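#!/bin/bash
#
# Dev backup: dump the dev MySQL database, copy the current wrapped data
# encryption key (EDEK) next to it, then confirm that Cloud KMS can still
# unwrap that EDEK so the pair is restorable.
#
# Requires: mysqldump, gzip, gcloud (authenticated with decrypt permission on
# KMS_KEY), and read access to /run/secrets/dek.enc.
set -euo pipefail

# The dump and the EDEK copy are sensitive; create them owner-only instead of
# inheriting a permissive umask from the caller.
umask 077

# === CONFIG ===
readonly DB_NAME="aptiva_dev"
readonly DB_USER="root"
readonly DB_HOST="127.0.0.1"
readonly DB_PORT="3306"
readonly BACKUP_DIR="./dev_backups"
DATE=$(date +"%Y-%m-%d_%H-%M-%S")
readonly DATE
readonly SNAPSHOT_NAME="dev_snapshot_${DATE}.sql.gz"
readonly EDEK_NAME="dev_edek_${DATE}.bin"
# Fully qualified key name. Passing this to gcloud pins project, location and
# key ring, so the check cannot silently run against whatever project happens
# to be the gcloud default.
readonly KMS_KEY="projects/aptiva/locations/us-central1/keyRings/aptiva-db/cryptoKeys/field-level"

# Print an error to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

mkdir -p "$BACKUP_DIR"
# mkdir -p leaves the mode of an already existing directory untouched.
chmod 700 "$BACKUP_DIR"

# The dump is written under a temporary name and renamed only on success, so
# a failed mysqldump never leaves a truncated file that looks like a backup.
partial_dump="$BACKUP_DIR/$SNAPSHOT_NAME.partial"
cleanup() {
  rm -f -- "$partial_dump"
}
trap cleanup EXIT

# === STEP 1: Dump encrypted DB ===
# NOTE(review): no password is given here, so mysqldump presumably reads
# credentials from a client option file. Keep it that way; a password on the
# command line would be visible in the process list.
printf '%s\n' "🔄 Dumping dev MySQL database..."
mysqldump -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" "$DB_NAME" \
  | gzip > "$partial_dump"
mv -- "$partial_dump" "$BACKUP_DIR/$SNAPSHOT_NAME"

# === STEP 2: Backup current EDEK ===
# The EDEK is the wrapped key, not the plaintext DEK. With the dump and the
# EDEK stored side by side, confidentiality of the encrypted fields rests on
# who is allowed to call decrypt on KMS_KEY.
printf '%s\n' "🔐 Backing up current EDEK..."
cp -- /run/secrets/dek.enc "$BACKUP_DIR/$EDEK_NAME"

# === STEP 3: Verify EDEK unwrap ===
# The plaintext goes to /dev/null: only the success of the unwrap matters and
# the DEK itself must not land on disk or in a log.
printf '%s\n' "🧪 Verifying EDEK unwrap with KMS..."
if ! gcloud kms decrypt \
  --key="$KMS_KEY" \
  --ciphertext-file="$BACKUP_DIR/$EDEK_NAME" \
  --plaintext-file="/dev/null" \
  > /dev/null; then
  die "EDEK unwrap failed: $SNAPSHOT_NAME + $EDEK_NAME were written but are NOT verified as restorable"
fi

printf '%s\n' "✅ Dev backup complete: $SNAPSHOT_NAME + $EDEK_NAME"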