Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Allow for an asymmetric public key encryption #81

Merged
merged 5 commits into from
Mar 28, 2024
Merged

✨ Allow for an asymmetric public key encryption #81

merged 5 commits into from
Mar 28, 2024

Conversation

mykolasolodukha
Copy link
Contributor

@mykolasolodukha mykolasolodukha commented Mar 22, 2024
edited
Loading

What?

  • Allow using ENCRYPT_WITH_PUBLIC_KEY_ID env parameter to encrypt the backups with the User's GPG public key.
  • Update documentation accordingly.
  • [Extra] Allow using the S3-server default storage class (4b45089).
  • Fix the shfmt formatting.

Why?

  • By using asymmetric encryption, the data protection would still be insured even when a bad actor gains read access to the s3backup service configs and the access to the S3 storage. When the said actor gains write access, it's still a game over for whoever's trying to protect that data.

How to test?

  • It's backward-compatible, so everything that works now should also work in this version.
    1. Generate a new PGP key if you don't have one (instructions).
    2. Get your key ID (don't worry, it's public information). 
      gpg --list-secret-keys --keyid-format long
# [keyboxd]
# ---------
# sec   ed25519/7929C6D3BB256BCC 2024-03-22 [SC]
#       5815326E1FAB78E966837F287929C6D3BB256BCC  <-- THIS IS YOUR KEY ID
# uid                 [ultimate] Test Dokku Backup (one-time-key) <s3_backup_test@dokku.com>
# ssb   cv25519/4A947B3B74A421B7 2024-03-22 [E]

# export MY_PUBLIC_KEY_ID='5815326E1FAB78E966837F287929C6D3BB256BCC'
    3. Upload your keys to a keyserver: 
      gpg --send-keys --keyserver keyserver.ubuntu.com $MY_PUBLIC_KEY_ID
    4. (assuming you have the environment variables loaded to your shell) Run: 
      docker run -it \
    -e AWS_ACCESS_KEY_ID=ID \
    -e AWS_SECRET_ACCESS_KEY=KEY \
    -e BUCKET_NAME=backups \
    -e BACKUP_NAME=backup \
    -e ENCRYPT_WITH_PUBLIC_KEY_ID=$MY_PUBLIC_KEY_ID \
    -v /path/to/backup:/backup dokku/s3backup

Anything else?

  • Practise shows that Ubuntu's keyserver is sometimes buggy when it comes to uploading your public keys. So it might take some time (or you might use any other keyserver by passing the -e KEYSERVER=$YOUR_KEYSERVER to the docker run command.

@josegonzalez
Copy link
Member

Mind resolving the shfmt issues?

@mykolasolodukha mykolasolodukha force-pushed the feature/use-gpg-public-key-encryption branch from 4b45089 to c8dacd9 Compare March 24, 2024 18:17
@mykolasolodukha
✨ Allow for an asymmetric public key encryption
af3e176
@mykolasolodukha
🩹 Allow to avoid passing --storage-class
b57dc39 
So that the default one will be used. Important for GCP Storage buckets that have different STORAGE_CLASS IDs, hence incompatible with `aws-cli`.
@mykolasolodukha
🚨 Make sure shfmt lint passes
6ea7ec6
@mykolasolodukha mykolasolodukha force-pushed the feature/use-gpg-public-key-encryption branch from c8dacd9 to 6ea7ec6 Compare March 24, 2024 18:17
@mykolasolodukha
Copy link
Contributor Author

@josegonzalez feel free to push directly into the branch👌

It might take me a while to figure out what's wrong with the shfmt lint, so might be faster if you do it😅

@mykolasolodukha
Copy link
Contributor Author

@josegonzalez I think I've got this.

@mykolasolodukha
Copy link
Contributor Author

@josegonzalez any chance we can merge this?

@josegonzalez josegonzalez merged commit 3e2e2fa into dokku:master Mar 28, 2024
8 checks passed
@josegonzalez
Copy link
Member

This was merged and released.

mykolasolodukha added a commit to mykolasolodukha/dokku-postgres that referenced this pull request Apr 28, 2024
@mykolasolodukha
✨ Implement GPG Public Key encryption support
3d099fc 
First introduced in dokku/docker-s3backup#81.
@mykolasolodukha mykolasolodukha mentioned this pull request Apr 28, 2024
Merged
2 tasks
mykolasolodukha added a commit to mykolasolodukha/dokku-postgres that referenced this pull request Apr 28, 2024
@mykolasolodukha
✨ Implement GPG Public Key encryption support
50a7923 
First introduced in dokku/docker-s3backup#81.
mykolasolodukha added a commit to mykolasolodukha/dokku-postgres that referenced this pull request Jun 9, 2024
@mykolasolodukha
✨ Implement GPG Public Key encryption support
eb7a13b 
First introduced in dokku/docker-s3backup#81.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mykolasolodukha @josegonzalez