file: %w", err)
+ }
+ _, err = pt.Write(unencrypted)
+ if err != nil {
+ pt.Close()
+ return fmt.Errorf("encryptBackup: error writing backup contents: %w", err)
+ }
+ pt.Close()
+
+ gpgFile := fmt.Sprintf("%s.gpg", s.file)
+ if err := ioutil.WriteFile(gpgFile, buf.Bytes(), os.ModeAppend); err != nil {
+ return fmt.Errorf("encryptBackup: error writing encrypted version of backup: %w", err)
+ }
+
+ if err := os.Remove(s.file); err != nil {
+ return fmt.Errorf("encryptBackup: error removing unencrpyted backup: %w", err)
+ }
+ s.file = gpgFile
+ return nil
 }
 
 func (s *script) copyBackup() error {
diff --git a/test/compose/docker-compose.yml b/test/compose/docker-compose.yml
index eaef3d5..26dbbb9 100644
--- a/test/compose/docker-compose.yml
+++ b/test/compose/docker-compose.yml
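Review bot: The added import `golang.org/x/crypto/openpgp` brings in a package that is deprecated and frozen upstream, so the new backup encryption starts out on an implementation that no longer tracks the OpenPGP ecosystem. If OpenPGP interoperability is the requirement, a maintained and largely API-compatible fork such as `github.com/ProtonMail/go-crypto/openpgp` is the usual replacement. At minimum I would record the decision next to the import, e.g. `// NOTE: x/crypto/openpgp is deprecated upstream; revisit when moving to a maintained OpenPGP implementation`. The go.mod hunk also leaves `golang.org/x/crypto` tagged `// indirect` although this file now imports it directly.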
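Review bot: `ioutil.WriteFile(gpgFile, buf.Bytes(), os.ModeAppend)` passes a mode flag where permission bits are expected, so on Unix-like systems the encrypted file is created with permission bits 000 and can only be read back for upload by a process that bypasses file permissions; an explicit `0600` is what a backup artifact wants. All three `pt.Close()` calls discard the returned error, and since Close is what finalises the OpenPGP stream, a failure there would go unnoticed before `os.Remove(s.file)` deletes the only plaintext copy. The function also holds the whole archive in memory twice (`ioutil.ReadFile` plus the `bytes.Buffer`), which scales badly for volume backups. The sketch below streams from the source file into the output with `io.Copy`, checks both Close results and creates the output with mode 0600; with it the `bytes` and `io/ioutil` imports added by this commit are no longer needed. Separately, the `nil` config leaves the cipher and passphrase-stretching parameters at package defaults, which is worth pinning explicitly through a `packet.Config`.

```go
func (s *script) encryptBackup() error {
	// … unchanged: GPG_PASSPHRASE lookup and early return …

	gpgFile := fmt.Sprintf("%s.gpg", s.file)
	out, err := os.OpenFile(gpgFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		return fmt.Errorf("encryptBackup: error creating encrypted backup file: %w", err)
	}
	defer out.Close()

	_, name := path.Split(s.file)
	pt, err := openpgp.SymmetricallyEncrypt(out, []byte(passphrase), &openpgp.FileHints{
		IsBinary: true,
		FileName: name,
	}, nil)
	if err != nil {
		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
	}

	src, err := os.Open(s.file)
	if err != nil {
		return fmt.Errorf("encryptBackup: error opening unencrypted backup file: %w", err)
	}
	defer src.Close()

	if _, err := io.Copy(pt, src); err != nil {
		return fmt.Errorf("encryptBackup: error writing backup contents: %w", err)
	}
	// Close finalises the encrypted stream; the plaintext must only be
	// removed once both closes have succeeded.
	if err := pt.Close(); err != nil {
		return fmt.Errorf("encryptBackup: error finalizing encrypted backup: %w", err)
	}
	if err := out.Close(); err != nil {
		return fmt.Errorf("encryptBackup: error closing encrypted backup file: %w", err)
	}

	// … unchanged: os.Remove(s.file), s.file = gpgFile, return nil …
```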
@@ -23,7 +23,7 @@ services:
 AWS_ENDPOINT: minio:9000
 AWS_ENDPOINT_PROTO: http
 AWS_S3_BUCKET_NAME: backup
- # BACKUP_FILENAME: test.tar.gz
+ BACKUP_FILENAME: test.tar.gz
 BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
 BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
 BACKUP_PRUNING_LEEWAY: 5s