support GPG encryption

Dockerfile

@@ -13,7 +13,7 @@ COPY scripts/*.sh /app/
 
 RUN chmod +x /app/*.sh \
   && mkdir -m 777 /bitwarden \
-  && apk add --no-cache 7zip bash mariadb-client postgresql16-client sqlite supercronic s-nail tzdata \
+  && apk add --no-cache 7zip bash gpg mariadb-client postgresql16-client sqlite supercronic s-nail tzdata \
   && apk info --no-cache -Lq mariadb-client | grep -vE '/bin/mariadb$' | grep -vE '/bin/mariadb-dump$' | xargs -I {} rm -f "/{}" \
   && ln -sf "${LOCALTIME_FILE}" /etc/localtime \
   && addgroup -g "${USER_ID}" "${USER_NAME}" \

docker-compose.yml

@@ -24,6 +24,7 @@ services:
     #   ZIP_ENABLE: 'TRUE'
     #   ZIP_PASSWORD: 'WHEREISMYPASSWORD?'
     #   ZIP_TYPE: 'zip'
+    #   GPG_BASE64_PUBKEY: ''
     #   BACKUP_FILE_SUFFIX: '%Y%m%d'
     #   BACKUP_KEEP_DAYS: 0
     #   PING_URL: ''

scripts/backup.sh

@@ -4,6 +4,7 @@
 
 function clear_dir() {
     rm -rf "${BACKUP_DIR}"
+    rm -rf "${GPG_DIR}"
 }
 
 function backup_init() {
@@ -140,24 +141,49 @@ function backup_package() {
 
         UPLOAD_FILE="${BACKUP_FILE_ZIP}"
 
+        local PASSWORD_FLAG="-p${ZIP_PASSWORD}"
+        if [[ "${GPG_ENABLE}" == "TRUE" ]]; then
+            PASSWORD_FLAG=""
+        fi
+
         if [[ "${ZIP_TYPE}" == "zip" ]]; then
-            7z a -tzip -mx=9 -p"${ZIP_PASSWORD}" "${BACKUP_FILE_ZIP}" "${BACKUP_DIR}"/*
+            7z a -tzip -mx=9 ${PASSWORD_FLAG} "${BACKUP_FILE_ZIP}" "${BACKUP_DIR}"/*
         else
-            7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on -p"${ZIP_PASSWORD}" "${BACKUP_FILE_ZIP}" "${BACKUP_DIR}"/*
+            7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on ${PASSWORD_FLAG} "${BACKUP_FILE_ZIP}" "${BACKUP_DIR}"/*
         fi
 
         ls -lah "${BACKUP_DIR}"
 
         color blue "display backup ${ZIP_TYPE} file list"
 
-        7z l -p"${ZIP_PASSWORD}" "${BACKUP_FILE_ZIP}"
+        7z l ${PASSWORD_FLAG} "${BACKUP_FILE_ZIP}"
     else
         color yellow "skip package backup files"
 
         UPLOAD_FILE="${BACKUP_DIR}"
     fi
 }
 
+function backup_gpg() {
+    if [[ "${GPG_ENABLE}" == "FALSE" ]]; then
+        return
+    fi
+
+    color blue "encrypt backup file"
+
+    if [[ -f "${UPLOAD_FILE}" ]]; then
+        gpg -v --output "${UPLOAD_FILE}.gpg" --encrypt --recipient-file "${GPG_PUBKEY_FILE}" "${UPLOAD_FILE}"
+
+        UPLOAD_FILE="${UPLOAD_FILE}.gpg"
+    else
+        mkdir -p "${GPG_DIR}"
+
+        ls "${UPLOAD_FILE}" | xargs -I {} gpg -v --output "${GPG_DIR}/{}.gpg" --encrypt --recipient-file "${GPG_PUBKEY_FILE}" "{}"
+
+        UPLOAD_FILE="${GPG_DIR}"
+    fi
+}
+
 function upload() {
     # upload file not exist
     if [[ ! -e "${UPLOAD_FILE}" ]]; then
@@ -220,6 +246,7 @@ clear_dir
 backup_init
 backup
 backup_package
+backup_gpg
 upload
 clear_dir
 clear_history

scripts/includes.sh

@@ -2,6 +2,8 @@
 
 ENV_FILE="/.env"
 CRON_CONFIG_FILE="${HOME}/crontabs"
+GPG_PUBKEY_FILE="${HOME}/gpg.pub"
+GPG_DIR="/bitwarden/gpg"
 BACKUP_DIR="/bitwarden/backup"
 RESTORE_DIR="/bitwarden/restore"
 RESTORE_EXTRACT_DIR="/bitwarden/extract"
@@ -142,6 +144,37 @@ function send_ping() {
     fi
 }
 
+########################################
+# Configure GPG public key.
+# Arguments:
+#     None
+########################################
+function configure_gpg_pubkey() {
+    GPG_ENABLE="FALSE"
+
+    if [[ -z "${GPG_BASE64_PUBKEY}" ]]; then
+        return
+    fi
+
+    if [[ ! -f "${GPG_PUBKEY_FILE}" ]]; then
+        local PUBKEY=$(echo "${GPG_BASE64_PUBKEY}" | base64 -d 2>&1)
+        if [[ $? != 0 ]]; then
+            color red "decoding GPG public key failed"
+            exit 1
+        fi
+
+        echo "${PUBKEY}" > "${GPG_PUBKEY_FILE}"
+    fi
+
+    gpg "${GPG_PUBKEY_FILE}" > /dev/null 2>&1
+    if [[ $? != 0 ]]; then
+        color red "validate GPG public key failed"
+        exit 1
+    fi
+
+    GPG_ENABLE="TRUE"
+}
+
 ########################################
 # Configure PostgreSQL password file.
 # Arguments:
@@ -293,6 +326,11 @@ function init_env() {
         ZIP_TYPE="zip"
     fi
 
+    # GPG_BASE64_PUBKEY
+    get_env GPG_BASE64_PUBKEY
+    GPG_BASE64_PUBKEY="${GPG_BASE64_PUBKEY:-""}"
+    configure_gpg_pubkey
+
     # BACKUP_KEEP_DAYS
     get_env BACKUP_KEEP_DAYS
     BACKUP_KEEP_DAYS="${BACKUP_KEEP_DAYS:-"0"}"
@@ -344,6 +382,7 @@ function init_env() {
     color yellow "ZIP_ENABLE: ${ZIP_ENABLE}"
     color yellow "ZIP_PASSWORD: ${#ZIP_PASSWORD} Chars"
     color yellow "ZIP_TYPE: ${ZIP_TYPE}"
+    color yellow "GPG_ENABLE: ${GPG_ENABLE}"
     color yellow "BACKUP_FILE_DATE_FORMAT: ${BACKUP_FILE_DATE_FORMAT} (example \"[filename].$(date +"${BACKUP_FILE_DATE_FORMAT}").[ext]\")"
     color yellow "BACKUP_KEEP_DAYS: ${BACKUP_KEEP_DAYS}"
     if [[ -n "${PING_URL}" ]]; then

version

@@ -1 +1 @@
-v1.19.10
+v1.20.0-beta.0