From 1d50efe64629bed21615cc50964fa202e037054d Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 7 Aug 2025 15:01:03 +0000
Subject: [PATCH] DEK isolation
---
 .env | 2 +-
 Backup_data.sh | 35 +++++++++++++++++++++++++++++++++++
 docker-compose.yml | 9 +++++----
 3 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 Backup_data.sh
diff --git a/.env b/.env
index a9bca83..52a51b9 100644
--- a/.env
+++ b/.env
@@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=69fce4f-202508071311
\ No newline at end of file
+IMG_TAG=16e01ab-202508071457
\ No newline at end of file
diff --git a/Backup_data.sh b/Backup_data.sh
new file mode 100644
index 0000000..7bcb4ce
--- /dev/null
+++ b/Backup_data.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+# === CONFIG ===
+DB_NAME="aptiva_dev"
+DB_USER="root"
+DB_HOST="127.0.0.1"
+DB_PORT="3306"
+BACKUP_DIR="./dev_backups"
+DATE=$(date +"%Y-%m-%d_%H-%M-%S")
+SNAPSHOT_NAME="dev_snapshot_${DATE}.sql.gz"
+EDEK_NAME="dev_edek_${DATE}.bin"
+KMS_KEY="projects/aptiva/locations/us-central1/keyRings/aptiva-db/cryptoKeys/field-level"
+
+mkdir -p "$BACKUP_DIR"
+
+# === STEP 1: Dump encrypted DB ===
+echo "๐Ÿ”„ Dumping dev MySQL database..."
+mysqldump -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_DIR/$SNAPSHOT_NAME"
+
+# === STEP 2: Backup current EDEK ===
+echo "๐Ÿ” Backing up current EDEK..."
+cp /run/secrets/dek.enc "$BACKUP_DIR/$EDEK_NAME"
+
+# === STEP 3: Verify EDEK unwrap ===
+echo "๐Ÿงช Verifying EDEK unwrap with KMS..."
+gcloud kms decrypt \
+ --location="us-central1" \
+ --keyring="aptiva-db" \
+ --key="field-level" \
+ --ciphertext-file="$BACKUP_DIR/$EDEK_NAME" \
+ --plaintext-file="/dev/null" \
+ > /dev/null
+
+echo "โœ… Dev backup complete: $SNAPSHOT_NAME + $EDEK_NAME"
diff --git a/docker-compose.yml b/docker-compose.yml
index a1a5098..16fa005 100644
--- a/docker-compose.yml
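Review bot: The wrapped key copy and the database dump are written into `./dev_backups` with whatever umask the caller happens to have (commonly 022, giving 0644 files), so `dev_edek_*.bin` and `dev_snapshot_*.sql.gz` end up readable by every local account; a `umask 077` line before `mkdir -p "$BACKUP_DIR"` (or `mkdir -p -m 700 "$BACKUP_DIR"`) keeps both owner-only. `KMS_KEY` is assigned but never used — the verification step repeats location, keyring and key as separate literals, so the two can silently drift apart; `gcloud kms decrypt --key="$KMS_KEY"` takes the full resource name and makes the `--location`/`--keyring` flags redundant. The dump runs as `root` with no credential argument, so it depends on a local socket or `~/.my.cnf` login; a dedicated read-only backup account would be the least-privilege choice for a script that is meant to be run routinely. Note also that `/run/secrets/dek.enc` is the in-container mount path introduced in `docker-compose.yml`; if this script is run on the host rather than inside a service container, that path presumably does not exist — worth a comment stating where it is expected to run.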
+++ b/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 volumes:
 - ./salary_info.db:/app/salary_info.db:ro
 - ./user_profile.db:/app/user_profile.db
- - dek-vol:/run/secrets/dev
+ - dek-vol:/run/secrets
 healthcheck:
 test: ["CMD-SHELL", "curl -f http://localhost:${SERVER1_PORT}/healthz || exit 1"]
 interval: 30s
@@ -62,7 +62,7 @@ services:
 - ./public:/app/public:ro
 - ./salary_info.db:/app/salary_info.db:ro
 - ./user_profile.db:/app/user_profile.db
- - dek-vol:/run/secrets/dev
+ - dek-vol:/run/secrets
 healthcheck:
 test: ["CMD-SHELL", "curl -f http://localhost:${SERVER2_PORT}/healthz || exit 1"]
 interval: 30s
@@ -103,7 +103,7 @@ services:
 volumes:
 - ./salary_info.db:/app/salary_info.db:ro
 - ./user_profile.db:/app/user_profile.db
- - dek-vol:/run/secrets/dev
+ - dek-vol:/run/secrets
 healthcheck:
 test: ["CMD-SHELL", "curl -f http://localhost:${SERVER3_PORT}/healthz || exit 1"]
 interval: 30s
@@ -130,6 +130,7 @@ networks:
 external: true
 volumes:
- dek-vol:
+ dek-vol:
+ name:
 driver: local
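Review bot: All three `dek-vol:/run/secrets` mounts are read-write, even though the neighbouring `salary_info.db` bind is `:ro` and the services only need to read the wrapped key; `- dek-vol:/run/secrets:ro` would stop a compromised service from overwriting or deleting `dek.enc` for the other two, since the same volume is shared by all of them. Mounting a whole volume at `/run/secrets` also takes over the directory Compose uses for file-based `secrets:`, so any secret added later would collide with it — a subdirectory such as `/run/secrets/dek` avoids that if the application path is configurable. In the final hunk `name:` appears with no value; if that is not an artifact of how the diff was captured, give it an explicit value or drop the key, because an empty `name` does not pin the volume the way the hunk seems to intend.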