From fa88fe526cd70e7015f69cc4733e5ce8115b24da Mon Sep 17 00:00:00 2001
From: ITBM <22393016+itbm@users.noreply.github.com>
Date: Tue, 13 Nov 2018 08:50:05 +0000
Subject: [PATCH] Add backup encryption

---
 mysql-backup-s3/Dockerfile | 1 +
 mysql-backup-s3/README.md | 1 +
 mysql-backup-s3/backup.sh | 11 +++++++++++
 mysql-backup-s3/install.sh | 3 +++
 postgres-backup-s3/Dockerfile | 1 +
 postgres-backup-s3/README.md | 3 +++
 postgres-backup-s3/backup.sh | 18 ++++++++++++++++--
 postgres-backup-s3/install.sh | 3 +++
 8 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/mysql-backup-s3/Dockerfile b/mysql-backup-s3/Dockerfile
index 415abaf..b852249 100644
--- a/mysql-backup-s3/Dockerfile
+++ b/mysql-backup-s3/Dockerfile
@@ -20,6 +20,7 @@ ENV S3_PREFIX 'backup'
 ENV S3_FILENAME **None**
 ENV MULTI_FILES no
 ENV SCHEDULE **None**
+ENV ENCRYPTION_PASSWORD **None**
 
 ADD run.sh run.sh
 ADD backup.sh backup.sh
diff --git a/mysql-backup-s3/README.md b/mysql-backup-s3/README.md
index bb0d3f7..6bf2962 100644
--- a/mysql-backup-s3/README.md
+++ b/mysql-backup-s3/README.md
@@ -26,6 +26,7 @@ $ docker run -e S3_ACCESS_KEY_ID=key -e S3_SECRET_ACCESS_KEY=secret -e S3_BUCKET
 - `S3_S3V4` set to `yes` to enable AWS Signature Version 4, required for [minio](https://minio.io) servers (default: no)
 - `MULTI_FILES` Allow to have one file per database if set `yes` default: no)
 - `SCHEDULE` backup schedule time, see explainatons below
+- `ENCRYPTION_PASSWORD` password to encrypt the backup. Can be decrypted using `openssl aes-256-cbc -d -in backup.sql.gz.enc -out backup.sql.gz`
 
 ### Automatic Periodic Backups
 
diff --git a/mysql-backup-s3/backup.sh b/mysql-backup-s3/backup.sh
index eb604e4..a7e7f17 100644
--- a/mysql-backup-s3/backup.sh
+++ b/mysql-backup-s3/backup.sh
@@ -44,6 +44,17 @@ copy_s3 () {
 SRC_FILE=$1
 DEST_FILE=$2
 
+ if [ "${ENCRYPTION_PASSWORD}" != "**None**" ]; then
+ echo "Encrypting ${SRC_FILE}"
+ openssl enc -aes-256-cbc -in $SRC_FILE -out ${SRC_FILE}.enc -k $ENCRYPTION_PASSWORD
+ if [ $? != 0 ]; then
+ >&2 echo "Error encrypting ${SRC_FILE}"
+ fi
+ rm $SRC_FILE
+ SRC_FILE="${SRC_FILE}.enc"
+ DEST_FILE="${DEST_FILE}.enc"
+ fi
+
 if [ "${S3_ENDPOINT}" == "**None**" ]; then
 AWS_ARGS=""
 else
diff --git a/mysql-backup-s3/install.sh b/mysql-backup-s3/install.sh
index eda916a..8b04070 100644
--- a/mysql-backup-s3/install.sh
+++ b/mysql-backup-s3/install.sh
@@ -6,6 +6,9 @@ set -e
 
 apk update
 
+# install openssl
+apk add openssl
+
 # install mysqldump
 apk add mysql-client
 
diff --git a/postgres-backup-s3/Dockerfile b/postgres-backup-s3/Dockerfile
index d5eed1c..f6d3994 100644
--- a/postgres-backup-s3/Dockerfile
+++ b/postgres-backup-s3/Dockerfile
@@ -18,6 +18,7 @@ ENV S3_PATH 'backup'
 ENV S3_ENDPOINT **None**
 ENV S3_S3V4 no
 ENV SCHEDULE **None**
+ENV ENCRYPTION_PASSWORD **None**
 
 ADD run.sh run.sh
 ADD backup.sh backup.sh
diff --git a/postgres-backup-s3/README.md b/postgres-backup-s3/README.md
index a5339de..b96a7c4 100644
--- a/postgres-backup-s3/README.md
+++ b/postgres-backup-s3/README.md
@@ -40,3 +40,6 @@ You can additionally set the `SCHEDULE` environment variable like `-e SCHEDULE="
 
 More information about the scheduling can be found [here](http://godoc.org/github.com/robfig/cron#hdr-Predefined_schedules).
 
+### Encryption
+
+You can additionally set the `ENCRYPTION_PASSWORD` environment variable like `-e ENCRYPTION_PASSWORD="superstrongpassword"` to encrypt the backup. It can be decrypted using `openssl aes-256-cbc -d -in backup.sql.gz.enc -out backup.sql.gz`.
diff --git a/postgres-backup-s3/backup.sh b/postgres-backup-s3/backup.sh
index 6e5a7f0..19d8d6e 100644
--- a/postgres-backup-s3/backup.sh
+++ b/postgres-backup-s3/backup.sh
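Review bot: `-k $ENCRYPTION_PASSWORD` hands the backup password to openssl on its command line, where any process in the container can read it from `ps` or `/proc/*/cmdline` and where it lands in logs if the script is ever traced; since the value already arrives through the image's `ENV`, `-pass env:ENCRYPTION_PASSWORD` keeps it out of argv with no other change. The `if [ $? != 0 ]` branch only prints a message, after which `rm $SRC_FILE` deletes the plaintext dump and the upload goes ahead with a missing or truncated `.enc` file, so a failed encryption becomes a silently lost backup; the block should stop the script there and leave the plaintext in place. Without `-pbkdf2` the key is derived by the legacy single-pass EVP_BytesToKey scheme using whichever digest the installed OpenSSL defaults to (MD5 before 1.1.0, SHA-256 from 1.1.0), so I would add `-pbkdf2 -md sha256` if the `openssl` package that `apk add openssl` installs is 1.1.1 or newer (otherwise at least `-md sha256`), and mirror the same flags in both README decrypt commands, which otherwise stop matching. The `**None**` sentinel also lets an empty `ENCRYPTION_PASSWORD` through, which encrypts with an empty password instead of failing. The same block is added verbatim in postgres-backup-s3/backup.sh in this commit and needs the same changes; `copy_s3` continues outside the hunk.
```shell
  if [ "${ENCRYPTION_PASSWORD}" != "**None**" ]; then
    if [ -z "${ENCRYPTION_PASSWORD}" ]; then
      >&2 echo "ENCRYPTION_PASSWORD is set but empty"
      exit 3
    fi
    echo "Encrypting ${SRC_FILE}"
    # password is read from the environment, not argv; -pbkdf2 needs OpenSSL 1.1.1+ (check the apk package version)
    if ! openssl enc -aes-256-cbc -pbkdf2 -md sha256 -in "${SRC_FILE}" -out "${SRC_FILE}.enc" -pass env:ENCRYPTION_PASSWORD; then
      >&2 echo "Error encrypting ${SRC_FILE}"
      rm -f -- "${SRC_FILE}.enc"
      exit 3
    fi
    rm "${SRC_FILE}"
    SRC_FILE="${SRC_FILE}.enc"
    DEST_FILE="${DEST_FILE}.enc"
  fi
  # … unchanged: S3_ENDPOINT / AWS_ARGS handling …
```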
@@ -59,10 +59,24 @@ POSTGRES_HOST_OPTS="-h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER $POSTG
 
 echo "Creating dump of ${POSTGRES_DATABASE} database from ${POSTGRES_HOST}..."
 
-pg_dump $POSTGRES_HOST_OPTS $POSTGRES_DATABASE | gzip > dump.sql.gz
+SRC_FILE=dump.sql.gz
+DEST_FILE=${POSTGRES_DATABASE}_$(date +"%Y-%m-%dT%H:%M:%SZ").sql.gz
+
+pg_dump $POSTGRES_HOST_OPTS $POSTGRES_DATABASE | gzip > $SRC_FILE
+
+if [ "${ENCRYPTION_PASSWORD}" != "**None**" ]; then
+ echo "Encrypting ${SRC_FILE}"
+ openssl enc -aes-256-cbc -in $SRC_FILE -out ${SRC_FILE}.enc -k $ENCRYPTION_PASSWORD
+ if [ $? != 0 ]; then
+ >&2 echo "Error encrypting ${SRC_FILE}"
+ fi
+ rm $SRC_FILE
+ SRC_FILE="${SRC_FILE}.enc"
+ DEST_FILE="${DEST_FILE}.enc"
+fi
 
 echo "Uploading dump to $S3_BUCKET"
 
-cat dump.sql.gz | aws $AWS_ARGS s3 cp - s3://$S3_BUCKET/$S3_PREFIX/${POSTGRES_DATABASE}_$(date +"%Y-%m-%dT%H:%M:%SZ").sql.gz || exit 2
+cat $SRC_FILE | aws $AWS_ARGS s3 cp - s3://$S3_BUCKET/$S3_PREFIX/$DEST_FILE || exit 2
 
 echo "SQL backup uploaded successfully"
diff --git a/postgres-backup-s3/install.sh b/postgres-backup-s3/install.sh
index 16c7119..e4ca853 100644
--- a/postgres-backup-s3/install.sh
+++ b/postgres-backup-s3/install.sh
@@ -6,6 +6,9 @@ set -e
 
 apk update
 
+# install openssl
+apk add openssl
+
 # install pg_dump
 apk add postgresql
 
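Review bot: The rewritten upload line `cat $SRC_FILE | aws $AWS_ARGS s3 cp - s3://$S3_BUCKET/$S3_PREFIX/$DEST_FILE || exit 2` keeps the old stdin pipe although the source is now a named file, and `|| exit 2` only sees aws's status, so if `$SRC_FILE` is missing (for example after the non-fatal encryption failure a few lines above) `cat` fails, aws most likely uploads an empty object and the script still prints "SQL backup uploaded successfully". Passing the file directly, `aws $AWS_ARGS s3 cp "$SRC_FILE" "s3://$S3_BUCKET/$S3_PREFIX/$DEST_FILE" || exit 2`, turns a missing file into a hard error, lets the CLI know the object size up front, and quotes the two new variables. The encryption block is a verbatim copy of the one added to mysql-backup-s3/backup.sh in this commit, and the remarks made there (password on argv, non-fatal failure followed by `rm`, legacy key derivation, empty password passing the `**None**` check) apply here unchanged.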