feat: stronger database encryption

.github/workflows/build.yml

@@ -6,9 +6,7 @@ jobs:
   sh-checker:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v2
-      - name: Run sh-checker
-        uses: luizm/action-sh-checker@master
+      - uses: actions/checkout@v2
+      - uses: luizm/action-sh-checker@master
         env:
           SHFMT_OPTS: -i 4 -d

.gitignore

@@ -1 +1,3 @@
 .DS_Store
+*.gz
+*.sql

CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## v1.0.0 (2023-08-25)
+
+- Now uses `-md sha512 -pbkdf2` flags for openssl commands when encrypting and decrypting databases to fix deprecation warning
+  - **NOTE:** Exported databases prior to v1.0.0 will not be able to be decrypted with this version due to the new flags, if older/newer database files need (d)encypring, you may need to change versions of this tool to match the one the original file was generated with
+- Passes the `-c` command to gzip to supress the `unknown compression format` error
+
 ## v0.10.0 (2023-01-12)
 
 - Consolidates `SRVINFRA_WEBSITES_DIR` and `SRVINFRA_SERVICES_DIR` into `SRVINFRA_SERVICES_DIR`

README.md

@@ -45,6 +45,7 @@ srvinfra deploy justintime50/server-infra/plex
 srvinfra deploy_all
 
 # Decrypt a compressed SQL backup file
+# The BACKUP_SECRET is assumed to be the same as the database ROOT_PASSWORD
 srvinfra decrypt_database_backup PATH_TO_SQL_FILE BACKUP_SECRET
 
 # Export a SQL database from a Docker container
@@ -63,7 +64,7 @@ srvinfra import_database DATABASE_CONTAINER_NAME ROOT_PASSWORD DATABASE_NAME PAT
 
 # Import an encrypted & compressed SQL database to a Docker container (command combines `decrypt_database_backup` and `import_database` commands)
 # Note: May need to quote `ROOT_PASSWORD`
-# ROOT_PASSWORD is assumed to be the same as the database secret used to encrypt it
+# ROOT_PASSWORD is assumed to be the same as the database root password
 srvinfra import_encrypted_database DATABASE_CONTAINER_NAME ROOT_PASSWORD DATABASE_NAME PATH_TO_SQL_FILE
 
 # Get the status of a Docker container by name

src/srvinfra.sh

@@ -11,49 +11,46 @@ decrypt_database_backup() {
     local output_sql_name
     output_sql_name="$(echo "$1" | cut -d. -f1)"
 
-    openssl enc -aes-256-cbc -d -in "$1" -k "$2" | gzip -d >"$output_sql_name".sql
+    openssl enc -aes-256-cbc -md sha512 -pbkdf2 -d -in "$1" -k "$2" | gzip -c -d >"$output_sql_name".sql
 }
 
 export_database() {
     # Parameters
-    # 1. container name
+    # 1. database container name
     # 2. root password
     # 3. database name
     # 4. (optional) output sql file path
     local sql_filename
     sql_filename=${4:-"database.sql"}
 
-    # TODO: Don't send password on the CLI
     docker exec -i "$1" mysqldump -uroot -p"$2" "$3" >"$sql_filename"
 }
 
 export_database_secure() {
     # Parameters
-    # 1. container name
+    # 1. database container name
     # 2. root password
     # 3. database name
     # 4. (optional) output sql file path
     local sql_filename
     sql_filename=${4:-"database.enc.gz"}
 
-    # TODO: Don't send password on the CLI
-    docker exec -i "$1" mysqldump -uroot -p"$2" "$3" | gzip | openssl enc -aes-256-cbc -k "$2" >"$sql_filename"
+    docker exec -i "$1" mysqldump -uroot -p"$2" "$3" | gzip -c | openssl enc -aes-256-cbc -md sha512 -pbkdf2 -k "$2" >"$sql_filename"
 }
 
 import_database() {
     # Parameters
-    # 1. container name
+    # 1. database container name
     # 2. root password
     # 3. database name
     # 4. sql file path
 
-    # TODO: Don't send password on the CLI
     docker exec -i "$1" mysql -uroot -p"$2" "$3" <"$4"
 }
 
 import_encrypted_database() {
     # Parameters
-    # 1. container name
+    # 1. database container name
     # 2. root password (assumed to be the same as the encrypted database secret)
     # 3. database name
     # 4. sql file path