feat(backup): add support for asymmetric encryption

Author: kikkomep

k8s/backup-key.secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: lifemonitor-api-backup-key
+type: Opaque
+data:
+  encryptionKey: <base64-encoded-encryption-key>

k8s/templates/_helpers.tpl

@@ -67,6 +67,13 @@ Define lifemonitor TLS secret name
 {{- printf "%s-tls" .Release.Name }}
 {{- end }}
 
+{{/*
+Define lifemonitor secret name for backup key
+*/}}
+{{- define "chart.lifemonitor.backup.key" -}}
+{{- printf "%s-backup-key" .Release.Name }}
+{{- end }}
+
 
 {{/*
 Define volume name of LifeMonitor backup data 

k8s/templates/backup.job.yaml

@@ -29,12 +29,22 @@ spec:
             {{- include "lifemonitor.common-volume-mounts" . | nindent 12 }}
             - name: lifemonitor-backup
               mountPath: "/var/data/backup"
+            {{- if .Values.backup.encryptionKeySecret }}
+            - name: lifemonitor-backup-encryption-key
+              mountPath: "/lm/backup/encryption.key"
+              subPath: encryptionKey
+            {{- end }}
           restartPolicy: OnFailure
           volumes:
             {{- include "lifemonitor.common-volume" . | nindent 10 }}
           - name: lifemonitor-backup
             persistentVolumeClaim:
               claimName: {{ .Values.backup.existingClaim }}
+          {{- if .Values.backup.encryptionKeySecret }}
+          - name: lifemonitor-backup-encryption-key
+            secret:
+              secretName: {{ .Values.backup.encryptionKeySecret }}
+          {{- end }}
           {{- with .Values.lifemonitor.nodeSelector }}
           nodeSelector:
             {{- toYaml . | nindent 10 }}

k8s/templates/settings.secret.yaml

@@ -78,8 +78,8 @@ stringData:
     {{- if .Values.backup.retain_days }}
     BACKUP_RETAIN_DAYS={{ .Values.backup.retain_days }}
     {{- end }}
-    {{- if .Values.backup.encryptionKey }}
-    BACKUP_ENCRYPTION_KEY={{ .Values.backup.encryptionKey }}
+    {{- if .Values.backup.encryptionKeySecret }}
+    BACKUP_ENCRYPTION_KEY_PATH=/lm/backup/encryption.key
     {{- end }}    
     {{- if .Values.backup.remote.enabled }}
     BACKUP_REMOTE_PATH={{ .Values.backup.remote.path }}

k8s/values.yaml

@@ -120,7 +120,7 @@ backup:
   successfulJobsHistoryLimit: 30
   failedJobsHistoryLimit: 30
   existingClaim: data-api-backup
-  # encryptionKey: <YOUR_ENCRYPTION_KEY>
+  # encryptionKeySecret: lifemonitor-api-backup-key
   # Settings to mirror the (cluster) local backup
   # to a remote site via FTPS or SFTP
   remote:

lifemonitor/commands/backup.py

@@ -33,6 +33,7 @@
 from flask.blueprints import Blueprint
 from flask.cli import with_appcontext
 from flask.config import Config
+
 from lifemonitor.utils import FtpUtils, encrypt_folder
 
 from .db import backup, backup_options
@@ -51,6 +52,9 @@
 encryption_key_file_option = click.option("-kf", "--encryption-key-file",
                                           type=click.File("rb"), default=None,
                                           help="File containing the encryption key")
+encryption_asymmetric_option = click.option("-a", "--encryption-asymmetric", is_flag=True, default=False,
+                                            show_default=True,
+                                            help="Use asymmetric encryption")
 
 
 class RequiredIf(GroupedOption):
@@ -120,17 +124,29 @@ def bck(ctx):
 @backup_options
 @synch_otptions
 @with_appcontext
-def db_cmd(file, directory, encryption_key, encryption_key_file, verbose, *args, **kwargs):
+def db_cmd(file, directory,
+           encryption_key, encryption_key_file, encryption_asymmetric,
+           verbose, *args, **kwargs):
     """
     Make a backup of the database
     """
-    result = backup_db(directory, file, encryption_key, encryption_key_file, verbose, *args, **kwargs)
+    result = backup_db(directory, file,
+                       encryption_key=encryption_key,
+                       encryption_key_file=encryption_key_file,
+                       encryption_asymmetric=encryption_asymmetric,
+                       verbose=verbose, *args, **kwargs)
     sys.exit(result)
 
 
-def backup_db(directory, file=None, encryption_key=None, encryption_key_file=None, verbose=False, *args, **kwargs):
+def backup_db(directory, file=None,
+              encryption_key=None, encryption_key_file=None, encryption_asymmetric=False,
+              verbose=False, *args, **kwargs):
     logger.debug(sys.argv)
-    result = backup(directory, file, encryption_key, encryption_key_file, verbose)
+    logger.debug("Backup DB: %r - %r - %r - %r - %r - %r - %r",)
+    logger.warning(f"Encryption asymmetric: {encryption_asymmetric}")
+    result = backup(directory, file,
+                    encryption_key=encryption_key, encryption_key_file=encryption_key_file,
+                    encryption_asymmetric=encryption_asymmetric, verbose=verbose)
     if result.returncode == 0:
         synch = kwargs.pop('synch', False)
         if synch:
@@ -143,20 +159,25 @@ def backup_db(directory, file=None, encryption_key=None, encryption_key_file=Non
               help="Local path to store RO-Crates")
 @encryption_key_option
 @encryption_key_file_option
+@encryption_asymmetric_option
 @synch_otptions
 @with_appcontext
-def crates_cmd(directory, encryption_key, encryption_key_file, *args, **kwargs):
+def crates_cmd(directory,
+               encryption_key, encryption_key_file, encryption_asymmetric,
+               *args, **kwargs):
     """
     Make a backup of the registered workflow RO-Crates
     """
     result = backup_crates(current_app.config, directory,
-                           encryption_key, encryption_key_file,
+                           encryption_key=encryption_key, encryption_key_file=encryption_key_file,
+                           encryption_asymmetric=encryption_asymmetric,
                            *args, **kwargs)
     sys.exit(result.returncode)
 
 
 def backup_crates(config, directory,
                   encryption_key: bytes = None, encryption_key_file: BinaryIO = None,
+                  encryption_asymmetric: bool = False,
                   *args, **kwargs) -> subprocess.CompletedProcess:
     assert config.get("DATA_WORKFLOWS", None), "DATA_WORKFLOWS not configured"
     # get the path of the RO-Crates
@@ -169,19 +190,23 @@ def backup_crates(config, directory,
     if encryption_key or encryption_key_file:
         if not encryption_key:
             encryption_key = encryption_key_file.read()
-        result = encrypt_folder(rocrate_source_path, directory, encryption_key)
-        result = subprocess.CompletedProcess(returncode=0 if result else 1, args=())
+        result = encrypt_folder(rocrate_source_path, directory, encryption_key,
+                                encryption_asymmetric=encryption_asymmetric)
+        result = subprocess.CompletedProcess(returncode=0 if result else 1, args=())        
     else:
         result = subprocess.run(f'rsync -avh --delete {rocrate_source_path}/ {directory} ',
                                 shell=True, capture_output=True)
-    if result:
+    if result.returncode == 0:
         print("Created backup of workflow RO-Crates @ '%s'" % directory)
         synch = kwargs.pop('synch', False)
         if synch:
             logger.debug("Remaining args: %r", kwargs)
             return __remote_synch__(source=directory, **kwargs)
     else:
-        print("Unable to backup workflow RO-Crates\n%s", result.stderr.decode())
+        try:
+            print("Unable to backup workflow RO-Crates\n%s", result.stderr.decode())
+        except Exception:
+            print("Unable to backup workflow RO-Crates\n")
     return result
 
 
@@ -192,20 +217,36 @@ def auto(config: Config):
         click.echo("No BACKUP_LOCAL_PATH found in your settings")
         sys.exit(0)
 
-    # search for an encryption key
-    encryption_key = config.get("BACKUP_ENCRYPTION_KEY", None)
+    # search for an encryption key file
+    encryption_key = None
+    encryption_key_file = config.get("BACKUP_ENCRYPTION_KEY_PATH", None)
+    if not encryption_key_file:
+        click.echo("WARNING: No BACKUP_ENCRYPTION_KEY_PATH found in your settings")
+        logger.warning("No BACKUP_ENCRYPTION_KEY_PATH found in your settings")
+    else:
+        # read the encryption key from the file if the key is not provided
+        if isinstance(encryption_key_file, str):
+            with open(encryption_key_file, "rb") as encryption_key_file:
+                encryption_key = encryption_key_file.read()
+        elif isinstance(encryption_key_file, BinaryIO):
+            encryption_key = encryption_key_file.read()
+        else:
+            raise ValueError("Invalid encryption key file")
 
     # set paths
     base_path = base_path.removesuffix('/')  # remove trailing '/'
     db_backups = f"{base_path}/db"
     rc_backups = f"{base_path}/crates"
     logger.debug("Backup paths: %r - %r - %r", base_path, db_backups, rc_backups)
     # backup database
-    result = backup(db_backups, encryption_key=encryption_key)
+    result = backup(db_backups,
+                    encryption_key=encryption_key,
+                    encryption_asymmetric=True)
     if result.returncode != 0:
         sys.exit(result.returncode)
     # backup crates
-    result = backup_crates(config, rc_backups, encryption_key=encryption_key)
+    result = backup_crates(config, rc_backups,
+                           encryption_key=encryption_key, encryption_asymmetric=True)
     if result.returncode != 0:
         sys.exit(result.returncode)
     # clean up old files

lifemonitor/commands/db.py

@@ -24,13 +24,15 @@
 import subprocess
 import sys
 from datetime import datetime
+from typing import BinaryIO
 
 import click
 from flask import current_app
 from flask.cli import with_appcontext
 from flask_migrate import cli, current, stamp, upgrade
+
 from lifemonitor.auth.models import User
-from lifemonitor.utils import encrypt_file, decrypt_file, hide_secret
+from lifemonitor.utils import decrypt_file, encrypt_file, hide_secret
 
 # set module level logger
 logger = logging.getLogger()
@@ -109,11 +111,14 @@ def wait_for_db():
 encryption_key_file_option = click.option("-kf", "--encryption-key-file",
                                           type=click.File("rb"),
                                           default=None, help="File containing the encryption key")
+encryption_asymmetric_option = click.option("-a", "--encryption-asymmetric", is_flag=True, default=False,
+                                            help="Use asymmetric encryption", show_default=True)
 
 
 def backup_options(func):
     # backup command options (evaluated in reverse order!)
     func = verbose_option(func)
+    func = encryption_asymmetric_option(func)
     func = encryption_key_file_option(func)
     func = encryption_key_option(func)
     func = click.option("-f", "--file", default=None, help="Backup filename (default 'hhmmss_yyyymmdd.tar')")(func)
@@ -124,23 +129,34 @@ def backup_options(func):
 @cli.db.command("backup")
 @backup_options
 @with_appcontext
-def backup_cmd(directory, file, encryption_key, encryption_key_file, verbose):
+def backup_cmd(directory, file,
+               encryption_key, encryption_key_file, encryption_asymmetric,
+               verbose):
     """
     Make a backup of the current app database
     """
-    logger.debug("%r - %r - %r - %r - %r", file, directory, encryption_key, encryption_key_file, verbose)
-    result = backup(directory, file, encryption_key, encryption_key_file, verbose)
+    logger.debug("%r - %r - %r - %r - %r - %r ", file, directory,
+                 encryption_key, encryption_key_file, encryption_asymmetric, verbose)
+    result = backup(directory, file,
+                    encryption_key=encryption_key,
+                    encryption_key_file=encryption_key_file,
+                    encryption_asymmetric=encryption_asymmetric,
+                    verbose=verbose)
     # report exit code to the main process
     sys.exit(result.returncode)
 
 
 def backup(directory, file=None,
-           encryption_key=None, encryption_key_file=None,
+           encryption_key=None, encryption_key_file: BinaryIO = None,
+           encryption_asymmetric=False,
            verbose=False) -> subprocess.CompletedProcess:
     """
     Make a backup of the current app database
     """
-    logger.debug("%r - %r - %r - %r - %r", file, directory, encryption_key, encryption_key_file, verbose)
+    logger.debug("%r - %r - %r - %r - %r - %r",
+                 file, directory,
+                 encryption_key, encryption_key_file, encryption_asymmetric,
+                 verbose)
     from lifemonitor.db import db_connection_params
     params = db_connection_params()
     if not file:
@@ -161,21 +177,23 @@ def backup(directory, file=None,
             msg = f"Encrypting backup file {target_path}..."
             logger.debug(msg)
             print(msg)
-
             # read the encryption key from the file if the key is not provided
             if encryption_key is None:
                 encryption_key = encryption_key_file.read()
-
             # encrypt the backup file using the encryption key with the Fernet algorithm
             try:
                 with open(target_path, "rb") as input_file:
                     with open(target_path + ".enc", "wb") as output_file:
-                        encrypt_file(input_file, output_file, encryption_key, raise_error=True)
+                        encrypt_file(input_file, output_file, encryption_key,
+                                     encryption_asymmetric=encryption_asymmetric,
+                                     raise_error=True)
                 # remove the original backup file
                 os.remove(target_path)
                 msg = f"Backup file {target_path} encrypted"
                 logger.debug(msg)
                 print(msg)
+            except ValueError as e:
+                logger.error("Unable to encrypt backup file '%s'. ERROR: %s", target_path, str(e))
             except Exception as e:
                 print("Unable to encrypt backup file '%s'. ERROR: %s" % (target_path, str(e)))
                 sys.exit(1)
@@ -192,9 +210,12 @@ def backup(directory, file=None,
               help="Preserve the current database renaming it as '<dbname>_yyyymmdd_hhmmss'")
 @encryption_key_option
 @encryption_key_file_option
+@encryption_asymmetric_option
 @verbose_option
 @with_appcontext
-def restore(file, safe, encryption_key, encryption_key_file, verbose):
+def restore(file, safe,
+            encryption_key, encryption_key_file, encryption_asymmetric,
+            verbose):
     """
     Restore a backup of the app database
     """
@@ -228,7 +249,8 @@ def restore(file, safe, encryption_key, encryption_key_file, verbose):
             file = file.removesuffix(".enc")
             with open(encrypted_file, "rb") as input_file:
                 with open(file, "wb") as output_file:
-                    decrypt_file(input_file, output_file, encryption_key)
+                    decrypt_file(input_file, output_file,
+                                 encryption_key, encryption_asymmetric=encryption_asymmetric)
             logger.debug("Decrypted backup file '%s' to '%s'", encrypted_file, file)
 
         # check if delete or preserve the current app database (if exists)