DEK isolation

2025-08-07 15:01:03 +00:00 · 2025-08-07 15:01:03 +00:00 · 1d50efe646
commit 1d50efe646
parent 16e01ab004
3 changed files with 41 additions and 5 deletions
--- a/.env
+++ b/.env
@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=69fce4f-202508071311
+IMG_TAG=16e01ab-202508071457
--- a/Backup_data.sh
+++ b/Backup_data.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+# === CONFIG ===
+DB_NAME="aptiva_dev"
+DB_USER="root"
+DB_HOST="127.0.0.1"
+DB_PORT="3306"
+BACKUP_DIR="./dev_backups"
+DATE=$(date +"%Y-%m-%d_%H-%M-%S")
+SNAPSHOT_NAME="dev_snapshot_${DATE}.sql.gz"
+EDEK_NAME="dev_edek_${DATE}.bin"
+KMS_KEY="projects/aptiva/locations/us-central1/keyRings/aptiva-db/cryptoKeys/field-level"
+
+mkdir -p "$BACKUP_DIR"
+
+# === STEP 1: Dump encrypted DB ===
+echo "🔄 Dumping dev MySQL database..."
+mysqldump -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_DIR/$SNAPSHOT_NAME"
+
+# === STEP 2: Backup current EDEK ===
+echo "🔐 Backing up current EDEK..."
+cp /run/secrets/dek.enc "$BACKUP_DIR/$EDEK_NAME"
+
+# === STEP 3: Verify EDEK unwrap ===
+echo "🧪 Verifying EDEK unwrap with KMS..."
+gcloud kms decrypt \
+  --location="us-central1" \
+  --keyring="aptiva-db" \
+  --key="field-level" \
+  --ciphertext-file="$BACKUP_DIR/$EDEK_NAME" \
+  --plaintext-file="/dev/null" \
+  > /dev/null
+
+echo "✅ Dev backup complete: $SNAPSHOT_NAME + $EDEK_NAME"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - ./salary_info.db:/app/salary_info.db:ro
      - ./user_profile.db:/app/user_profile.db
-      - dek-vol:/run/secrets/dev
+      - dek-vol:/run/secrets
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:${SERVER1_PORT}/healthz || exit 1"]
      interval: 30s
@ -62,7 +62,7 @@ services:
      - ./public:/app/public:ro
      - ./salary_info.db:/app/salary_info.db:ro
      - ./user_profile.db:/app/user_profile.db
-      - dek-vol:/run/secrets/dev 
+      - dek-vol:/run/secrets
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:${SERVER2_PORT}/healthz || exit 1"]
      interval: 30s
@ -103,7 +103,7 @@ services:
    volumes:
      - ./salary_info.db:/app/salary_info.db:ro
      - ./user_profile.db:/app/user_profile.db
-      - dek-vol:/run/secrets/dev 
+      - dek-vol:/run/secrets
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:${SERVER3_PORT}/healthz || exit 1"]
      interval: 30s
@ -130,6 +130,7 @@ networks:
    external: true
    
 volumes:
-    dek-vol:            
+    dek-vol:
+      name:            
      driver: local