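#!/bin/bash
#
# Dev backup: dumps the dev MySQL database (gzip-compressed), copies the
# current wrapped data-encryption key (EDEK) next to it, and checks that
# Cloud KMS can still unwrap that EDEK.
#
# Security notes:
#   * The dump and the EDEK are written with owner-only permissions.
#   * The EDEK is stored beside the data it protects, so confidentiality of
#     encrypted fields rests on who holds KMS decrypt permission on KMS_KEY.
#     Treat read access to BACKUP_DIR plus that permission as equivalent to
#     access to the plaintext fields.
set -euo pipefail

# Everything this script creates (directory, dump, EDEK copy) is owner-only.
umask 077

# === CONFIG ===
DB_NAME="aptiva_dev"
# NOTE(review): root is more privilege than a dump needs; a dedicated
# read-only backup account would limit the blast radius of this script.
DB_USER="root"
DB_HOST="127.0.0.1"
DB_PORT="3306"
BACKUP_DIR="./dev_backups"
DATE=$(date +"%Y-%m-%d_%H-%M-%S")
SNAPSHOT_NAME="dev_snapshot_${DATE}.sql.gz"
EDEK_NAME="dev_edek_${DATE}.bin"
KMS_KEY="projects/aptiva/locations/us-central1/keyRings/aptiva-db/cryptoKeys/field-level"

snapshot_path="$BACKUP_DIR/$SNAPSHOT_NAME"
edek_path="$BACKUP_DIR/$EDEK_NAME"
# The dump is written here first, so a failed run never leaves a truncated
# file under the final snapshot name.
partial_path="$BACKUP_DIR/.${SNAPSHOT_NAME}.partial"

mkdir -p "$BACKUP_DIR"
# umask only affects a directory created just now; tighten one that already
# existed with broader permissions.
chmod go-rwx -- "$BACKUP_DIR"

# Remove a half-written dump on any exit path (no-op after a successful mv).
trap 'rm -f -- "$partial_path"' EXIT

# === STEP 1: Dump encrypted DB ===
echo "🔄 Dumping dev MySQL database..."
# No password is passed on the command line; mysqldump presumably picks up
# credentials from an option file or login path (TODO confirm). Keep it that
# way: a password given as an argument is visible in the process list.
mysqldump -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" "$DB_NAME" | gzip > "$partial_path"
# Check the gzip stream before publishing it under the snapshot name.
# Read from stdin because gzip -t skips file names without a .gz suffix.
gzip -t < "$partial_path"
mv -- "$partial_path" "$snapshot_path"

# === STEP 2: Backup current EDEK ===
echo "🔐 Backing up current EDEK..."
cp -- /run/secrets/dek.enc "$edek_path"

# === STEP 3: Verify EDEK unwrap ===
echo "🧪 Verifying EDEK unwrap with KMS..."
# The fully qualified KMS_KEY pins project, location and key ring, so the
# check does not depend on whichever project is active in the gcloud config.
# The unwrapped DEK goes to /dev/null and is never written to disk.
if ! gcloud kms decrypt \
  --key="$KMS_KEY" \
  --ciphertext-file="$edek_path" \
  --plaintext-file="/dev/null" \
  > /dev/null; then
  echo "EDEK unwrap failed; $SNAPSHOT_NAME and $EDEK_NAME were kept but are unverified" >&2
  exit 1
fi

echo "✅ Dev backup complete: $SNAPSHOT_NAME + $EDEK_NAME"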