From 2dc1c045aa6dd9a872466739f6286e422ad36b1c Mon Sep 17 00:00:00 2001 From: Christopher Hoelter Date: Sun, 5 Jan 2025 09:57:53 -0600 Subject: [PATCH 1/3] Fixed removing public-key-encryption. --- README.md | 10 ++++++++++ common-functions | 12 ++++++------ subcommands/backup-unset-public-key-encryption | 6 +++--- 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 1cf3f85a..f56aa544 100644 --- a/README.md +++ b/README.md @@ -646,6 +646,10 @@ Datastore backups are supported via AWS S3 and S3 compatible services like [mini You may skip the `backup-auth` step if your dokku install is running within EC2 and has access to the bucket via an IAM profile. In that case, use the `--use-iam` option with the `backup` command. +If both passphrase and public key forms of encryption are set, the public key encryption will take precedence. + +The underlying core backup script is present [here](https://github.com/dokku/docker-s3backup/blob/main/backup.sh). + Backups can be performed using the backup commands: ### set up authentication for backups on the postgres service @@ -728,8 +732,12 @@ Set the GPG-compatible passphrase for encrypting backups for backups: dokku postgres:backup-set-encryption lollipop ``` +Public key encryption will take precendence over the passphrase encryption if both types are set. + ### set GPG Public Key encryption for all future backups of postgres service +This method currently requires the to be present on the "keyserver.ubuntu.com" keyserver. + ```shell # usage dokku postgres:backup-set-public-key-encryption @@ -741,6 +749,8 @@ Set the `GPG` Public Key for encrypting backups: dokku postgres:backup-set-public-key-encryption lollipop ``` +This will take precendence over the passphrase encryption. + ### unset encryption for future backups of the postgres service ```shell diff --git a/common-functions b/common-functions index 5c410890..b8c834b0 100755 --- a/common-functions +++ b/common-functions 
@@ -433,7 +433,7 @@ service_backup_set_encryption() {
 local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
 local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
- mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+ mkdir -p "$SERVICE_BACKUP_ENCRYPTION_ROOT"
 echo "$ENCRYPTION_KEY" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"
 }
@@ -443,7 +443,7 @@ service_backup_set_public_key_encryption() {
 local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
 local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
- mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+ mkdir -p "$SERVICE_BACKUP_ENCRYPTION_ROOT"
 echo "$ENCRYPT_WITH_PUBLIC_KEY_ID" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPT_WITH_PUBLIC_KEY_ID"
 }
@@ -461,16 +461,16 @@ service_backup_unset_encryption() {
 local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
 local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
- rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+ rm "$SERVICE_BACKUP_ENCRYPTION_ROOT/ENCRYPTION_KEY"
 }
-service_backup_unset_encryption() {
- declare desc="remove backup encryption"
+service_backup_unset_public_key_encryption() {
+ declare desc="remove backup GPG Public Key encryption"
 declare SERVICE="$1"
 local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}"
 local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/"
- rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT"
+ rm "$SERVICE_BACKUP_ENCRYPTION_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID"
 }
 service_container_rm() {
diff --git a/subcommands/backup-unset-public-key-encryption b/subcommands/backup-unset-public-key-encryption
index 8e0352f8..0d6939b2 100755
--- a/subcommands/backup-unset-public-key-encryption
+++ b/subcommands/backup-unset-public-key-encryption
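Review bot: In `service_backup_set_encryption` the backup passphrase is written in clear text to `ENCRYPTION_KEY`, and neither the new `mkdir -p` nor the `echo ... >` redirect restricts the mode, so the directory and file get whatever the caller's umask allows, unless permissions are tightened somewhere this diff does not show. I would create the directory with `mkdir -p -m 700 "$SERVICE_BACKUP_ENCRYPTION_ROOT"` and follow the write with `chmod 600 "${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"`. Writing with `printf '%s\n' "$ENCRYPTION_KEY"` instead of `echo` also keeps a passphrase such as `-n` or `-e` from being swallowed as an echo option. The same pattern is in the hunk at -443 (`service_backup_set_public_key_encryption`), where the stored value is only a key id and so less sensitive. Both function bodies start outside their hunks.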
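Review bot: In the hunk at -461, both new `rm` calls fail when the target file is absent, for example when unsetting passphrase encryption on a service that only has a public key id stored, or where `backup-encryption/` was never created. The unset subcommand then ends on a raw `rm: cannot remove` error instead of being a no-op. I would use `rm -f -- "${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY"` and the same form for `ENCRYPT_WITH_PUBLIC_KEY_ID`; `-f` still reports permission errors. A comment above each function should also say that removing one file leaves the other mode in effect; going by the README text in this series, unsetting the public key presumably falls back to a stored passphrase, and to unencrypted backups if none is set.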
@@ -13,11 +13,11 @@ service-backup-unset-public-key-encryption-cmd() {
 local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption" argv=("$@")
 [[ ${argv[0]} == "$cmd" ]] && shift 1
 declare SERVICE="$1"
- is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented" # TODO: [22.03.2024 by Mykola]
+ is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented"
 [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service"
 verify_service_name "$SERVICE"
- service_backup_unset_public_key_encryption "$SERVICE" # TODO: [22.03.2024 by Mykola]
+ service_backup_unset_public_key_encryption "$SERVICE"
 }
-service-backup-unset-encryption-cmd "$@"
+service-backup-unset-public-key-encryption-cmd "$@"
From 885dfa9f5ee3b46a5d63392b434077aa17af3f19 Mon Sep 17 00:00:00 2001
From: Christopher Hoelter
Date: Tue, 12 Aug 2025 21:22:59 -0500
Subject: [PATCH 2/3] Quick commit
---
 bin/generate | 4 ++++
 subcommands/backup-set-encryption | 2 +-
 subcommands/backup-set-public-key-encryption | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/bin/generate b/bin/generate
index 1a8e5c53..70e6d593 100755
--- a/bin/generate
+++ b/bin/generate
@@ -304,6 +304,10 @@ def usage_backup(
 "",
 "You may skip the `backup-auth` step if your dokku install is running within EC2 and has access to the bucket via an IAM profile. In that case, use the `--use-iam` option with the `backup` command.",
 "",
+ "If both passphrase and public key forms of encryption are set, the public key encryption will take precedence.",
+ "",
+ "The underlying core backup script is present [here](https://github.com/dokku/docker-s3backup/blob/main/backup.sh).",
+ "",
 "Backups can be performed using the backup commands:",
 "",
 ]
diff --git a/subcommands/backup-set-encryption b/subcommands/backup-set-encryption
index 27cb86e8..3d90abdb 100755
--- a/subcommands/backup-set-encryption
+++ b/subcommands/backup-set-encryption
@@ -10,7 +10,7 @@ service-backup-set-encryption-cmd() {
 #E dokku $PLUGIN_COMMAND_PREFIX:backup-set-encryption lollipop
 #A service, service to run command against
 #A passphrase, a GPG-compatible passphrase
- declare desc="set encryption for all future backups of $PLUGIN_SERVICE service"
+ declare desc="set encryption for all future backups of $PLUGIN_SERVICE service; public key encryption will take precendence over the passphrase encryption if both types are set."
 local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-encryption" argv=("$@")
 [[ ${argv[0]} == "$cmd" ]] && shift 1
 declare SERVICE="$1" PASSPHRASE="$2"
diff --git a/subcommands/backup-set-public-key-encryption b/subcommands/backup-set-public-key-encryption
index d058bb20..a0c0cf61 100755
--- a/subcommands/backup-set-public-key-encryption
+++ b/subcommands/backup-set-public-key-encryption
@@ -10,7 +10,7 @@ service-backup-set-public-key-encryption-cmd() {
 #E dokku $PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption lollipop
 #A service, service to run command against
 #A public-key-id, a GPG Public Key ID (or fingerprint) to use for encryption. Must be uploaded to the GPG keyserver beforehand.
- declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service"
+ declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service; this method currently requires the to be present on the \"keyserver.ubuntu.com\" keyserver."
 local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption" argv=("$@")
 [[ ${argv[0]} == "$cmd" ]] && shift 1
 declare SERVICE="$1" PUBLIC_KEY_ID="$2"
From c9f2e6ec08c5120172410d765f10f741276640e5 Mon Sep 17 00:00:00 2001
From: Christopher Hoelter
Date: Tue, 12 Aug 2025 21:28:03 -0500
Subject: [PATCH 3/3] Regenerated readme.
---
 README.md | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index f56aa544..93fbe5cf 100644
--- a/README.md
+++ b/README.md
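Review bot: `desc` in `service-backup-set-encryption-cmd` is being used to carry a caveat, but PATCH 3/3 shows the regenerated README taking it verbatim as both the one-line command summary and the `###` section heading. The heading therefore becomes a full sentence, with `precendence` misspelled. The same applies to the `backup-set-public-key-encryption` hunk, where the `\"` escapes come out literally as `\"keyserver.ubuntu.com\"` in the README. I would leave `desc` as the short summary it was and put the precedence and keyserver caveats in the section body. PATCH 3/3 also drops the paragraphs PATCH 2/3 added to `usage_backup`, so it is worth confirming which generator input actually reaches that body. Both function bodies continue outside their hunks.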
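Review bot: In the `backup-set-public-key-encryption` hunk, the `#A public-key-id` help text still accepts "a GPG Public Key ID (or fingerprint)", while the new description says the key is fetched from keyserver.ubuntu.com. A short key ID is not a safe selector on a public keyserver: key IDs can collide, and a backup encrypted to the wrong key is unreadable to the operator and readable to whoever holds that key. The lookup itself is outside this diff, so I cannot tell whether it already requires a full fingerprint. If it does not, the help text should steer users there, e.g. `#A public-key-id, full GPG fingerprint of the key to encrypt to; must already be published on the keyserver`.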
@@ -23,8 +23,8 @@ postgres:backup-auth # remove backup authentication for the postgres service postgres:backup-schedule [--use-iam] # schedule a backup of the postgres service postgres:backup-schedule-cat # cat the contents of the configured backup cronfile for the service -postgres:backup-set-encryption # set encryption for all future backups of postgres service -postgres:backup-set-public-key-encryption # set GPG Public Key encryption for all future backups of postgres service +postgres:backup-set-encryption # set encryption for all future backups of postgres service; public key encryption will take precendence over the passphrase encryption if both types are set. +postgres:backup-set-public-key-encryption # set GPG Public Key encryption for all future backups of postgres service; this method currently requires the to be present on the \"keyserver.ubuntu.com\" keyserver. postgres:backup-unschedule # unschedule the backup of the postgres service postgres:backup-unset-encryption # unset encryption for future backups of the postgres service postgres:backup-unset-public-key-encryption # unset GPG Public Key encryption for future backups of the postgres service @@ -646,10 +646,6 @@ Datastore backups are supported via AWS S3 and S3 compatible services like [mini You may skip the `backup-auth` step if your dokku install is running within EC2 and has access to the bucket via an IAM profile. In that case, use the `--use-iam` option with the `backup` command. -If both passphrase and public key forms of encryption are set, the public key encryption will take precedence. - -The underlying core backup script is present [here](https://github.com/dokku/docker-s3backup/blob/main/backup.sh). - Backups can be performed using the backup commands: ### set up authentication for backups on the postgres service 
@@ -719,7 +715,7 @@ Restore a backup file (assuming it was extracted via `tar -xf backup.tgz`): dokku postgres:import lollipop < backup-folder/export ``` -### set encryption for all future backups of postgres service +### set encryption for all future backups of postgres service; public key encryption will take precendence over the passphrase encryption if both types are set. ```shell # usage @@ -732,11 +728,7 @@ Set the GPG-compatible passphrase for encrypting backups for backups: dokku postgres:backup-set-encryption lollipop ``` -Public key encryption will take precendence over the passphrase encryption if both types are set. - -### set GPG Public Key encryption for all future backups of postgres service - -This method currently requires the to be present on the "keyserver.ubuntu.com" keyserver. +### set GPG Public Key encryption for all future backups of postgres service; this method currently requires the to be present on the \"keyserver.ubuntu.com\" keyserver. ```shell # usage @@ -749,8 +741,6 @@ Set the `GPG` Public Key for encrypting backups: dokku postgres:backup-set-public-key-encryption lollipop ``` -This will take precendence over the passphrase encryption. - ### unset encryption for future backups of the postgres service ```shell