Support for encrypted backups/restore

ee/backup/run.go

@@ -33,7 +33,7 @@ var Restore x.SubCommand
 var LsBackup x.SubCommand
 
 var opt struct {
-	backupId, location, pdir, zero string
+	backupId, location, pdir, zero, keyfile string
 }
 
 func init() {
@@ -105,6 +105,8 @@ $ dgraph restore -p . -l /var/backups/dgraph -z localhost:5080
 	flag.StringVarP(&opt.zero, "zero", "z", "", "gRPC address for Dgraph zero. ex: localhost:5080")
 	flag.StringVarP(&opt.backupId, "backup_id", "", "", "The ID of the backup series to "+
 		"restore. If empty, it will restore the latest series.")
+	flag.StringVarP(&opt.keyfile, "keyfile", "k", "",
+		"Key file to decrypt the backup")
 	_ = Restore.Cmd.MarkFlagRequired("postings")
 	_ = Restore.Cmd.MarkFlagRequired("location")
 }
@@ -185,7 +187,7 @@ func runRestoreCmd() error {
 	}
 
 	start = time.Now()
-	result := worker.RunRestore(opt.pdir, opt.location, opt.backupId)
+	result := worker.RunRestore(opt.pdir, opt.location, opt.backupId, opt.keyfile)
 	if result.Err != nil {
 		return result.Err
 	}
@@ -226,9 +228,9 @@ func runLsbackupCmd() error {
 		return errors.Wrapf(err, "while listing manifests")
 	}
 
-	fmt.Printf("Name\tSince\tGroups\n")
+	fmt.Printf("Name\tSince\tGroups\tEncrypted\n")
 	for path, manifest := range manifests {
-		fmt.Printf("%v\t%v\t%v\n", path, manifest.Since, manifest.Groups)
+		fmt.Printf("%v\t%v\t%v\t%v\n", path, manifest.Since, manifest.Groups, manifest.Encrypted)
 	}
 
 	return nil

ee/enc/util_ee.go

@@ -13,7 +13,12 @@
 package enc
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"github.com/dgraph-io/badger/v2/y"
 	"github.com/dgraph-io/dgraph/x"
+	"github.com/pkg/errors"
+	"io"
 	"io/ioutil"
 )
 
@@ -35,3 +40,48 @@ func ReadEncryptionKeyFile(filepath string) []byte {
 
 	return k
 }
+
+// GetWriter wraps a crypto StreamWriter on input Writer given a key file
+func GetWriter(filepath string, w io.Writer) (io.Writer, error) {
+	// No encryption, return the input writer as is.
+	if filepath == "" {
+		return w, nil
+	}
+	// Encryption, wrap crypto StreamWriter on the input Writer.
+	c, err := aes.NewCipher(ReadEncryptionKeyFile(filepath))
+	if err != nil {
+		return nil, err
+	}
+	iv, err := y.GenerateIV()
+	if err != nil {
+		return nil, err
+	}
+	if iv != nil {
+		if _, err = w.Write(iv); err != nil {
+			return nil, err
+		}
+	}
+	return cipher.StreamWriter{S: cipher.NewCTR(c, iv), W: w}, nil
+}
+
+// GetReader returns a crypto StreamReader on the input Reader given a key file.
+func GetReader(filepath string, r io.Reader) (io.Reader, error) {
+	// No encryption, return input reader as is.
+	if filepath == "" {
+		return r, nil
+	}
+
+	// Encryption, wrap crypto StreamReader on input Reader.
+	c, err := aes.NewCipher(ReadEncryptionKeyFile(filepath))
+	if err != nil {
+		return nil, err
+	}
+	var iv []byte = make([]byte, 16)
+	cnt, err := r.Read(iv)
+	if cnt != 16 || err != nil {
+		err = errors.Errorf("unable to get IV from encrypted backup. Read %v bytes, err %v ",
+			cnt, err)
+		return nil, err
+	}
+	return cipher.StreamReader{S: cipher.NewCTR(c, iv), R: r}, nil
+}