Merge pull request #429 from databacker/encrypt-option

add support to encrypt output files

Author: deitch

cmd/dump.go

@@ -2,7 +2,9 @@ package cmd
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/google/uuid"
@@ -13,6 +15,7 @@ import (
 	"github.com/databacker/api/go/api"
 	"github.com/databacker/mysql-backup/pkg/compression"
 	"github.com/databacker/mysql-backup/pkg/core"
+	"github.com/databacker/mysql-backup/pkg/encrypt"
 	"github.com/databacker/mysql-backup/pkg/storage"
 	"github.com/databacker/mysql-backup/pkg/util"
 )
@@ -132,6 +135,66 @@ func dumpCmd(passedExecs execs, cmdConfig *cmdConfiguration) (*cobra.Command, er
 				}
 			}
 
+			// encryption algorithm: check config, then CLI/env var overrides
+			var (
+				encryptionAlgo string
+				encryptionKey  []byte
+				encryptor      encrypt.Encryptor
+			)
+			if cmdConfig.configuration != nil && dumpConfig != nil && dumpConfig.Encryption != nil {
+				if dumpConfig.Encryption.Algorithm == nil {
+					return fmt.Errorf("encryption algorithm must be set in config file")
+				}
+				encryptionAlgo = string(*dumpConfig.Encryption.Algorithm)
+				switch {
+				case dumpConfig.Encryption.Key != nil && *dumpConfig.Encryption.Key != "" && dumpConfig.Encryption.KeyPath != nil && *dumpConfig.Encryption.KeyPath != "":
+					return fmt.Errorf("encryption key and path cannot both be set in config file")
+				case dumpConfig.Encryption.Key != nil && *dumpConfig.Encryption.Key == "" && dumpConfig.Encryption.KeyPath != nil && *dumpConfig.Encryption.KeyPath == "":
+					return fmt.Errorf("must set at least one of encryption key or path in config file")
+				case dumpConfig.Encryption.Key != nil && *dumpConfig.Encryption.Key != "":
+					encryptionKey, err = base64.StdEncoding.DecodeString(*dumpConfig.Encryption.Key)
+					if err != nil {
+						return fmt.Errorf("error decoding encryption key from config file: %v", err)
+					}
+				case dumpConfig.Encryption.KeyPath != nil && *dumpConfig.Encryption.KeyPath != "":
+					key, err := os.ReadFile(*dumpConfig.Encryption.KeyPath)
+					if err != nil {
+						return fmt.Errorf("error reading encryption key from path: %v", err)
+					}
+					encryptionKey = key
+				}
+			}
+			encryptionVar := v.GetString("encryption")
+			if encryptionVar != "" {
+				encryptionAlgo = encryptionVar
+			}
+			if encryptionAlgo != "" {
+				keyContent := v.GetString("encryption-key")
+				keyPath := v.GetString("encryption-key-path")
+				switch {
+				case keyContent != "" && keyPath != "":
+					return fmt.Errorf("encryption key and path cannot both be set in CLI")
+				case keyContent == "" && keyPath == "":
+					return fmt.Errorf("must set at least one of encryption key or path in CLI")
+				case keyContent != "":
+					encryptionKey, err = base64.StdEncoding.DecodeString(keyContent)
+					if err != nil {
+						return fmt.Errorf("error decoding encryption key from CLI flag: %v", err)
+					}
+				case keyPath != "":
+					key, err := os.ReadFile(keyPath)
+					if err != nil {
+						return fmt.Errorf("error reading encryption key from path: %v", err)
+					}
+					encryptionKey = key
+				}
+
+				encryptor, err = encrypt.GetEncryptor(encryptionAlgo, encryptionKey)
+				if err != nil {
+					return fmt.Errorf("failure to get encryptor '%s': %v", encryptionAlgo, err)
+				}
+			}
+
 			// retention, if enabled
 			retention := v.GetString("retention")
 			if retention == "" && cmdConfig.configuration != nil && cmdConfig.configuration.Prune != nil && cmdConfig.configuration.Prune.Retention != nil {
@@ -173,6 +236,7 @@ func dumpCmd(passedExecs execs, cmdConfig *cmdConfiguration) (*cobra.Command, er
 					DBNames:             include,
 					DBConn:              cmdConfig.dbconn,
 					Compressor:          compressor,
+					Encryptor:           encryptor,
 					Exclude:             exclude,
 					PreBackupScripts:    preBackupScripts,
 					PostBackupScripts:   postBackupScripts,
@@ -262,6 +326,10 @@ S3: If it is a URL of the format s3://bucketname/path then it will connect via S
 	// retention
 	flags.String("retention", "", "Retention period for backups. Optional. If not specified, no pruning will be done. Can be number of backups or time-based. For time-based, the format is: 1d, 1w, 1m, 1y for days, weeks, months, years, respectively. For number-based, the format is: 1c, 2c, 3c, etc. for the count of backups to keep.")
 
+	// encryption options
+	flags.String("encryption", "", fmt.Sprintf("Encryption algorithm to use, none if blank. Supported are: %s. Format must match the specific algorithm.", strings.Join(encrypt.All, ", ")))
+	flags.String("encryption-key", "", "Encryption key to use, base64-encoded. Useful for debugging, not recommended for production. If encryption is enabled, and both are provided or neither is provided, returns an error.")
+	flags.String("encryption-key-path", "", "Path to encryption key file. If encryption is enabled, and both are provided or neither is provided, returns an error.")
 	return cmd, nil
 }
 

go.mod

@@ -31,7 +31,7 @@ require (
 )
 
 require (
-	github.com/databacker/api/go/api v0.0.0-20241202154620-01b0380f21cb
+	github.com/databacker/api/go/api v0.0.0-20250418100420-12e1adda1303
 	github.com/google/go-cmp v0.6.0
 	go.opentelemetry.io/otel v1.31.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
@@ -41,10 +41,13 @@ require (
 )
 
 require (
+	filippo.io/age v1.2.1 // indirect
+	github.com/InfiniteLoopSpace/go_S-MIME v0.0.0-20181221134359-3f58f9a4b2b6 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/github/smimesign v0.2.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -107,11 +110,11 @@ require (
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	golang.org/x/crypto v0.36.0
+	golang.org/x/crypto v0.37.0
 	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 	gopkg.in/ini.v1 v1.51.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools/v3 v3.4.0 // indirect

go.sum

@@ -1,9 +1,13 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/InfiniteLoopSpace/go_S-MIME v0.0.0-20181221134359-3f58f9a4b2b6 h1:TkEaE2dfSBN9onWsQ1pC9EVMmVDJqkYWNUwS6+EYxlM=
+github.com/InfiniteLoopSpace/go_S-MIME v0.0.0-20181221134359-3f58f9a4b2b6/go.mod h1:yhh4MGRGdTpTET5RhSJx4XNCEkJljP3k8MxTTB3joQA=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.11.7 h1:vl/nj3Bar/CvJSYo7gIQPyRWc9f3c6IeSNavBTSZNZQ=
@@ -56,6 +60,7 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261/go.mod h1:GJKEexRPVJrBSOjoqN5VNOIKJ5Q3RViH6eu3puDRwx4=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudsoda/go-smb2 v0.0.0-20231106205947-b0758ecc4c67 h1:KzZU0EMkUm4vX/jPp5d/VttocDpocL/8QP0zyiI9Xiw=
@@ -72,6 +77,10 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/databacker/api/go/api v0.0.0-20241202154620-01b0380f21cb h1:9PthuA+o1wBZuTkNc2LLXQfI5+Myy+ok8nD3bQzd7DA=
 github.com/databacker/api/go/api v0.0.0-20241202154620-01b0380f21cb/go.mod h1:bQhbl71Lk1ATni0H+u249hjoQ8ShAdVNcNjnw6z+SbE=
+github.com/databacker/api/go/api v0.0.0-20250418091750-e67e3226ca5f h1:vuPsDEgli1S6khpEwY721epJnZiFtPSPHuxyMz9SJUY=
+github.com/databacker/api/go/api v0.0.0-20250418091750-e67e3226ca5f/go.mod h1:bQhbl71Lk1ATni0H+u249hjoQ8ShAdVNcNjnw6z+SbE=
+github.com/databacker/api/go/api v0.0.0-20250418100420-12e1adda1303 h1:TVLyJzdvDvWIEs1/v6G0rQPpZeUsArQ7skzicjfCV8I=
+github.com/databacker/api/go/api v0.0.0-20250418100420-12e1adda1303/go.mod h1:bQhbl71Lk1ATni0H+u249hjoQ8ShAdVNcNjnw6z+SbE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -96,6 +105,8 @@ github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbS
 github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
 github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/github/smimesign v0.2.0 h1:Hho4YcX5N1I9XNqhq0fNx0Sts8MhLonHd+HRXVGNjvk=
+github.com/github/smimesign v0.2.0/go.mod h1:iZiiwNT4HbtGRVqCQu7uJPEZCuEE5sfSSttcnePkDl4=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -198,10 +209,12 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -293,11 +306,14 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -350,6 +366,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -363,6 +381,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -381,6 +401,7 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/config/process.go

@@ -181,9 +181,9 @@ func decryptConfig(spec api.EncryptedSpec, credentials []string) (api.Config, er
 	hkdfReader := hkdf.New(sha256.New, sharedSecret[:], nil, []byte(api.SymmetricKey))
 	var symmetricKeySize int
 	switch *spec.Algorithm {
-	case api.AesGcm256:
+	case api.EncryptedSpecAlgorithmAes256Gcm:
 		symmetricKeySize = 32
-	case api.Chacha20Poly1305:
+	case api.EncryptedSpecAlgorithmChacha20Poly1305:
 		symmetricKeySize = 32
 	default:
 		return plainConfig, fmt.Errorf("unsupported algorithm: %s", *spec.Algorithm)
@@ -202,7 +202,7 @@ func decryptConfig(spec api.EncryptedSpec, credentials []string) (api.Config, er
 		return plainConfig, fmt.Errorf("failed to decode encrypted data: %w", err)
 	}
 	switch *spec.Algorithm {
-	case api.AesGcm256:
+	case api.EncryptedSpecAlgorithmAes256Gcm:
 		// Decrypt with AES-GCM
 		block, err := aes.NewCipher(symmetricKey)
 		if err != nil {
@@ -212,7 +212,7 @@ func decryptConfig(spec api.EncryptedSpec, credentials []string) (api.Config, er
 		if err != nil {
 			return plainConfig, fmt.Errorf("failed to initialize AES-GCM: %w", err)
 		}
-	case api.Chacha20Poly1305:
+	case api.EncryptedSpecAlgorithmChacha20Poly1305:
 		// Decrypt with ChaCha20Poly1305
 		aead, err = chacha20poly1305.New(symmetricKey)
 		if err != nil {

pkg/config/process_test.go

@@ -169,7 +169,7 @@ func TestDecryptConfig(t *testing.T) {
 	// Embed the nonce in the ciphertext
 	fullCiphertext := append(nonce, ciphertext...)
 
-	algo := api.AesGcm256
+	algo := api.EncryptedSpecAlgorithmAes256Gcm
 	data := base64.StdEncoding.EncodeToString(fullCiphertext)
 
 	// this is a valid spec, we want to be able to change fields

pkg/core/dump.go

@@ -34,6 +34,7 @@ func (e *Executor) Dump(ctx context.Context, opts DumpOptions) (DumpResults, err
 	dbnames := opts.DBNames
 	dbconn := opts.DBConn
 	compressor := opts.Compressor
+	encryptor := opts.Encryptor
 	compact := opts.Compact
 	suppressUseDatabase := opts.SuppressUseDatabase
 	maxAllowedPacket := opts.MaxAllowedPacket
@@ -132,6 +133,14 @@ func (e *Executor) Dump(ctx context.Context, opts DumpOptions) (DumpResults, err
 		tarSpan.End()
 		return results, fmt.Errorf("failed to create compressor: %v", err)
 	}
+	if encryptor != nil {
+		cw, err = encryptor.Encrypt(cw)
+		if err != nil {
+			tarSpan.SetStatus(codes.Error, err.Error())
+			tarSpan.End()
+			return results, fmt.Errorf("failed to create encryptor: %v", err)
+		}
+	}
 	if err := archive.Tar(workdir, cw); err != nil {
 		tarSpan.SetStatus(codes.Error, err.Error())
 		tarSpan.End()

pkg/core/dumpoptions.go

@@ -3,6 +3,7 @@ package core
 import (
 	"github.com/databacker/mysql-backup/pkg/compression"
 	"github.com/databacker/mysql-backup/pkg/database"
+	"github.com/databacker/mysql-backup/pkg/encrypt"
 	"github.com/databacker/mysql-backup/pkg/storage"
 	"github.com/google/uuid"
 )
@@ -13,6 +14,7 @@ type DumpOptions struct {
 	DBNames             []string
 	DBConn              database.Connection
 	Compressor          compression.Compressor
+	Encryptor           encrypt.Encryptor
 	Exclude             []string
 	PreBackupScripts    string
 	PostBackupScripts   string