From ab63912c8997231abc72553fca9a0c4d0ad68c9d Mon Sep 17 00:00:00 2001 From: Avi Deitcher Date: Thu, 16 Jan 2020 13:45:47 -0500 Subject: [PATCH] Add openssl support and example --- Dockerfile | 2 +- README.md | 8 ++++++++ examples/encrypt.sh | 25 +++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 examples/encrypt.sh diff --git a/Dockerfile b/Dockerfile index a41440dd..aa70ff17 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ MAINTAINER Avi Deitcher # install the necessary client # the mysql-client must be 10.3.15 or later -RUN apk add --update 'mariadb-client>10.3.15' mariadb-connector-c bash python3 samba-client shadow && \ +RUN apk add --update 'mariadb-client>10.3.15' mariadb-connector-c bash python3 samba-client shadow openssl && \ rm -rf /var/cache/apk/* && \ touch /etc/samba/smb.conf && \ pip3 install awscli diff --git a/README.md b/README.md index bb63b747..2d39ccbb 100644 --- a/README.md +++ b/README.md @@ -268,6 +268,14 @@ fi You can think of this as a sort of basic plugin system. Look at the source of the [entrypoint](https://github.com/databack/mysql-backup/blob/master/entrypoint) script for other variables that can be used. +### Encrypting the Backup + +Post-processing also give you options to encrypt the backup using openssl. The openssl binary is available +to the processing scripts. + +The sample [examples/encrypt.sh](./examples/encrypt.sh) provides a sample post-processing script that you can use +to encrypt your backup with AES256. + ## Restore ### Dump Restore If you wish to run a restore to an existing database, you can use mysql-backup to do a restore. diff --git a/examples/encrypt.sh b/examples/encrypt.sh new file mode 100644 index 00000000..54a7e611 --- /dev/null +++ b/examples/encrypt.sh 
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+#
+# post-processing backup script used to encrypt the backup file.
+# Many thanks to Sascha Schieferdecker https://github.com/sascha-schieferdecker
+# for providing it.
+#
+# to use, mount in /scripts.d/post-backup/secure.sh
+#
+# the symmetric encryption key should be mounted in /scripts.d/post-backup/mysqldump-key.pub.pem
+
+# Encrypt and chmod backup file.
+if [[ -n "$DB_DUMP_DEBUG" ]]; then
+ set -x
+fi
+
+if [ -e ${DUMPFILE} ];
+then
+ openssl smime -encrypt -binary -text -aes256 -in ${DUMPFILE} -out ${DUMPFILE}.enc -outform DER /scripts.d/post-backup/mysqldump-key.pub.pem
+ mv ${DUMPFILE}.enc ${DUMPFILE}
+ chmod 600 ${DUMPFILE}
+else
+ echo "ERROR: Backup file ${DUMPFILE} does not exist!"
+fi
+
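Review bot: In the `if [ -e ${DUMPFILE} ]` block the `mv` runs whether or not `openssl smime` succeeded, so a failed run can either replace the dump with a truncated `.enc` file or leave the plaintext dump in place, and the script exits 0 in both cases (the `else` branch also only echoes). `${DUMPFILE}` is unquoted everywhere, and with the variable empty `[ -e ]` evaluates true, so the encryption branch is entered with no input file. I would quote every expansion, gate `mv`/`chmod` on the openssl exit status and exit non-zero on each failure path, as below; this assumes the entrypoint executes the script and treats a non-zero status as fatal, which is outside this patch and worth confirming, since otherwise a failed encryption still ships the plaintext. Separately, the header comment calls `mysqldump-key.pub.pem` a symmetric key although `smime -encrypt` takes a recipient certificate, and `-text` wraps the dump in text/plain MIME headers that a restore must strip with the same flag, which looks unintended for a binary dump.

```shell
# … unchanged: shebang, header comment, DB_DUMP_DEBUG tracing …
if [ -n "${DUMPFILE}" ] && [ -e "${DUMPFILE}" ]; then
    if openssl smime -encrypt -binary -text -aes256 \
        -in "${DUMPFILE}" -out "${DUMPFILE}.enc" -outform DER \
        /scripts.d/post-backup/mysqldump-key.pub.pem; then
        mv -- "${DUMPFILE}.enc" "${DUMPFILE}" || exit 1
        chmod 600 -- "${DUMPFILE}" || exit 1
    else
        # drop the partial ciphertext and fail loudly
        rm -f -- "${DUMPFILE}.enc"
        echo "ERROR: encrypting ${DUMPFILE} failed" >&2
        exit 1
    fi
else
    echo "ERROR: Backup file ${DUMPFILE} does not exist!" >&2
    exit 1
fi
```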