allow to keep source files when encrypting

This can be set in the config file and overriden on the command line
orgrim · Dec 2, 2021 · 2d8b840 · 2d8b840
1 parent f6f9590
commit 2d8b840
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -131,7 +131,11 @@ encryption of files). To keep things simple, encryption is done using a
 passphrase. To encrypt files, use the `--encrypt` option along with the
 `--cipher-pass` option or `PGBK_PASSPHRASE` environment variable to specify the
 passphrase. When `encrypt` is set to true in the configuration file, the
-`--no-encrypt` option allows to disable encryption on the command line.
+`--no-encrypt` option allows to disable encryption on the command line. By
+default, unencrypted source files are removed when they are successfully
+encrypted. Use the `--encrypt-keep-src` option to keep them or
+`--no-encrypt-keep-src` to force remove them and override the configuration
+file.
 
 Encrypted files can be decrypted with the correct passphrase and the
 `--decrypt` option. When `--decrypt` is present on the command line, dumps are

diff --git a/config.go b/config.go
@@ -72,6 +72,7 @@ type options struct {
 	Verbose          bool
 	Quiet            bool
 	Encrypt          bool
+	EncryptKeepSrc   bool
 	CipherPassphrase string
 	Decrypt          bool
 }
@@ -191,6 +192,8 @@ func parseCli(args []string) (options, []string, error) {
 
 	pflag.BoolVar(&opts.Encrypt, "encrypt", false, "encrypt the dumps")
 	NoEncrypt := pflag.Bool("no-encrypt", false, "do not encrypt the dumps")
+	pflag.BoolVar(&opts.EncryptKeepSrc, "encrypt-keep-src", false, "keep original files when encrypting")
+	NoEncryptKeepSrc := pflag.Bool("no-encrypt-keep-src", false, "do not keep original files when encrypting")
 	pflag.BoolVar(&opts.Decrypt, "decrypt", false, "decrypt files in the backup directory")
 	pflag.StringVar(&opts.CipherPassphrase, "cipher-pass", "", "cipher passphrase for encryption and decryption\n")
 
@@ -233,6 +236,12 @@ func parseCli(args []string) (options, []string, error) {
 		changed = append(changed, "encrypt")
 	}
 
+	// Same for encrypt_keep_source = true in the config file
+	if *NoEncryptKeepSrc {
+		opts.EncryptKeepSrc = false
+		changed = append(changed, "encrypt-keep-src")
+	}
+
 	// When --help or --version is given print and tell the caller
 	// through the error to exit
 	if pce.ShowHelp {
@@ -350,6 +359,7 @@ func loadConfigurationFile(path string) (options, error) {
 	opts.PostHook = s.Key("post_backup_hook").MustString("")
 	opts.Encrypt = s.Key("encrypt").MustBool(false)
 	opts.CipherPassphrase = s.Key("cipher_passphrase").MustString("")
+	opts.EncryptKeepSrc = s.Key("encrypt_keep_source").MustBool(false)
 
 	// Validate purge keep and time limit
 	keep, err := validatePurgeKeepValue(purgeKeep)
@@ -539,6 +549,8 @@ func mergeCliAndConfigOptions(cliOpts options, configOpts options, onCli []strin
 			opts.PostHook = cliOpts.PostHook
 		case "encrypt":
 			opts.Encrypt = cliOpts.Encrypt
+		case "encrypt-keep-src":
+			opts.EncryptKeepSrc = cliOpts.EncryptKeepSrc
 		case "cipher-pass":
 			opts.CipherPassphrase = cliOpts.CipherPassphrase
 		case "decrypt":

diff --git a/crypto.go b/crypto.go
@@ -117,6 +117,7 @@ func encryptFile(path string, password string, keep bool) error {
 				}
 
 				if !keep {
+					l.Verboseln("removeing source file:", path)
 					src.Close()
 					if err := os.Remove(path); err != nil {
 						return fmt.Errorf("could not remove %s: %w", path, err)
@@ -155,6 +156,7 @@ func encryptFile(path string, password string, keep bool) error {
 		}
 
 		if !keep {
+			l.Verboseln("removeing source file:", path)
 			src.Close()
 			if err := os.Remove(path); err != nil {
 				return fmt.Errorf("could not remove %s: %w", path, err)

diff --git a/main.go b/main.go
@@ -64,6 +64,9 @@ type dump struct {
 	// Cipher passphrase, when not empty cipher the file
 	CipherPassphrase string
 
+	// Keep original files after encryption
+	EncryptKeepSrc bool
+
 	// Result
 	When     time.Time
 	ExitCode int
@@ -208,7 +211,7 @@ func main() {
 			}
 
 			if opts.Encrypt {
-				if err = encryptFile(file, opts.CipherPassphrase, false); err != nil {
+				if err = encryptFile(file, opts.CipherPassphrase, opts.EncryptKeepSrc); err != nil {
 					l.Warnln("encryption failed", err)
 				}
 			}
@@ -310,6 +313,7 @@ func main() {
 			TimeFormat:       opts.TimeFormat,
 			ConnString:       conninfo,
 			CipherPassphrase: passphrase,
+			EncryptKeepSrc:   opts.EncryptKeepSrc,
 			ExitCode:         -1,
 			PgDumpVersion:    pgDumpVersion,
 		}
@@ -597,7 +601,7 @@ func (d *dump) dump() error {
 	// Encrypt the file
 	if d.CipherPassphrase != "" {
 		l.Infoln("encrypting", file)
-		if err = encryptFile(file, d.CipherPassphrase, false); err != nil {
+		if err = encryptFile(file, d.CipherPassphrase, d.EncryptKeepSrc); err != nil {
 			return fmt.Errorf("encrypt failed: %s", err)
 
 		}

diff --git a/pg_back.conf b/pg_back.conf
@@ -61,6 +61,9 @@ encrypt = false
 # environment variable can be used alternatively.
 cipher_passphrase =
 
+# Keep orignal files after encrypting them.
+encrypt_keep_source = false
+
 # Purge dumps older than this number of days. If the interval has to
 # be shorter than one day, use a duration with units, h for hours, m
 # for minutes, s for seconds, us for microseconds or ns for