PGP backup encryption

staser · staser · commit 96e1ab55a9cd · 2021-01-03T00:39:45.000+03:00
diff --git a/README.md b/README.md
@@ -10,8 +10,8 @@ Docker image to backup Postgres database to S3 using pg_dump and compress using
 - [x] Compression is done with pigz (parallel gzip)
 - [x] Creates bucket if it's not created
 - [x] Can be run in Kubernetes or Docker
-- [>] TODO: Add possibility to detect and backup all databases [planned]
-- [ ] TODO: OpenSSL encryption
+- [ ] TODO: Add possibility to detect and backup all databases [planned]
+- [x] PGP encryption
 - [ ] TODO: Add other compression methods
 - [ ] TODO: Add other dbs (e.g. postgres, mysql)
 
@@ -21,6 +21,8 @@ S3_BUCK=postgres1-backups
 S3_NAME=folder-name/backup-name-prefix
 S3_URI=https://s3-key:s3-secret@s3.host.tld
 PG_URI=postgres://mongo-host:5432/db-name
+GPG_KEYSERVER=keyserver.ubuntu.com # your hpks keyserver
+GPG_KEYID=<key_id> # recipient key, backup will be encrypted if added
 ```
 
 Or see `docker-compose.yml` file to run this container with Docker.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
     image: backuptools/postgres-backup-s3
     build: .
     environment:
-      - S3_BUCK=mongo1-backups
+      - S3_BUCK=postgres1-backups
       - S3_NAME=folder-name/backup-name-prefix
       - S3_URI=https://s3-key:s3-secret@s3.host.tld
       - PG_URI=postgres://pg-user:pg-password@postgres-host:5432/db-name
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -7,12 +7,30 @@ get_date () {
 }
 
 # Script
+: ${GPG_KEYSERVER:='keyserver.ubuntu.com'}
+: ${GPG_KEYID:=''}
+
+if [ -z "$GPG_KEYID" ]
+then
+    echo "$(get_date) !WARNING! It's strongly recommended to encrypt your backups."
+else
+    echo "$(get_date) Preparing keys: importing from keyserver"
+    gpg --keyserver ${GPG_KEYSERVER} --recv-keys ${GPG_KEYID}
+fi
+
 echo "$(get_date) Postgres backup started"
 
 export MC_HOST_backup=$S3_URI
 
 mc mb backup/${S3_BUCK} --insecure
 
-pg_dump $PG_URI | pigz -9 | mc pipe backup/${S3_BUCK}/${S3_NAME}-`date +%Y-%m-%d_%H-%M-%S`.pgdump --insecure
+if [ -z "$GPG_KEYID" ]
+then
+    pg_dump $PG_URI | pigz -9 | mc pipe backup/${S3_BUCK}/${S3_NAME}-`date +%Y-%m-%d_%H-%M-%S`.pgdump --insecure
+else
+    pg_dump $PG_URI | pigz -9 \
+     | gpg --encrypt -z 0 --recipient ${GPG_KEYID} --trust-model always \
+     | mc pipe backup/${S3_BUCK}/${S3_NAME}-`date +%Y-%m-%d_%H-%M-%S`.pgdump.pgp --insecure
+fi
 
 echo "$(get_date) Postgres backup completed successfully"
