Add crypto

backup.sh

@@ -2,6 +2,26 @@
 
 echo "backupinator :D"
 
+if [ ! -d /in ] || [ ! -d /out ] || [ ! -d /keys ]; then
+    echo "Please start this container with /in, /out and /keys mounted"
+    exit 1
+fi
+
 tar czf /tmp/backup.tar.gz -C /in .
 
-cp /tmp/backup.tar.gz /out
+# encryption
+
+openssl rand -out /tmp/secret.key 32
+openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass file:/tmp/secret.key \
+    -in /tmp/backup.tar.gz \
+    -out /out/backup.tar.gz.enc
+
+for keyfile in $(ls /keys); do
+    tmpkey=$(mktemp)
+    ssh-keygen -e -f "/keys/$keyfile" -m PKCS8 > "$tmpkey"
+    openssl rsautl -encrypt -oaep -pubin -inkey "$tmpkey" \
+        -in /tmp/secret.key \
+        -out "/out/key-${keyfile%.*}.enc"
+    rm $tmpkey
+done
+

decrypt.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+tmpkey=$(mktemp)
+openssl rsautl -decrypt -oaep -inkey $1 -in $2 -out $tmpkey
+openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -pass "file:$tmpkey" \
+    -in "$3" -out "${3%.*}" -d
+rm $tmpkey