GH-160: Encrypt database archive

acteng · Oct 4, 2024 · 27a4c11 · 27a4c11
1 parent 303e4d8
commit 27a4c11
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/cold-backup.sh b/cold-backup.sh
@@ -73,6 +73,12 @@ docker run --rm \
 
 gzip ${ARCHIVE}
 
+# Encrypt archive
+
+bw get password "Schemes Database Backup Passphrase" \
+	| gpg --batch --symmetric --passphrase-fd 0 ${ARCHIVE}.gz \
+		&& rm ${ARCHIVE}.gz
+
 # Stop Cloud SQL Auth proxy
 
 docker stop cloud-sql-proxy

diff --git a/docs/database.md b/docs/database.md
@@ -24,16 +24,38 @@
 
 To download the latest database backup for storing offline:
 
-```bash
-./cold-backup.sh $ENVIRONMENT
-```
+1. Unlock your Bitwarden vault for the encryption passphrase:
 
-This will create a compressed PostgreSQL custom-format archive `schemes-$ENVIRONMENT.dump.gz`.
+   ```bash
+   bw unlock
+   ```
+
+1. Download the backup:
+
+   ```bash
+   ./cold-backup.sh $ENVIRONMENT
+   ```
+
+This will create an encrypted compressed PostgreSQL custom-format archive `schemes-$ENVIRONMENT.dump.gz.gpg`.
 
 ## Restoring a cold backup
 
 To restore a backup to a local or proxied database:
 
+1. Unlock your Bitwarden vault for the encryption passphrase:
+
+   ```bash
+   bw unlock
+   ```
+
+1. Decrypt the archive:
+
+   ```bash
+   bw get password "Schemes Database Backup Passphrase" \
+       | gpg --batch --decrypt --passphrase-fd 0 --output schemes-$ENVIRONMENT.dump.gz schemes-$ENVIRONMENT.dump.gz.gpg \
+           && rm schemes-$ENVIRONMENT.dump.gz.gpg
+   ```
+
 1. Uncompress the archive:
 
    ```bash