feat: add S3 backup encryption at rest using rclone crypt #3194

Open
amirhmoradi wants to merge 7 commits into Dokploy:canary from amirhmoradi:claude/add-s3-backup-encryption-018RrZGgmyuupd7qWBRNYgCg

@amirhmoradi

Summary

This PR adds encryption at rest support for all S3 backups using rclone's native crypt backend. When enabled on a destination, all backups (database, compose, web-server, and volume backups) are automatically encrypted before upload and decrypted on restore.

Key Features

  • Encryption at rest for all backup types using NaCl SecretBox (XSalsa20 cipher + Poly1305)
  • Full rclone crypt options exposed in the UI:
    • Main encryption password
    • Salt password (password2) for additional security
    • Filename encryption (standard/obfuscate/off)
    • Directory name encryption
  • Transparent encryption/decryption - backups are encrypted on upload, decrypted on download
  • Backward compatible - existing unencrypted backups continue to work

Backup Types Covered

Type | Backup | Restore | Cleanup
PostgreSQL
MySQL
MariaDB
MongoDB
Compose
Web Server
Volume Backups

Files Changed

  • Schema: Added encryption fields to destination table
  • Core: New getRcloneS3Remote() function with crypt overlay support
  • Backup utilities: All backup types now use encryption-aware functions
  • Restore utilities: All restore types now use encryption-aware functions
  • Volume backups: Added encryption support for volume backup/restore/cleanup
  • UI: New encryption settings section in destination form
  • Migration: 0131_add_destination_encryption.sql
  • Tests: 24 unit tests for encryption utilities

How It Works

  1. User enables encryption on an S3 destination and provides passwords
  2. When backing up, rclone wraps the S3 remote with a crypt overlay
  3. Files are encrypted locally before upload using NaCl SecretBox
  4. On restore, rclone automatically decrypts using the same credentials
  5. Filename encryption (optional) encrypts file/directory names on S3

Security

  • Uses rclone's battle-tested crypt implementation
  • Passwords are passed via environment variables (not command line)
  • Single quotes in passwords are properly escaped
  • No plaintext credentials in logs

Test plan

  • Unit tests pass (24 new tests for encryption utilities)
  • Manual test: Create destination with encryption enabled
  • Manual test: Create database backup with encryption
  • Manual test: Restore encrypted backup
  • Manual test: Create volume backup with encryption
  • Manual test: Verify encrypted files on S3 are unreadable without key
  • Manual test: Verify existing unencrypted backups still work

Screenshots

The UI adds an "Encryption Settings" section to the destination form with:

  • Enable/disable toggle
  • Password field with generate button
  • Salt password field with generate button
  • Filename encryption dropdown (standard/obfuscate/off)
  • Directory name encryption toggle
  • Link to rclone crypt documentation

Documentation: https://rclone.org/crypt/
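
The crypt overlay from "How It Works" and the two handling claims under "Security" (passwords in environment variables, single quotes escaped), as an added TypeScript example that is not code from this PR. It assumes an S3 remote named `dest` is already defined, relies on rclone's `RCLONE_CONFIG_<NAME>_<OPTION>` environment convention, and expects passwords that have already been passed through `rclone obscure`; every type, function and remote name below is hypothetical.

```typescript
// Added example. All names here (CryptSettings, buildCryptEnv, shellQuote,
// redactEnv, the remote name "backupcrypt") are hypothetical, not Dokploy's code.
type FilenameEncryption = "standard" | "obfuscate" | "off";

interface CryptSettings {
  s3Remote: string; // remote being wrapped, e.g. "dest:my-bucket/backups"
  obscuredPassword: string; // output of `rclone obscure`, not the raw password
  obscuredPassword2?: string; // optional salt password, also obscured
  filenameEncryption: FilenameEncryption;
  directoryNameEncryption: boolean;
}

const MODES: readonly string[] = ["standard", "obfuscate", "off"];
// rclone reads remote definitions from RCLONE_CONFIG_<NAME>_<OPTION>.
const PREFIX = "RCLONE_CONFIG_BACKUPCRYPT_";

// Environment that defines a crypt remote "backupcrypt:" over an S3 remote.
function buildCryptEnv(s: CryptSettings): Record<string, string> {
  if (s.obscuredPassword.length === 0) throw new Error("crypt password is required");
  if (MODES.indexOf(s.filenameEncryption) === -1) throw new Error("bad filename mode");
  // Directory names are only encrypted when filename encryption is on.
  const dirs = s.directoryNameEncryption && s.filenameEncryption !== "off";
  const env: Record<string, string> = {
    [PREFIX + "TYPE"]: "crypt",
    [PREFIX + "REMOTE"]: s.s3Remote,
    [PREFIX + "PASSWORD"]: s.obscuredPassword,
    [PREFIX + "FILENAME_ENCRYPTION"]: s.filenameEncryption,
    [PREFIX + "DIRECTORY_NAME_ENCRYPTION"]: String(dirs),
  };
  if (s.obscuredPassword2) env[PREFIX + "PASSWORD2"] = s.obscuredPassword2;
  return env;
}

// POSIX single-quote escaping, for the case where an assignment must be
// embedded in a shell command string: each ' becomes '\''.
function shellQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Copy of the environment that is safe to write to a log.
function redactEnv(env: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const key of Object.keys(env)) {
    out[key] = /PASSWORD2?$/.test(key) ? "***" : String(env[key]);
  }
  return out;
}
```

Passing the returned map as the environment of the spawned rclone process avoids shell quoting entirely; `shellQuote` matters only where the command is assembled as a string, and `redactEnv` is what should reach the logger.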

Add support for encrypting backups before uploading to S3 and decrypting during restore. This includes:
- Database schema changes:
  - Added encryptionEnabled, encryptionMethod, and encryptionKey fields to the destination table
  - Created migration 0130_add_destination_encryption.sql
- Server-side backup encryption:
  - Added getEncryptionCommand/getDecryptionCommand utilities
  - Updated all backup handlers (postgres, mysql, mariadb, mongo, compose, web-server) to encrypt backups when enabled
  - Encrypted backups have .enc extension appended
- Server-side restore decryption:
  - Updated all restore handlers to detect encrypted backups and decrypt them during restore
  - Added isEncryptedBackup utility to check file extensions
- UI changes:
  - Added encryption settings section to destination configuration
  - Toggle for enabling/disabling encryption
  - Dropdown for selecting encryption method (AES-256-CBC, AES-256-GCM)
  - Input for encryption key with generate button
  - Warning about storing keys securely

Encryption uses OpenSSL with PBKDF2 key derivation (100,000 iterations) for secure password-based encryption.

Replace OpenSSL-based encryption with rclone's native crypt backend for better integration and simpler architecture. The crypt backend provides transparent encryption/decryption using NaCl SecretBox (XSalsa20 cipher + Poly1305 for integrity).

Changes:
- Remove encryptionMethod field (rclone uses its own algorithm)
- Add getRcloneS3Remote() to generate crypt-wrapped remotes
- Simplify backup commands (encryption handled by rclone remote)
- Simplify restore commands (decryption happens automatically)
- Update UI to remove encryption method selection
- Simplify migration to only add encryptionEnabled and encryptionKey

Add all rclone crypt configuration options to give users complete control over backup encryption settings:

New options:
- password2: Optional salt password for additional security (recommended)
- filenameEncryption: "standard", "obfuscate", or "off" (default: off)
- directoryNameEncryption: Encrypt directory names when filename encryption is enabled

UI improvements:
- Added link to rclone crypt documentation
- Password and salt password fields with generate buttons
- Filename encryption dropdown with descriptions
- Directory name encryption toggle (shown when filename encryption is enabled)

Encryption details:
- Uses NaCl SecretBox (XSalsa20 cipher + Poly1305)
- Filename encryption uses EME for "standard" mode
- All passwords should be stored securely as they cannot be recovered

See: https://rclone.org/crypt/

Add comprehensive tests for getEncryptionConfigFromDestination and getRcloneS3Remote functions covering all encryption options including password2 (salt), filename encryption, and directory name encryption.

Resolved conflict in drizzle migration journal by renaming encryption migration from 0130 to 0131.

Update volume backup, restore, and cleanup functions to use getRcloneS3Remote with encryption support. Volume backups now respect the destination's encryption settings (encryptionEnabled, encryptionKey, password2, filenameEncryption, directoryNameEncryption) just like database backups.

@amirhmoradi
Author

@Siumauricio Hi, thanks for the effort on Dokploy. I can see that you are busy with the important number of commits and PRs on dokploy. Sorry to be bothering, any chance I get feedback on my PRs in the coming weeks please? Is there a way for me to be more helpful on this project?

Reviewers

@Siumauricio: awaiting requested review (Siumauricio is a code owner)

At least 1 approving review is required to merge this pull request.

2 participants

@amirhmoradi, @claude