AES encryption for dump files

Author: jan-di

CHANGELOG.md

@@ -6,8 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
-- Add options to change the internal network name/target alias
-- Add option to change gzip compression level. Default: 6
+- AES Encryption of dump files
+- Option to change gzip compression level. Default: 6
+- Options to change the internal network name/target alias
 
 ## [0.1.0] - 2021-09-04
 ### Added

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-alpine
+FROM python:3.9-alpine AS base
 
 LABEL org.opencontainers.image.ref.name="jan-di/database-backup"
 
@@ -8,15 +8,27 @@ RUN set -eux; \
  postgresql-client \
  tzdata
 
+FROM base AS python-deps
+
 RUN set -eux; \
+ apk --no-cache add \
+ # cryptography
+ gcc musl-dev python3-dev libffi-dev openssl-dev cargo \
+ ; \
  pip install pipenv
 
-WORKDIR /app
-
 COPY Pipfile .
 COPY Pipfile.lock .
+ENV PIPENV_VENV_IN_PROJECT=1
 RUN set -eux; \
- pipenv install --system
+ pipenv install --deploy
+
+FROM base
+
+COPY --from=python-deps /.venv /.venv
+ENV PATH="/.venv/bin:$PATH"
+
+WORKDIR /app
 
 RUN set -eux; \
  mkdir -p /dump

Pipfile

@@ -7,6 +7,7 @@ name = "pypi"
 docker = "*"
 humanize = "*"
 requests = "*"
+pyaescrypt = "*"
 
 [dev-packages]
 

Pipfile.lock

@@ -43,6 +43,8 @@ Name | Default | Description
 `port` | `auto` | Port (inside container). Possible values: `auto` or a valid port number. Auto gets the default port corresponding to the type.
 `compress` | `false` | Compress SQL Dump with gzip
 `compression_level` | `6` | Gzip compression level (1-9)
+`encrypt` | `false` | Encrypt SQL Dump with AES
+`encryption_key` | (none) | Key/Passphrase used to encrypt
 
 ## Example
 

README.md

@@ -5,6 +5,7 @@
 import time
 import sys
 
+import pyAesCrypt
 import humanize
 
 from src.database import Database, DatabaseType
@@ -47,6 +48,8 @@
 
  for i, container in enumerate(containers):
  database = Database(container, global_labels)
+ dump_file = f"/dump/{container.name}.sql"
+ failed = False
 
  logging.info(
  "[{}/{}] Processing container {} {} ({})".format(
@@ -58,25 +61,22 @@
  )
  )
 
+ if database.type == DatabaseType.unknown:
+ logging.error(
+ "FAILED: Cannot read database type. Please specify via label."
+ )
+ failed = True
+
  logging.debug(
  "Login {}@host:{} using Password: {}".format(
  database.username,
  database.port,
  "YES" if len(database.password) > 0 else "NO",
  )
  )
- if database.compress:
- logging.debug("Compressing backup")
-
- if database.type == DatabaseType.unknown:
- logging.error(
- "FAILED: Cannot read database type. Please specify via label."
- )
 
+ # Create dump
  network.connect(container, aliases=[config.docker_target_name])
- dumpFile = f"/dump/{container.name}.sql"
- error_code = 0
- error_text = ""
 
  try:
  env = os.environ.copy()
@@ -95,7 +95,7 @@
  f" --ignore-database=mysql"
  f" --ignore-database=information_schema"
  f" --ignore-database=performance_schema"
- f" > {dumpFile}"
+ f" > {dump_file}"
  ),
  shell=True,
  text=True,
@@ -109,53 +109,92 @@
  f"pg_dumpall"
  f" --host={config.docker_target_name}"
  f" --username={database.username}"
- f" > {dumpFile}"
+ f" > {dump_file}"
  ),
  shell=True,
  text=True,
  capture_output=True,
  env=env,
  ).check_returncode()
  except subprocess.CalledProcessError as e:
- error_code = e.returncode
  error_text = f"\n{e.stderr.strip()}".replace("\n", "\n> ").strip()
+ logging.error(
+ f"FAILED. Error while crating dump. Return Code: {e.returncode}; Error Output:"
+ )
+ logging.error(f"{error_text}")
+ failed = True
+
+ if not failed and not os.path.exists(dump_file):
+ logging.error(
+ f"FAILED: Dump cannot be created due to an unknown error!"
+ )
+ failed = True
 
  network.disconnect(container)
 
- if error_code > 0:
- logging.error(f"FAILED. Return Code: {error_code}; Error Output:")
- logging.error(f"{error_text}")
- elif os.path.exists(dumpFile):
- dump_size = os.path.getsize(dumpFile)
+ dump_size = os.path.getsize(dump_file)
+
+ # Compress pump
+ if not failed and database.compress and dump_size > 0:
+ logging.debug(f"Compressing dump (level: {database.compression_level})")
+ compressed_dump_file = f"{dump_file}.gz"
+
+ try:
+ if os.path.exists(compressed_dump_file):
+ os.remove(compressed_dump_file)
 
- # Compress pump
- if database.compress and dump_size > 0:
- if os.path.exists(dumpFile + ".gz"):
- os.remove(dumpFile + ".gz")
  subprocess.check_output(
- f'gzip -{database.compression_level} "{dumpFile}"', shell=True
+ f'gzip -{database.compression_level} "{dump_file}"', shell=True
+ )
+ except Exception as e:
+ logging.error(f"FAILED: Error while compressing: {e}")
+ failed = True
+
+ processed_dump_size = os.path.getsize(compressed_dump_file)
+ dump_file = compressed_dump_file
+ else:
+ database.compress = False
+
+ # Encrypt dump
+ if not failed and database.encrypt and dump_size > 0:
+ logging.debug(f"Encrypting dump")
+ encrypted_dump_file = f"{dump_file}.aes"
+
+ try:
+ if os.path.exists(encrypted_dump_file):
+ os.remove(encrypted_dump_file)
+
+ pyAesCrypt.encryptFile(
+ dump_file, encrypted_dump_file, database.encryption_key
  )
- dumpFile = dumpFile + ".gz"
- compressed_size = os.path.getsize(dumpFile)
- else:
- database.compress = False
+ os.remove(dump_file)
+ except Exception as e:
+ logging.error(f"FAILED: Error while encrypting: {e}")
+ failed = True
+
+ processed_dump_size = os.path.getsize(encrypted_dump_file)
+ dump_file = encrypted_dump_file
 
+ else:
+ database.encrypt = False
+
+ if not failed:
  # Change Owner of dump
  os.chown(
- dumpFile, config.dump_uid, config.dump_gid
+ dump_file, config.dump_uid, config.dump_gid
  ) # pylint: disable=maybe-no-member
 
  successful_count += 1
  logging.info(
  "SUCCESS. Size: {}{}".format(
  humanize.naturalsize(dump_size),
- " (" + humanize.naturalsize(compressed_size) + " compressed)"
- if database.compress
+ " ("
+ + humanize.naturalsize(processed_dump_size)
+ + " compressed/encrypted)"
+ if database.compress or database.encrypt
  else "",
  )
  )
- else:
- logging.error("Dump file not found!")
 
  network.disconnect(own_container.id)
  network.remove()

main.py

@@ -56,8 +56,10 @@ def _load_labels(self, values):
  if "port" in values: self.port = values["port"]
  if "username" in values: self.username = values["username"]
  if "password" in values: self.password = values["password"]
- if "compress" in values: self.compress = values["compress"]
+ if "compress" in values: self.compress = distutils.util.strtobool(values["compress"])
  if "compression_level" in values: self.compression_level = values["compression_level"]
+ if "encrypt" in values: self.encrypt = distutils.util.strtobool(values["encrypt"])
+ if "encryption_key" in values: self.encryption_key = values["encryption_key"]
 
  def _get_labels_from_container(self, container):
  labels = {}
@@ -92,5 +94,4 @@ def _resolve_labels(self, container):
  self.port = defaults.get("port")
  else:
  self.port = int(self.port)
- 
- self.compress = distutils.util.strtobool(self.compress)
+

src/database.py

@@ -21,7 +21,9 @@
  "type": "auto",
  "port": "auto",
  "compress": "false",
- "compression_level": 6
+ "compression_level": 6,
+ "encrypt": "true",
+ "encryption_key": None
 }
 
 class Config: