diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d5fddb4..dd6d780 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,9 +6,7 @@ jobs:
 sh-checker:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout Repository
- uses: actions/checkout@v2
- - name: Run sh-checker
- uses: luizm/action-sh-checker@master
+ - uses: actions/checkout@v2
+ - uses: luizm/action-sh-checker@master
 env:
 SHFMT_OPTS: -i 4 -d
diff --git a/.gitignore b/.gitignore
index e43b0f9..89feb18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 .DS_Store
+*.gz
+*.sql
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47a209b..095f848 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # CHANGELOG
+## v1.0.0 (2023-08-25)
+
+- Now uses `-md sha512 -pbkdf2` flags for openssl commands when encrypting and decrypting databases to fix deprecation warning
+ - **NOTE:** Exported databases prior to v1.0.0 will not be able to be decrypted with this version due to the new flags, if older/newer database files need (d)encypring, you may need to change versions of this tool to match the one the original file was generated with
+- Passes the `-c` command to gzip to supress the `unknown compression format` error
+
 ## v0.10.0 (2023-01-12)
 - Consolidates `SRVINFRA_WEBSITES_DIR` and `SRVINFRA_SERVICES_DIR` into `SRVINFRA_SERVICES_DIR`
diff --git a/README.md b/README.md
index c114df9..d9fcacb 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ srvinfra deploy justintime50/server-infra/plex
 srvinfra deploy_all
 # Decrypt a compressed SQL backup file
+# The BACKUP_SECRET is assumed to be the same as the database ROOT_PASSWORD
 srvinfra decrypt_database_backup PATH_TO_SQL_FILE BACKUP_SECRET
 # Export a SQL database from a Docker container
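Review bot: Both `uses:` lines on the new side of the `.github/workflows/build.yml` hunk still resolve through mutable refs: `luizm/action-sh-checker@master` follows a branch and `actions/checkout@v2` a movable tag, so the code this job executes can change without any commit in this repository. Since the two lines are being rewritten anyway, pin each action to a full commit SHA and keep the human-readable version as a trailing comment, e.g. `- uses: luizm/action-sh-checker@<full-commit-sha> # <release-tag>` (placeholders, to be filled from the action's release page). The `steps:` list may continue outside the hunk.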
@@ -63,7 +64,7 @@ srvinfra import_database DATABASE_CONTAINER_NAME ROOT_PASSWORD DATABASE_NAME PAT
 # Import an encrypted & compressed SQL database to a Docker container (command combines `decrypt_database_backup` and `import_database` commands)
 # Note: May need to quote `ROOT_PASSWORD`
-# ROOT_PASSWORD is assumed to be the same as the database secret used to encrypt it
+# ROOT_PASSWORD is assumed to be the same as the database root password
 srvinfra import_encrypted_database DATABASE_CONTAINER_NAME ROOT_PASSWORD DATABASE_NAME PATH_TO_SQL_FILE
 # Get the status of a Docker container by name
diff --git a/src/srvinfra.sh b/src/srvinfra.sh
index 201c80f..ec08cd0 100755
--- a/src/srvinfra.sh
+++ b/src/srvinfra.sh
@@ -11,49 +11,46 @@ decrypt_database_backup() {
 local output_sql_name
 output_sql_name="$(echo "$1" | cut -d. -f1)"
- openssl enc -aes-256-cbc -d -in "$1" -k "$2" | gzip -d >"$output_sql_name".sql
+ openssl enc -aes-256-cbc -md sha512 -pbkdf2 -d -in "$1" -k "$2" | gzip -c -d >"$output_sql_name".sql
 }
 export_database() {
 # Parameters
- # 1. container name
+ # 1. database container name
 # 2. root password
 # 3. database name
 # 4. (optional) output sql file path
 local sql_filename
 sql_filename=${4:-"database.sql"}
- # TODO: Don't send password on the CLI
 docker exec -i "$1" mysqldump -uroot -p"$2" "$3" >"$sql_filename"
 }
 export_database_secure() {
 # Parameters
- # 1. container name
+ # 1. database container name
 # 2. root password
 # 3. database name
 # 4. (optional) output sql file path
 local sql_filename
 sql_filename=${4:-"database.enc.gz"}
- # TODO: Don't send password on the CLI
- docker exec -i "$1" mysqldump -uroot -p"$2" "$3" | gzip | openssl enc -aes-256-cbc -k "$2" >"$sql_filename"
+ docker exec -i "$1" mysqldump -uroot -p"$2" "$3" | gzip -c | openssl enc -aes-256-cbc -md sha512 -pbkdf2 -k "$2" >"$sql_filename"
 }
 import_database() {
 # Parameters
- # 1. container name
+ # 1. database container name
 # 2. root password
 # 3. database name
 # 4. sql file path
- # TODO: Don't send password on the CLI
 docker exec -i "$1" mysql -uroot -p"$2" "$3" <"$4"
 }
 import_encrypted_database() {
 # Parameters
- # 1. container name
+ # 1. database container name
 # 2. root password (assumed to be the same as the encrypted database secret)
 # 3. database name
 # 4. sql file path
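Review bot: The three `# TODO: Don't send password on the CLI` reminders are deleted, but the condition they describe is unchanged: `-p"$2"` on the `mysqldump`/`mysql` lines and `-k "$2"` on both `openssl enc` lines still place the secret in argv, where it is readable from the process list while the command runs. Either keep the TODOs or close them, e.g. `MYSQL_PWD="$2" docker exec -i -e MYSQL_PWD "$1" mysqldump -uroot "$3"` and `BACKUP_SECRET="$2" openssl enc -aes-256-cbc -md sha512 -pbkdf2 -pass env:BACKUP_SECRET` (the variable name is a constructed example, set for that one process only). Because this release already breaks compatibility with older backups, it is also the point at which to fix an explicit `-iter` count on the encrypt and decrypt sides instead of relying on the OpenSSL default. `decrypt_database_backup` starts above the hunk and `import_encrypted_database` continues below it.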