WIP: Encrypted backup
What does this MR do?
Implements feature described in #32208 (moved)
Adds GPG based encryption capability to existing gitlab:backup:create and gitlab:backup:restore tasks.
New environment variables ENCRYPTION_KEY_PATH and DECRYPTION_KEY_PATH, will be used during create and restore task.
If ENCRYPTION_KEY_PATH is passed to gitlab:backup:create task then gpg encryption will be performed on tar file. If DECRYPTION_KEY_PATH is passed to gitlab:backup:restore task then gpg decryption will be performed on gpg file.
Are there points in the code the reviewer needs to double check?
Check Backup::Manager#upload methods. I was not able to test this method on my local system.
Why was this MR needed?
As mentioned here #32208 (moved) users are requesting for inbuilt encryption mechanism for gitlab backups.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Frontend -
Has been reviewed by Backend -
Has been reviewed by Database
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together -
Internationalization required/considered -
End-to-end tests pass ( package-qa
manual pipeline job)
What are the relevant issue numbers?
Pending Tasks
-
Write tests for rake tasks and Backup::Manager. -
Discuss on minimising user interaction. -
Should we skip this question while calling gpg encrypt command? - "Use this key anyway? (y/N)" -
Should we add passphrase as an argument to restore task? - When we decrypt file using GPG, it asks for passphrase, "You need a passphrase to unlock the secret key for". Rake task can take passphrase as argument, which will be passed to gpg command.
Edited by Dinesh Sawant