Feature: PGP Asymmetric Encryption (#456)

* feat: asym encryption * tests * docs * refactor * logs & errs * comment * Update docs/reference/index.md use correct env var in example Co-authored-by: Frederik Ring <frederik.ring@gmail.com> * Update cmd/backup/encrypt_archive.go use errwarp for initial error msg Co-authored-by: Frederik Ring <frederik.ring@gmail.com> * rm orphaned code in encryption functions * inline readArmoredKeys * naming -GPG_PUBLIC_KEYS- to GPG_PUBLIC_KEY_RING * add eror handling for closing func * use dynamically generated keys for testing * rm explicit gpg-agent start * rm unnecessary private_key export * pass PASSPHRASE correctly to the decryption command * capture defer errors * log & err msg --------- Co-authored-by: Frederik Ring <frederik.ring@gmail.com>
2026-04-19 07:22:39 +02:00 · 2024-08-11 10:11:23 +02:00
parent f97ce11734
commit 8a64da4b0b
8 changed files with 191 additions and 15 deletions
--- a/test/Dockerfile
+++ b/test/Dockerfile
@@ -4,6 +4,7 @@ RUN apk add \
  coreutils \
  curl \
  gpg \
+  gpg-agent \
  jq \
  moreutils \
  tar \
--- a/test/gpg-asym/docker-compose.yml
+++ b/test/gpg-asym/docker-compose.yml
@@ -0,0 +1,25 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      GPG_PUBLIC_KEY_RING_FILE: /keys/public_key.asc
+    volumes:
+      - ${KEY_DIR:-.}/public_key.asc:/keys/public_key.asc
+      - ${LOCAL_DIR:-./local}:/archive
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:
--- a/test/gpg-asym/run.sh
+++ b/test/gpg-asym/run.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+export KEY_DIR=$(mktemp -d)
+
+export PASSPHRASE="test"
+
+gpg --batch --gen-key <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: offen
+Name-Email: docker-volume-backup@local
+Expire-Date: 0
+Passphrase: $PASSPHRASE
+%commit
+EOF
+
+gpg --export --armor --batch --yes --pinentry-mode loopback --passphrase $PASSPHRASE --output $KEY_DIR/public_key.asc
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose exec backup backup
+
+expect_running_containers "2"
+
+TMP_DIR=$(mktemp -d)
+
+gpg -d --pinentry-mode loopback --yes --passphrase $PASSPHRASE "$LOCAL_DIR/test.tar.gz.gpg" > "$LOCAL_DIR/decrypted.tar.gz"
+
+tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C $TMP_DIR
+
+if [ ! -f $TMP_DIR/backup/app_data/offen.db ]; then
+  fail "Could not find expected file in untared archive."
+fi
+rm "$LOCAL_DIR/decrypted.tar.gz"
+
+pass "Found relevant files in decrypted and untared local backup."
+
+if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.gpg" ]; then
+  fail "Could not find local symlink to latest encrypted backup."
+fi