[keyserver] Introduce support for encrypting database backups

Summary: Part of [ENG-11578](https://linear.app/comm/issue/ENG-11578/set-up-dropbox-backups-of-keyserver-db-on-personal-server).

Test Plan: Will test in prod

Subscribers: tomek

Differential Revision: https://phab.comm.dev/D15617

Author: Ashoat

keyserver/Dockerfile

@@ -53,13 +53,15 @@ RUN wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
 # We need rsync in the prod-build yarn script
 # We need mariadb-client so we can use mysqldump for backups
 # We need php-cli and php-mysql for Phorge backups
+# We need gnupg for OpenPGP backup encryption
 # We need cmake to install protobuf (prereq for rust-node-addon)
 # We need binaryen for wasm-opt tool used for WASM optimization
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
   rsync \
   mariadb-client \
   php-cli \
   php-mysql \
+  gnupg \
   cmake \
   && rm -rf /var/lib/apt/lists/*
 

keyserver/src/backups/backup-encryption.js

@@ -0,0 +1,33 @@
+// @flow
+
+import { OpenPGPBackupEncryptionAdapter } from './openpgp-backup-encryption-adapter.js';
+
+export type OpenPGPEncryptionConfig = {
+  +type: 'openpgp',
+  +armoredPublicKey: string,
+};
+
+export type BackupEncryptionConfig = OpenPGPEncryptionConfig;
+
+export type BackupEncryptionPipeline = {
+  +writeStream: stream$Writable,
+  +completion: Promise<void>,
+};
+
+export interface BackupEncryptionAdapter {
+  createEncryptedWriteStream(
+    filename: string,
+    writeStream: stream$Writable,
+  ): Promise<BackupEncryptionPipeline>;
+}
+
+function createBackupEncryptionAdapter(
+  config: BackupEncryptionConfig,
+): BackupEncryptionAdapter {
+  if (config.type === 'openpgp') {
+    return new OpenPGPBackupEncryptionAdapter(config);
+  }
+  throw new Error(`unsupported backup encryption config: ${config.type}`);
+}
+
+export { createBackupEncryptionAdapter };

keyserver/src/backups/backup-output.js

@@ -0,0 +1,64 @@
+// @flow
+
+import { PassThrough, pipeline as streamPipeline } from 'stream';
+import { promisify } from 'util';
+import zlib from 'zlib';
+
+import {
+  createBackupEncryptionAdapter,
+  type BackupEncryptionConfig,
+} from './backup-encryption.js';
+
+const pipeline = promisify(streamPipeline);
+
+type BackupOutputOptions = {
+  +filename: string,
+  +writeStream: stream$Writable,
+  +encryption?: ?BackupEncryptionConfig,
+};
+
+type BackupOutputPipeline = {
+  +rawStream: PassThrough,
+  +completion: Promise<mixed>,
+};
+
+async function createBackupOutputPipeline({
+  filename,
+  writeStream,
+  encryption,
+}: BackupOutputOptions): Promise<BackupOutputPipeline> {
+  const rawStream = new PassThrough();
+  const gzipStream = zlib.createGzip();
+
+  rawStream.on('error', (error: Error) => {
+    console.warn(`backup stdout stream emitted error for ${filename}`, error);
+  });
+  gzipStream.on('error', (error: Error) => {
+    console.warn(`gzip transform stream emitted error for ${filename}`, error);
+  });
+
+  if (!encryption) {
+    return {
+      rawStream,
+      completion: pipeline(rawStream, gzipStream, writeStream),
+    };
+  }
+
+  const encryptionAdapter = createBackupEncryptionAdapter(encryption);
+  const encryptedPipeline = await encryptionAdapter.createEncryptedWriteStream(
+    filename,
+    writeStream,
+  );
+
+  const completion = Promise.all([
+    pipeline(rawStream, gzipStream, encryptedPipeline.writeStream),
+    encryptedPipeline.completion,
+  ]);
+
+  return {
+    rawStream,
+    completion,
+  };
+}
+
+export { createBackupOutputPipeline };