FIX (ci \ cd): Add cleaning up CI space

FEATURE (clusters): Add cluster-based database management and bulk import

.dockerignore

@@ -0,0 +1,68 @@
+# Git and GitHub
+.git
+.gitignore
+.github
+
+# Node modules everywhere
+node_modules
+**/node_modules
+
+# Backend - exclude everything except what's needed for build
+backend/tools
+backend/mysqldata
+backend/pgdata
+backend/mariadbdata
+backend/temp
+backend/images
+backend/bin
+backend/*.exe
+
+# Scripts and data directories
+scripts
+postgresus-data
+
+# IDE and editor files
+.idea
+.vscode
+.cursor
+**/*.swp
+**/*.swo
+
+# Documentation and articles (not needed for build)
+articles
+docs
+pages
+
+# Notifiers not needed in container
+notifiers
+
+# Dist (will be built fresh)
+frontend/dist
+
+# Environment files (handled separately)
+.env.local
+.env.development
+
+# Logs and temp files
+**/*.log
+tmp
+temp
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Helm charts and deployment configs
+deploy
+
+# License and other root files
+LICENSE
+CITATION.cff
+*.md
+assets
+
+# Python cache
+**/__pycache__
+
+# Pre-commit config
+.pre-commit-config.yaml

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,102 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors and maintainers pledge to make participation in the Postgresus community a friendly and welcoming experience for everyone, regardless of background, experience level or personal circumstances.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive and healthy community.
+
+## Our Standards
+
+### Examples of behavior that contributes to a positive environment
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+- Helping newcomers get started with contributions
+- Providing clear and constructive feedback on pull requests
+- Celebrating successes and acknowledging contributions
+
+### Examples of unacceptable behavior
+
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Publishing others' private information, such as physical or email addresses, without their explicit permission
+- Spam, self-promotion or off-topic content in project spaces
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Scope
+
+This Code of Conduct applies within all community spaces, including:
+
+- GitHub repositories (issues, pull requests, discussions, comments)
+- Telegram channels and direct messages related to Postgresus
+- Social media interactions when representing the project
+- Community forums and online discussions
+- Any other spaces where Postgresus community members interact
+
+This Code of Conduct also applies when an individual is officially representing the community in public spaces, such as using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive or unacceptable behavior may be reported to the community leaders responsible for enforcement:
+
+- **Email**: [info@postgresus.com](mailto:info@postgresus.com)
+- **Telegram**: [@rostislav_dugin](https://t.me/rostislav_dugin)
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Contributing with Respect
+
+When contributing to Postgresus, please:
+
+- Be patient with maintainers and other contributors
+- Understand that everyone has different levels of experience
+- Ask questions in a respectful manner
+- Accept that your contribution may not be accepted, and be open to feedback
+- Follow the [contribution guidelines](https://postgresus.com/contribute)
+
+For code contributions, remember to:
+
+- Discuss significant changes before implementing them
+- Be open to code review feedback
+- Help review others' contributions when possible
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1, available at [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html).
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+For answers to common questions about this code of conduct, see the FAQ at [https://www.contributor-covenant.org/faq](https://www.contributor-covenant.org/faq).

.github/SECURITY.md

@@ -0,0 +1,54 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Postgresus, please report it responsibly. **Do not create a public GitHub issue for security vulnerabilities.**
+
+### How to Report
+
+1. **Email** (preferred): Send details to [info@postgresus.com](mailto:info@postgresus.com)
+2. **Telegram**: Contact [@rostislav_dugin](https://t.me/rostislav_dugin)
+3. **GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/RostislavDugin/postgresus/security/advisories/new) feature
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact and severity assessment
+- Any suggested fixes (optional)
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| Latest  | Yes       |
+
+We recommend always using the latest version of Postgresus. Security patches are applied to the most recent release.
+
+### PostgreSQL Compatibility
+
+Postgresus supports PostgreSQL versions 12, 13, 14, 15, 16, 17 and 18.
+
+## Response Timeline
+
+- **Acknowledgment**: Within 48-72 hours
+- **Initial Assessment**: Within 1 week
+- **Fix Timeline**: Depends on severity, but we aim to address critical issues as quickly as possible
+
+We follow a coordinated disclosure policy. We ask that you give us reasonable time to address the vulnerability before any public disclosure.
+
+## Security Features
+
+Postgresus is designed with security in mind. For full details, see our [security documentation](https://postgresus.com/security).
+
+Key features include:
+
+- **AES-256-GCM Encryption**: Enterprise-grade encryption for backup files and sensitive data
+- **Read-Only Database Access**: Postgresus uses read-only access by default and warns if write permissions are detected
+- **Role-Based Access Control**: Assign viewer, member, admin or owner roles within workspaces
+- **Audit Logging**: Track all system activities and changes made by users
+- **Zero-Trust Storage**: Encrypted backups are safe even in shared cloud storage
+
+## License
+
+Postgresus is licensed under [Apache 2.0](../LICENSE).

.github/workflows/ci-release.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.3"
+          go-version: "1.24.4"
 
       - name: Cache Go modules
         uses: actions/cache@v4
@@ -31,7 +31,7 @@ jobs:
 
       - name: Install golangci-lint
         run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.3
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.2
           echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 
       - name: Install swag for swagger generation
@@ -82,17 +82,59 @@ jobs:
           cd frontend
           npm run lint
 
+  test-frontend:
+    runs-on: ubuntu-latest
+    needs: [lint-frontend]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install dependencies
+        run: |
+          cd frontend
+          npm ci
+
+      - name: Run frontend tests
+        run: |
+          cd frontend
+          npm run test
+
   test-backend:
     runs-on: ubuntu-latest
     needs: [lint-backend]
     steps:
+      - name: Free up disk space
+        run: |
+          echo "Disk space before cleanup:"
+          df -h
+          # Remove unnecessary pre-installed software
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf /usr/share/swift
+          # Clean apt cache
+          sudo apt-get clean
+          # Clean docker images (if any pre-installed)
+          docker system prune -af --volumes || true
+          echo "Disk space after cleanup:"
+          df -h
+
       - name: Check out code
         uses: actions/checkout@v4
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.3"
+          go-version: "1.24.4"
 
       - name: Cache Go modules
         uses: actions/cache@v4
@@ -141,9 +183,35 @@ jobs:
           TEST_AZURITE_BLOB_PORT=10000
           # testing NAS
           TEST_NAS_PORT=7006
+          # testing FTP
+          TEST_FTP_PORT=7007
+          # testing SFTP
+          TEST_SFTP_PORT=7008
+          # testing MySQL
+          TEST_MYSQL_57_PORT=33057
+          TEST_MYSQL_80_PORT=33080
+          TEST_MYSQL_84_PORT=33084
+          # testing MariaDB
+          TEST_MARIADB_55_PORT=33055
+          TEST_MARIADB_101_PORT=33101
+          TEST_MARIADB_102_PORT=33102
+          TEST_MARIADB_103_PORT=33103
+          TEST_MARIADB_104_PORT=33104
+          TEST_MARIADB_105_PORT=33105
+          TEST_MARIADB_106_PORT=33106
+          TEST_MARIADB_1011_PORT=33111
+          TEST_MARIADB_114_PORT=33114
+          TEST_MARIADB_118_PORT=33118
+          TEST_MARIADB_120_PORT=33120
           # testing Telegram
           TEST_TELEGRAM_BOT_TOKEN=${{ secrets.TEST_TELEGRAM_BOT_TOKEN }}
           TEST_TELEGRAM_CHAT_ID=${{ secrets.TEST_TELEGRAM_CHAT_ID }}
+          # supabase
+          TEST_SUPABASE_HOST=${{ secrets.TEST_SUPABASE_HOST }}
+          TEST_SUPABASE_PORT=${{ secrets.TEST_SUPABASE_PORT }}
+          TEST_SUPABASE_USERNAME=${{ secrets.TEST_SUPABASE_USERNAME }}
+          TEST_SUPABASE_PASSWORD=${{ secrets.TEST_SUPABASE_PASSWORD }}
+          TEST_SUPABASE_DATABASE=${{ secrets.TEST_SUPABASE_DATABASE }}
           EOF
 
       - name: Start test containers
@@ -170,6 +238,44 @@ jobs:
           # Wait for Azurite
           timeout 60 bash -c 'until nc -z localhost 10000; do sleep 2; done'
 
+          # Wait for FTP
+          timeout 60 bash -c 'until nc -z localhost 7007; do sleep 2; done'
+
+          # Wait for SFTP
+          timeout 60 bash -c 'until nc -z localhost 7008; do sleep 2; done'
+
+          # Wait for MySQL containers
+          echo "Waiting for MySQL 5.7..."
+          timeout 120 bash -c 'until docker exec test-mysql-57 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MySQL 8.0..."
+          timeout 120 bash -c 'until docker exec test-mysql-80 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MySQL 8.4..."
+          timeout 120 bash -c 'until docker exec test-mysql-84 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
+
+          # Wait for MariaDB containers
+          echo "Waiting for MariaDB 5.5..."
+          timeout 120 bash -c 'until docker exec test-mariadb-55 mysqladmin ping -h localhost -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.1..."
+          timeout 120 bash -c 'until docker exec test-mariadb-101 mysqladmin ping -h localhost -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.2..."
+          timeout 120 bash -c 'until docker exec test-mariadb-102 mysqladmin ping -h localhost -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.3..."
+          timeout 120 bash -c 'until docker exec test-mariadb-103 mysqladmin ping -h localhost -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.4..."
+          timeout 120 bash -c 'until docker exec test-mariadb-104 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.5..."
+          timeout 120 bash -c 'until docker exec test-mariadb-105 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.6..."
+          timeout 120 bash -c 'until docker exec test-mariadb-106 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 10.11..."
+          timeout 120 bash -c 'until docker exec test-mariadb-1011 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 11.4..."
+          timeout 120 bash -c 'until docker exec test-mariadb-114 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 11.8..."
+          timeout 120 bash -c 'until docker exec test-mariadb-118 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MariaDB 12.0..."
+          timeout 120 bash -c 'until docker exec test-mariadb-120 healthcheck.sh --connect --innodb_initialized 2>/dev/null; do sleep 2; done'
+
       - name: Create data and temp directories
         run: |
           # Create directories that are used for backups and restore
@@ -177,12 +283,77 @@ jobs:
           mkdir -p postgresus-data/backups
           mkdir -p postgresus-data/temp
 
-      - name: Install PostgreSQL client tools
+      - name: Cache PostgreSQL client tools
+        id: cache-postgres
+        uses: actions/cache@v4
+        with:
+          path: /usr/lib/postgresql
+          key: postgres-clients-12-18-v1
+
+      - name: Cache MySQL client tools
+        id: cache-mysql
+        uses: actions/cache@v4
+        with:
+          path: backend/tools/mysql
+          key: mysql-clients-57-80-84-v1
+
+      - name: Cache MariaDB client tools
+        id: cache-mariadb
+        uses: actions/cache@v4
+        with:
+          path: backend/tools/mariadb
+          key: mariadb-clients-106-121-v1
+
+      - name: Install MySQL dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq libncurses6
+          sudo ln -sf /usr/lib/x86_64-linux-gnu/libncurses.so.6 /usr/lib/x86_64-linux-gnu/libncurses.so.5
+          sudo ln -sf /usr/lib/x86_64-linux-gnu/libtinfo.so.6 /usr/lib/x86_64-linux-gnu/libtinfo.so.5
+
+      - name: Install PostgreSQL, MySQL and MariaDB client tools
+        if: steps.cache-postgres.outputs.cache-hit != 'true' || steps.cache-mysql.outputs.cache-hit != 'true' || steps.cache-mariadb.outputs.cache-hit != 'true'
         run: |
           chmod +x backend/tools/download_linux.sh
           cd backend/tools
           ./download_linux.sh
 
+      - name: Setup PostgreSQL symlinks (when using cache)
+        if: steps.cache-postgres.outputs.cache-hit == 'true'
+        run: |
+          cd backend/tools
+          mkdir -p postgresql
+          for version in 12 13 14 15 16 17 18; do
+            version_dir="postgresql/postgresql-$version"
+            mkdir -p "$version_dir/bin"
+            pg_bin_dir="/usr/lib/postgresql/$version/bin"
+            if [ -d "$pg_bin_dir" ]; then
+              ln -sf "$pg_bin_dir/pg_dump" "$version_dir/bin/pg_dump"
+              ln -sf "$pg_bin_dir/pg_dumpall" "$version_dir/bin/pg_dumpall"
+              ln -sf "$pg_bin_dir/psql" "$version_dir/bin/psql"
+              ln -sf "$pg_bin_dir/pg_restore" "$version_dir/bin/pg_restore"
+              ln -sf "$pg_bin_dir/createdb" "$version_dir/bin/createdb"
+              ln -sf "$pg_bin_dir/dropdb" "$version_dir/bin/dropdb"
+            fi
+          done
+
+      - name: Verify MariaDB client tools exist
+        run: |
+          cd backend/tools
+          echo "Checking MariaDB client tools..."
+          if [ -f "mariadb/mariadb-10.6/bin/mariadb-dump" ]; then
+            echo "MariaDB 10.6 client tools found"
+            ls -la mariadb/mariadb-10.6/bin/
+          else
+            echo "MariaDB 10.6 client tools NOT found"
+          fi
+          if [ -f "mariadb/mariadb-12.1/bin/mariadb-dump" ]; then
+            echo "MariaDB 12.1 client tools found"
+            ls -la mariadb/mariadb-12.1/bin/
+          else
+            echo "MariaDB 12.1 client tools NOT found"
+          fi
+
       - name: Run database migrations
         run: |
           cd backend
@@ -202,7 +373,7 @@ jobs:
 
   determine-version:
     runs-on: ubuntu-latest
-    needs: [test-backend, lint-frontend]
+    needs: [test-backend, test-frontend]
     if: ${{ github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip-release]') }}
     outputs:
       should_release: ${{ steps.version_bump.outputs.should_release }}
@@ -295,7 +466,7 @@ jobs:
 
   build-only:
     runs-on: ubuntu-latest
-    needs: [test-backend, lint-frontend]
+    needs: [test-backend, test-frontend]
     if: ${{ github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[skip-release]') }}
     steps:
       - name: Check out code
@@ -455,6 +626,17 @@ jobs:
             echo EOF
           } >> $GITHUB_OUTPUT
 
+      - name: Update CITATION.cff version
+        run: |
+          VERSION="${{ needs.determine-version.outputs.new_version }}"
+          sed -i "s/^version: .*/version: ${VERSION}/" CITATION.cff
+          sed -i "s/^date-released: .*/date-released: \"$(date +%Y-%m-%d)\"/" CITATION.cff
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add CITATION.cff
+          git commit -m "Update CITATION.cff to v${VERSION}" || true
+          git push || true
+
       - name: Create GitHub Release
         uses: actions/create-release@v1
         env:
@@ -465,3 +647,37 @@ jobs:
           body: ${{ steps.changelog.outputs.changelog }}
           draft: false
           prerelease: false
+
+  publish-helm-chart:
+    runs-on: ubuntu-latest
+    needs: [determine-version, build-and-push]
+    if: ${{ needs.determine-version.outputs.should_release == 'true' }}
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Update Chart.yaml with release version
+        run: |
+          VERSION="${{ needs.determine-version.outputs.new_version }}"
+          sed -i "s/^version: .*/version: ${VERSION}/" deploy/helm/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"v${VERSION}\"/" deploy/helm/Chart.yaml
+          cat deploy/helm/Chart.yaml
+
+      - name: Package Helm chart
+        run: helm package deploy/helm --destination .
+
+      - name: Push Helm chart to GHCR
+        run: |
+          VERSION="${{ needs.determine-version.outputs.new_version }}"
+          helm push postgresus-${VERSION}.tgz oci://ghcr.io/rostislavdugin/charts

.gitignore

@@ -4,4 +4,8 @@ postgresus-data/
 pgdata/
 docker-compose.yml
 node_modules/
-.idea
+.idea
+/articles
+
+.DS_Store
+/scripts

CITATION.cff

@@ -0,0 +1,33 @@
+cff-version: 1.2.0
+title: Postgresus
+message: "If you use this software, please cite it as below."
+type: software
+authors:
+  - family-names: Dugin
+    given-names: Rostislav
+repository-code: https://github.com/RostislavDugin/postgresus
+url: https://postgresus.com
+abstract: "Free, open source and self-hosted solution for automated PostgreSQL backups with multiple storage options and notifications."
+keywords:
+  - docker
+  - kubernetes
+  - golang
+  - backups
+  - postgres
+  - devops
+  - backup
+  - database
+  - tools
+  - monitoring
+  - ftp
+  - postgresql
+  - s3
+  - psql
+  - web-ui
+  - self-hosted
+  - pg
+  - system-administration
+  - database-backup
+license: Apache-2.0
+version: 2.11.0
+date-released: "2025-12-20"

Dockerfile

@@ -22,7 +22,7 @@ RUN npm run build
 
 # ========= BUILD BACKEND =========
 # Backend build stage
-FROM --platform=$BUILDPLATFORM golang:1.23.3 AS backend-build
+FROM --platform=$BUILDPLATFORM golang:1.24.4 AS backend-build
 
 # Make TARGET args available early so tools built here match the final image arch
 ARG TARGETOS
@@ -77,16 +77,98 @@ ENV APP_VERSION=$APP_VERSION
 # Set production mode for Docker containers
 ENV ENV_MODE=production
 
-# Install PostgreSQL server and client tools (versions 12-18)
+# Install PostgreSQL server and client tools (versions 12-18), MySQL client tools (5.7, 8.0, 8.4), MariaDB client tools, and rclone
+# Note: MySQL 5.7 is only available for x86_64, MySQL 8.0+ supports both x86_64 and ARM64
+# Note: MySQL binaries require libncurses5 for terminal handling
+# Note: MariaDB uses a single client version (12.1) that is backward compatible with all server versions
+ARG TARGETARCH
 RUN apt-get update && apt-get install -y --no-install-recommends \
-  wget ca-certificates gnupg lsb-release sudo gosu && \
+  wget ca-certificates gnupg lsb-release sudo gosu curl unzip xz-utils libncurses5 && \
+  # Add PostgreSQL repository
   wget -qO- https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
   echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
   > /etc/apt/sources.list.d/pgdg.list && \
   apt-get update && \
+  # Install PostgreSQL
   apt-get install -y --no-install-recommends \
   postgresql-17 postgresql-18 postgresql-client-12 postgresql-client-13 postgresql-client-14 postgresql-client-15 \
-  postgresql-client-16 postgresql-client-17 postgresql-client-18 && \
+  postgresql-client-16 postgresql-client-17 postgresql-client-18 rclone && \
+  # Create MySQL directories
+  mkdir -p /usr/local/mysql-5.7/bin /usr/local/mysql-8.0/bin /usr/local/mysql-8.4/bin && \
+  # Download and install MySQL client tools (architecture-aware)
+  # MySQL 5.7: Only available for x86_64
+  if [ "$TARGETARCH" = "amd64" ]; then \
+  wget -q https://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.44-linux-glibc2.12-x86_64.tar.gz -O /tmp/mysql57.tar.gz && \
+  tar -xzf /tmp/mysql57.tar.gz -C /tmp && \
+  cp /tmp/mysql-5.7.*/bin/mysql /usr/local/mysql-5.7/bin/ && \
+  cp /tmp/mysql-5.7.*/bin/mysqldump /usr/local/mysql-5.7/bin/ && \
+  rm -rf /tmp/mysql-5.7.* /tmp/mysql57.tar.gz; \
+  else \
+  echo "MySQL 5.7 not available for $TARGETARCH, skipping..."; \
+  fi && \
+  # MySQL 8.0: Available for both x86_64 and ARM64
+  if [ "$TARGETARCH" = "amd64" ]; then \
+  wget -q https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.40-linux-glibc2.17-x86_64-minimal.tar.xz -O /tmp/mysql80.tar.xz; \
+  elif [ "$TARGETARCH" = "arm64" ]; then \
+  wget -q https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.40-linux-glibc2.17-aarch64-minimal.tar.xz -O /tmp/mysql80.tar.xz; \
+  fi && \
+  tar -xJf /tmp/mysql80.tar.xz -C /tmp && \
+  cp /tmp/mysql-8.0.*/bin/mysql /usr/local/mysql-8.0/bin/ && \
+  cp /tmp/mysql-8.0.*/bin/mysqldump /usr/local/mysql-8.0/bin/ && \
+  rm -rf /tmp/mysql-8.0.* /tmp/mysql80.tar.xz && \
+  # MySQL 8.4: Available for both x86_64 and ARM64
+  if [ "$TARGETARCH" = "amd64" ]; then \
+  wget -q https://dev.mysql.com/get/Downloads/MySQL-8.4/mysql-8.4.3-linux-glibc2.17-x86_64-minimal.tar.xz -O /tmp/mysql84.tar.xz; \
+  elif [ "$TARGETARCH" = "arm64" ]; then \
+  wget -q https://dev.mysql.com/get/Downloads/MySQL-8.4/mysql-8.4.3-linux-glibc2.17-aarch64-minimal.tar.xz -O /tmp/mysql84.tar.xz; \
+  fi && \
+  tar -xJf /tmp/mysql84.tar.xz -C /tmp && \
+  cp /tmp/mysql-8.4.*/bin/mysql /usr/local/mysql-8.4/bin/ && \
+  cp /tmp/mysql-8.4.*/bin/mysqldump /usr/local/mysql-8.4/bin/ && \
+  rm -rf /tmp/mysql-8.4.* /tmp/mysql84.tar.xz && \
+  # Make MySQL binaries executable (ignore errors for empty dirs on ARM64)
+  chmod +x /usr/local/mysql-*/bin/* 2>/dev/null || true && \
+  # Create MariaDB directories for both versions
+  # MariaDB uses two client versions:
+  # - 10.6 (legacy): For older servers (5.5, 10.1) that don't have generation_expression column
+  # - 12.1 (modern): For newer servers (10.2+)
+  mkdir -p /usr/local/mariadb-10.6/bin /usr/local/mariadb-12.1/bin && \
+  # Download and install MariaDB 10.6 client tools (legacy - for older servers)
+  if [ "$TARGETARCH" = "amd64" ]; then \
+  wget -q https://archive.mariadb.org/mariadb-10.6.21/bintar-linux-systemd-x86_64/mariadb-10.6.21-linux-systemd-x86_64.tar.gz -O /tmp/mariadb106.tar.gz && \
+  tar -xzf /tmp/mariadb106.tar.gz -C /tmp && \
+  cp /tmp/mariadb-10.6.*/bin/mariadb /usr/local/mariadb-10.6/bin/ && \
+  cp /tmp/mariadb-10.6.*/bin/mariadb-dump /usr/local/mariadb-10.6/bin/ && \
+  rm -rf /tmp/mariadb-10.6.* /tmp/mariadb106.tar.gz; \
+  elif [ "$TARGETARCH" = "arm64" ]; then \
+  # For ARM64, install MariaDB 10.6 client from official repository
+  curl -fsSL https://mariadb.org/mariadb_release_signing_key.asc | gpg --dearmor -o /usr/share/keyrings/mariadb-keyring.gpg && \
+  echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://mirror.mariadb.org/repo/10.6/debian $(lsb_release -cs) main" > /etc/apt/sources.list.d/mariadb106.list && \
+  apt-get update && \
+  apt-get install -y --no-install-recommends mariadb-client && \
+  cp /usr/bin/mariadb /usr/local/mariadb-10.6/bin/mariadb && \
+  cp /usr/bin/mariadb-dump /usr/local/mariadb-10.6/bin/mariadb-dump && \
+  apt-get remove -y mariadb-client && \
+  rm /etc/apt/sources.list.d/mariadb106.list; \
+  fi && \
+  # Download and install MariaDB 12.1 client tools (modern - for newer servers)
+  if [ "$TARGETARCH" = "amd64" ]; then \
+  wget -q https://archive.mariadb.org/mariadb-12.1.2/bintar-linux-systemd-x86_64/mariadb-12.1.2-linux-systemd-x86_64.tar.gz -O /tmp/mariadb121.tar.gz && \
+  tar -xzf /tmp/mariadb121.tar.gz -C /tmp && \
+  cp /tmp/mariadb-12.1.*/bin/mariadb /usr/local/mariadb-12.1/bin/ && \
+  cp /tmp/mariadb-12.1.*/bin/mariadb-dump /usr/local/mariadb-12.1/bin/ && \
+  rm -rf /tmp/mariadb-12.1.* /tmp/mariadb121.tar.gz; \
+  elif [ "$TARGETARCH" = "arm64" ]; then \
+  # For ARM64, install MariaDB 12.1 client from official repository
+  echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://mirror.mariadb.org/repo/12.1/debian $(lsb_release -cs) main" > /etc/apt/sources.list.d/mariadb121.list && \
+  apt-get update && \
+  apt-get install -y --no-install-recommends mariadb-client && \
+  cp /usr/bin/mariadb /usr/local/mariadb-12.1/bin/mariadb && \
+  cp /usr/bin/mariadb-dump /usr/local/mariadb-12.1/bin/mariadb-dump; \
+  fi && \
+  # Make MariaDB binaries executable
+  chmod +x /usr/local/mariadb-*/bin/* 2>/dev/null || true && \
+  # Cleanup
   rm -rf /var/lib/apt/lists/*
 
 # Create postgres user and set up directories

README.md

@@ -25,6 +25,8 @@
     <a href="https://postgresus.com" target="_blank"><strong>🌐 Postgresus website</strong></a>
   </p>
   
+  <img src="assets/dashboard-dark.svg" alt="Postgresus Dark Dashboard" width="800" style="margin-bottom: 10px;"/>
+
   <img src="assets/dashboard.svg" alt="Postgresus Dashboard" width="800"/>
   
  
@@ -34,38 +36,60 @@
 
 ## ✨ Features
 
-### 🔄 **Scheduled Backups**
+### 🔄 **Scheduled backups**
 
-- **Flexible scheduling**: hourly, daily, weekly, monthly
+- **Flexible scheduling**: hourly, daily, weekly, monthly or cron
 - **Precise timing**: run backups at specific times (e.g., 4 AM during low traffic)
 - **Smart compression**: 4-8x space savings with balanced compression (~20% overhead)
 
-### 🗄️ **Multiple Storage Destinations** <a href="https://postgresus.com/storages">(docs)</a>
+### 🗄️ **Multiple storage destinations** <a href="https://postgresus.com/storages">(view supported)</a>
 
 - **Local storage**: Keep backups on your VPS/server
-- **Cloud storage**: S3, Cloudflare R2, Google Drive, NAS, Dropbox and more
+- **Cloud storage**: S3, Cloudflare R2, Google Drive, NAS, Dropbox, SFTP, Rclone and more
 - **Secure**: All data stays under your control
 
-### 📱 **Smart Notifications** <a href="https://postgresus.com/notifiers">(docs)</a>
+### 📱 **Smart notifications** <a href="https://postgresus.com/notifiers">(view supported)</a>
 
 - **Multiple channels**: Email, Telegram, Slack, Discord, webhooks
 - **Real-time updates**: Success and failure notifications
 - **Team integration**: Perfect for DevOps workflows
 
-### 🐘 **PostgreSQL Support**
+### 🐘 **PostgreSQL support**
 
 - **Multiple versions**: PostgreSQL 12, 13, 14, 15, 16, 17 and 18
 - **SSL support**: Secure connections available
 - **Easy restoration**: One-click restore from any backup
 
-### 👥 **Suitable for Teams** <a href="https://postgresus.com/access-management">(docs)</a>
+### 🔒 **Enterprise-grade security** <a href="https://postgresus.com/security">(docs)</a>
+
+- **AES-256-GCM encryption**: Enterprise-grade protection for backup files
+- **Zero-trust storage**: Backups are encrypted and they are useless to attackers, so you can keep them in shared storages like S3, Azure Blob Storage, etc.
+- **Encryption for secrets**: Any sensitive data is encrypted and never exposed, even in logs or error messages
+- **Read-only user**: Postgresus uses by default a read-only user for backups and never stores anything that can change your data
+
+### 👥 **Suitable for teams** <a href="https://postgresus.com/access-management">(docs)</a>
 
 - **Workspaces**: Group databases, notifiers and storages for different projects or teams
 - **Access management**: Control who can view or manage specific databases with role-based permissions
 - **Audit logs**: Track all system activities and changes made by users
 - **User roles**: Assign viewer, member, admin or owner roles within workspaces
 
-### 🐳 **Self-Hosted & Secure**
+### 🎨 **UX-Friendly**
+
+- **Designer-polished UI**: Clean, intuitive interface crafted with attention to detail
+- **Dark & light themes**: Choose the look that suits your workflow
+- **Mobile adaptive**: Check your backups from anywhere on any device
+
+### ☁️ **Works with self-hosted & cloud databases**
+
+Postgresus works seamlessly with both self-hosted PostgreSQL and cloud-managed databases:
+
+- **Cloud support**: AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL
+- **Self-hosted**: Any PostgreSQL instance you manage yourself
+- **Why no PITR?**: Cloud providers already offer native PITR, and external PITR backups cannot be restored to managed cloud databases — making them impractical for cloud-hosted PostgreSQL
+- **Practical granularity**: Hourly and daily backups are sufficient for 99% of projects without the operational complexity of WAL archiving
+
+### 🐳 **Self-hosted & secure**
 
 - **Docker-based**: Easy deployment and management
 - **Privacy-first**: All your data stays on your infrastructure
@@ -73,7 +97,7 @@
 
 ### 📦 Installation <a href="https://postgresus.com/installation">(docs)</a>
 
-You have three ways to install Postgresus:
+You have several ways to install Postgresus:
 
 - Script (recommended)
 - Simple Docker run
@@ -87,11 +111,11 @@ You have three ways to install Postgresus:
 
 You have three ways to install Postgresus: automated script (recommended), simple Docker run, or Docker Compose setup.
 
-### Option 1: Automated Installation Script (Recommended, Linux only)
+### Option 1: Automated installation script (recommended, Linux only)
 
 The installation script will:
 
-- ✅ Install Docker with Docker Compose(if not already installed)
+- ✅ Install Docker with Docker Compose (if not already installed)
 - ✅ Set up Postgresus
 - ✅ Configure automatic startup on system reboot
 
@@ -101,7 +125,7 @@ sudo curl -sSL https://raw.githubusercontent.com/RostislavDugin/postgresus/refs/
 | sudo bash
 ```
 
-### Option 2: Simple Docker Run
+### Option 2: Simple Docker run
 
 The easiest way to run Postgresus with embedded PostgreSQL:
 
@@ -120,7 +144,7 @@ This single command will:
 - ✅ Store all data in `./postgresus-data` directory
 - ✅ Automatically restart on system reboot
 
-### Option 3: Docker Compose Setup
+### Option 3: Docker Compose setup
 
 Create a `docker-compose.yml` file with the following configuration:
 
@@ -142,19 +166,59 @@ Then run:
 docker compose up -d
 ```
 
+### Option 4: Kubernetes with Helm
+
+For Kubernetes deployments, install directly from the OCI registry.
+
+**With ClusterIP + port-forward (development/testing):**
+
+```bash
+helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
+  -n postgresus --create-namespace
+```
+
+```bash
+kubectl port-forward svc/postgresus-service 4005:4005 -n postgresus
+# Access at http://localhost:4005
+```
+
+**With LoadBalancer (cloud environments):**
+
+```bash
+helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
+  -n postgresus --create-namespace \
+  --set service.type=LoadBalancer
+```
+
+```bash
+kubectl get svc postgresus-service -n postgresus
+# Access at http://<EXTERNAL-IP>:4005
+```
+
+**With Ingress (domain-based access):**
+
+```bash
+helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
+  -n postgresus --create-namespace \
+  --set ingress.enabled=true \
+  --set ingress.hosts[0].host=backup.example.com
+```
+
+For more options (NodePort, TLS, HTTPRoute for Gateway API), see the [Helm chart README](deploy/helm/README.md).
+
 ---
 
 ## 🚀 Usage
 
 1. **Access the dashboard**: Navigate to `http://localhost:4005`
 2. **Add first DB for backup**: Click "New Database" and follow the setup wizard
-3. **Configure schedule**: Choose from hourly, daily, weekly or monthly intervals
+3. **Configure schedule**: Choose from hourly, daily, weekly, monthly or cron intervals
 4. **Set database connection**: Enter your PostgreSQL credentials and connection details
 5. **Choose storage**: Select where to store your backups (local, S3, Google Drive, etc.)
 6. **Add notifications** (optional): Configure email, Telegram, Slack, or webhook notifications
 7. **Save and start**: Postgresus will validate settings and begin the backup schedule
 
-### 🔑 Resetting Password <a href="https://postgresus.com/password">(docs)</a>
+### 🔑 Resetting password <a href="https://postgresus.com/password">(docs)</a>
 
 If you need to reset the password, you can use the built-in password reset command:
 
@@ -168,10 +232,10 @@ Replace `admin` with the actual email address of the user whose password you wan
 
 ## 📝 License
 
-This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details.
+This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details
 
 ---
 
 ## 🤝 Contributing
 
-Contributions are welcome! Read <a href="https://postgresus.com/contributing">contributing guide</a> for more details, prioerities and rules are specified there. If you want to contribute, but don't know what and how - message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)
+Contributions are welcome! Read <a href="https://postgresus.com/contribute">contributing guide</a> for more details, priorities and rules are specified there. If you want to contribute, but don't know what and how - message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)

backend/.cursor/rules/refactor.mdc

@@ -9,4 +9,4 @@ When applying changes, do not forget to refactor old code.
 You can shortify, make more readable, improve code quality, etc.
 Common logic can be extracted to functions, constants, files, etc.
 
-After each large change with more than ~50-100 lines of code - always run `make lint` (from backend root folder).
+After each large change with more than ~50-100 lines of code - always run `make lint` (from backend root folder) and, if you change frontend, run `npm run format` (from frontend root folder).

backend/.env.development.example

@@ -33,4 +33,30 @@ TEST_NAS_PORT=7006
 TEST_TELEGRAM_BOT_TOKEN=
 TEST_TELEGRAM_CHAT_ID=
 # testing Azure Blob Storage
-TEST_AZURITE_BLOB_PORT=10000
+TEST_AZURITE_BLOB_PORT=10000
+# supabase
+TEST_SUPABASE_HOST=
+TEST_SUPABASE_PORT=
+TEST_SUPABASE_USERNAME=
+TEST_SUPABASE_PASSWORD=
+TEST_SUPABASE_DATABASE=
+# FTP
+TEST_FTP_PORT=7007
+# SFTP
+TEST_SFTP_PORT=7008
+# MySQL Test Ports
+TEST_MYSQL_57_PORT=33057
+TEST_MYSQL_80_PORT=33080
+TEST_MYSQL_84_PORT=33084
+# testing MariaDB
+TEST_MARIADB_55_PORT=33055
+TEST_MARIADB_101_PORT=33101
+TEST_MARIADB_102_PORT=33102
+TEST_MARIADB_103_PORT=33103
+TEST_MARIADB_104_PORT=33104
+TEST_MARIADB_105_PORT=33105
+TEST_MARIADB_106_PORT=33106
+TEST_MARIADB_1011_PORT=33111
+TEST_MARIADB_114_PORT=33114
+TEST_MARIADB_118_PORT=33118
+TEST_MARIADB_120_PORT=33120

backend/.gitignore

@@ -3,6 +3,8 @@ main
 docker-compose.yml
 pgdata
 pgdata_test/
+mysqldata/
+mariadbdata/
 main.exe
 swagger/
 swagger/*

backend/.golangci.yml

@@ -1,7 +1,7 @@
 version: "2"
 
 run:
-  timeout: 1m
+  timeout: 5m
   tests: false
   concurrency: 4
 

backend/cmd/main.go

@@ -18,6 +18,7 @@ import (
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/disk"
+	"postgresus-backend/internal/features/encryption/secrets"
 	healthcheck_attempt "postgresus-backend/internal/features/healthcheck/attempt"
 	healthcheck_config "postgresus-backend/internal/features/healthcheck/config"
 	"postgresus-backend/internal/features/notifiers"
@@ -64,6 +65,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	err = secrets.GetSecretKeyService().MigrateKeyFromDbToFileIfExist()
+	if err != nil {
+		log.Error("Failed to migrate secret key from database to file", "error", err)
+		os.Exit(1)
+	}
+
 	err = users_services.GetUserService().CreateInitialAdmin()
 	if err != nil {
 		log.Error("Failed to create initial admin", "error", err)

backend/docker-compose.yml.example

@@ -31,14 +31,6 @@ services:
     container_name: test-minio
     command: server /data --console-address ":9001"
 
-  # Test Azurite container
-  test-azurite:
-    image: mcr.microsoft.com/azure-storage/azurite
-    ports:
-      - "${TEST_AZURITE_BLOB_PORT:-10000}:10000"
-    container_name: test-azurite
-    command: azurite-blob --blobHost 0.0.0.0
-
   # Test PostgreSQL containers
   test-postgres-12:
     image: postgres:12
@@ -117,6 +109,14 @@ services:
     container_name: test-postgres-18
     shm_size: 1gb
 
+  # Test Azurite container
+  test-azurite:
+    image: mcr.microsoft.com/azure-storage/azurite
+    ports:
+      - "${TEST_AZURITE_BLOB_PORT:-10000}:10000"
+    container_name: test-azurite
+    command: azurite-blob --blobHost 0.0.0.0
+
   # Test NAS server (Samba)
   test-nas:
     image: dperson/samba:latest
@@ -132,3 +132,293 @@ services:
       -s "backups;/shared;yes;no;no;testuser"
       -p
     container_name: test-nas
+
+  # Test FTP server
+  test-ftp:
+    image: stilliard/pure-ftpd:latest
+    ports:
+      - "${TEST_FTP_PORT:-21}:21"
+      - "30000-30009:30000-30009"
+    environment:
+      - PUBLICHOST=localhost
+      - FTP_USER_NAME=testuser
+      - FTP_USER_PASS=testpassword
+      - FTP_USER_HOME=/home/ftpusers/testuser
+      - FTP_PASSIVE_PORTS=30000:30009
+    container_name: test-ftp
+
+  # Test SFTP server
+  test-sftp:
+    image: atmoz/sftp:latest
+    ports:
+      - "${TEST_SFTP_PORT:-7008}:22"
+    command: testuser:testpassword:1001::upload
+    container_name: test-sftp
+
+  # Test MySQL containers
+  test-mysql-57:
+    image: mysql:5.7
+    ports:
+      - "${TEST_MYSQL_57_PORT:-33057}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mysqldata/mysql-57:/var/lib/mysql
+    container_name: test-mysql-57
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mysql-80:
+    image: mysql:8.0
+    ports:
+      - "${TEST_MYSQL_80_PORT:-33080}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --default-authentication-plugin=mysql_native_password
+    volumes:
+      - ./mysqldata/mysql-80:/var/lib/mysql
+    container_name: test-mysql-80
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mysql-84:
+    image: mysql:8.4
+    ports:
+      - "${TEST_MYSQL_84_PORT:-33084}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mysqldata/mysql-84:/var/lib/mysql
+    container_name: test-mysql-84
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  # Test MariaDB containers
+  test-mariadb-55:
+    image: mariadb:5.5
+    ports:
+      - "${TEST_MARIADB_55_PORT:-33055}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8 --collation-server=utf8_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-55:/var/lib/mysql
+    container_name: test-mariadb-55
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-101:
+    image: mariadb:10.1
+    ports:
+      - "${TEST_MARIADB_101_PORT:-33101}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-101:/var/lib/mysql
+    container_name: test-mariadb-101
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-102:
+    image: mariadb:10.2
+    ports:
+      - "${TEST_MARIADB_102_PORT:-33102}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-102:/var/lib/mysql
+    container_name: test-mariadb-102
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-103:
+    image: mariadb:10.3
+    ports:
+      - "${TEST_MARIADB_103_PORT:-33103}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-103:/var/lib/mysql
+    container_name: test-mariadb-103
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-104:
+    image: mariadb:10.4
+    ports:
+      - "${TEST_MARIADB_104_PORT:-33104}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-104:/var/lib/mysql
+    container_name: test-mariadb-104
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-105:
+    image: mariadb:10.5
+    ports:
+      - "${TEST_MARIADB_105_PORT:-33105}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-105:/var/lib/mysql
+    container_name: test-mariadb-105
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-106:
+    image: mariadb:10.6
+    ports:
+      - "${TEST_MARIADB_106_PORT:-33106}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-106:/var/lib/mysql
+    container_name: test-mariadb-106
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-1011:
+    image: mariadb:10.11
+    ports:
+      - "${TEST_MARIADB_1011_PORT:-33111}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-1011:/var/lib/mysql
+    container_name: test-mariadb-1011
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-114:
+    image: mariadb:11.4
+    ports:
+      - "${TEST_MARIADB_114_PORT:-33114}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-114:/var/lib/mysql
+    container_name: test-mariadb-114
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-118:
+    image: mariadb:11.8
+    ports:
+      - "${TEST_MARIADB_118_PORT:-33118}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-118:/var/lib/mysql
+    container_name: test-mariadb-118
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  test-mariadb-120:
+    image: mariadb:12.0
+    ports:
+      - "${TEST_MARIADB_120_PORT:-33120}:3306"
+    environment:
+      - MARIADB_ROOT_PASSWORD=rootpassword
+      - MARIADB_DATABASE=testdb
+      - MARIADB_USER=testuser
+      - MARIADB_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mariadbdata/mariadb-120:/var/lib/mysql
+    container_name: test-mariadb-120
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 5s
+      retries: 10

backend/go.mod

@@ -1,6 +1,6 @@
 module postgresus-backend
 
-go 1.23.3
+go 1.24.4
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
@@ -12,35 +12,197 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/ilyakaznacheev/cleanenv v1.5.0
 	github.com/jackc/pgx/v5 v5.7.5
+	github.com/jlaffaye/ftp v0.2.1-0.20240918233326-1b970516f5d3
 	github.com/jmoiron/sqlx v1.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/lib/pq v1.10.9
-	github.com/minio/minio-go/v7 v7.0.92
-	github.com/shirou/gopsutil/v4 v4.25.5
+	github.com/minio/minio-go/v7 v7.0.97
+	github.com/pkg/sftp v1.13.10
+	github.com/rclone/rclone v1.72.1
+	github.com/robfig/cron/v3 v3.0.1
+	github.com/shirou/gopsutil/v4 v4.25.10
 	github.com/stretchr/testify v1.11.1
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
-	golang.org/x/crypto v0.41.0
-	golang.org/x/time v0.12.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/time v0.14.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.26.1
 )
 
-require github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+require (
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.3 // indirect
+	github.com/Azure/go-ntlmssp v0.0.2-0.20251110135918-10b7b7e7cd26 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+	github.com/Files-com/files-sdk-go/v3 v3.2.264 // indirect
+	github.com/IBM/go-sdk-core/v5 v5.21.0 // indirect
+	github.com/Max-Sum/base32768 v0.0.0-20230304063302-18e6ce5945fd // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf // indirect
+	github.com/ProtonMail/gluon v0.17.1-0.20230724134000-308be39be96e // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/ProtonMail/go-srp v0.0.7 // indirect
+	github.com/ProtonMail/gopenpgp/v2 v2.9.0 // indirect
+	github.com/PuerkitoBio/goquery v1.10.3 // indirect
+	github.com/a1ex3/zstd-seekable-format-go/pkg v0.10.0 // indirect
+	github.com/abbot/go-http-auth v0.4.0 // indirect
+	github.com/anchore/go-lzo v0.1.0 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/appscode/go-querystring v0.0.0-20170504095604-0126cfb3f1dc // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.6 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.17 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/aws/smithy-go v1.23.2 // indirect
+	github.com/bahlo/generic-list-go v0.2.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/boombuler/barcode v1.1.0 // indirect
+	github.com/bradenaw/juniper v0.15.3 // indirect
+	github.com/bradfitz/iter v0.0.0-20191230175014-e8f45d346db8 // indirect
+	github.com/buengese/sgzip v0.1.1 // indirect
+	github.com/buger/jsonparser v1.1.1 // indirect
+	github.com/calebcase/tmpfile v1.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chilts/sid v0.0.0-20190607042430-660e94789ec9 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cloudinary/cloudinary-go/v2 v2.13.0 // indirect
+	github.com/cloudsoda/go-smb2 v0.0.0-20250228001242-d4c70e6251cc // indirect
+	github.com/cloudsoda/sddl v0.0.0-20250224235906-926454e91efc // indirect
+	github.com/colinmarc/hdfs/v2 v2.4.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
+	github.com/creasty/defaults v1.8.0 // indirect
+	github.com/cronokirby/saferith v0.33.0 // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
+	github.com/dropbox/dropbox-sdk-go-unofficial/v6 v6.0.5 // indirect
+	github.com/emersion/go-message v0.18.2 // indirect
+	github.com/emersion/go-vcard v0.0.0-20241024213814-c9703dde27ff // indirect
+	github.com/flynn/noise v1.1.0 // indirect
+	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-darwin/apfs v0.0.0-20211011131704-f84b94dbf348 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-openapi/errors v0.22.4 // indirect
+	github.com/go-openapi/strfmt v0.25.0 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/gorilla/schema v1.4.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/henrybear327/Proton-API-Bridge v1.0.0 // indirect
+	github.com/henrybear327/go-proton-api v1.0.0 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/jtolio/noiseconn v0.0.0-20231127013910-f6d9ecbf1de7 // indirect
+	github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004 // indirect
+	github.com/klauspost/crc32 v1.3.0 // indirect
+	github.com/koofr/go-httpclient v0.0.0-20240520111329-e20f8f203988 // indirect
+	github.com/koofr/go-koofrclient v0.0.0-20221207135200-cbd7fc9ad6a6 // indirect
+	github.com/kr/fs v0.1.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lanrat/extsort v1.4.2 // indirect
+	github.com/lpar/date v1.0.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncw/swift/v2 v2.0.5 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.104.0 // indirect
+	github.com/panjf2000/ants/v2 v2.11.3 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pengsrc/go-shared v0.2.1-0.20190131101655-1999055a4a14 // indirect
+	github.com/peterh/liner v1.2.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
+	github.com/pquerna/otp v1.5.0 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.2 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/putdotio/go-putio/putio v0.0.0-20200123120452-16d982cac2b8 // indirect
+	github.com/relvacode/iso8601 v1.7.0 // indirect
+	github.com/rfjakob/eme v1.1.2 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
+	github.com/samber/lo v1.52.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/spacemonkeygo/monkit/v3 v3.0.25-0.20251022131615-eb24eb109368 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/t3rm1n4l/go-mega v0.0.0-20251031123324-a804aaa87491 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	github.com/yunify/qingstor-sdk-go/v3 v3.2.0 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
+	go.mongodb.org/mongo-driver v1.17.6 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/validator.v2 v2.0.1 // indirect
+	moul.io/http2curl/v2 v2.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+	storj.io/common v0.0.0-20251107171817-6221ae45072c // indirect
+	storj.io/drpc v0.0.35-0.20250513201419-f7819ea69b55 // indirect
+	storj.io/eventkit v0.0.0-20250410172343-61f26d3de156 // indirect
+	storj.io/infectious v0.0.2 // indirect
+	storj.io/picobuf v0.0.4 // indirect
+	storj.io/uplink v1.13.1 // indirect
+)
 
 require (
-	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
-	github.com/geoffgarside/ber v1.1.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/geoffgarside/ber v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/hirochachacha/go-smb2 v1.1.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
+	google.golang.org/grpc v1.76.0 // indirect
 )
 
 require (
@@ -51,11 +213,11 @@ require (
 	github.com/bytedance/sonic v1.13.2 // indirect
 	github.com/bytedance/sonic/loader v0.2.4 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.11 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -67,8 +229,8 @@ require (
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.26.0 // indirect
-	github.com/go-sql-driver/mysql v1.9.2 // indirect
+	github.com/go-playground/validator/v10 v10.28.0 // indirect
+	github.com/go-sql-driver/mysql v1.9.2
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
@@ -77,40 +239,39 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/compress v1.18.1
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/minio/crc64nvme v1.0.1 // indirect
+	github.com/minio/crc64nvme v1.1.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.3.0 // indirect
+	github.com/tinylib/msgp v1.5.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	golang.org/x/arch v0.17.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
-	google.golang.org/api v0.239.0
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.33.0
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
+	google.golang.org/api v0.255.0
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 // indirect

backend/internal/config/config.go

@@ -25,9 +25,12 @@ type EnvVariables struct {
 	DatabaseDsn          string            `env:"DATABASE_DSN"         required:"true"`
 	EnvMode              env_utils.EnvMode `env:"ENV_MODE"             required:"true"`
 	PostgresesInstallDir string            `env:"POSTGRES_INSTALL_DIR"`
+	MysqlInstallDir      string            `env:"MYSQL_INSTALL_DIR"`
+	MariadbInstallDir    string            `env:"MARIADB_INSTALL_DIR"`
 
-	DataFolder string
-	TempFolder string
+	DataFolder    string
+	TempFolder    string
+	SecretKeyPath string
 
 	TestGoogleDriveClientID     string `env:"TEST_GOOGLE_DRIVE_CLIENT_ID"`
 	TestGoogleDriveClientSecret string `env:"TEST_GOOGLE_DRIVE_CLIENT_SECRET"`
@@ -46,7 +49,25 @@ type EnvVariables struct {
 
 	TestAzuriteBlobPort string `env:"TEST_AZURITE_BLOB_PORT"`
 
-	TestNASPort string `env:"TEST_NAS_PORT"`
+	TestNASPort  string `env:"TEST_NAS_PORT"`
+	TestFTPPort  string `env:"TEST_FTP_PORT"`
+	TestSFTPPort string `env:"TEST_SFTP_PORT"`
+
+	TestMysql57Port string `env:"TEST_MYSQL_57_PORT"`
+	TestMysql80Port string `env:"TEST_MYSQL_80_PORT"`
+	TestMysql84Port string `env:"TEST_MYSQL_84_PORT"`
+
+	TestMariadb55Port   string `env:"TEST_MARIADB_55_PORT"`
+	TestMariadb101Port  string `env:"TEST_MARIADB_101_PORT"`
+	TestMariadb102Port  string `env:"TEST_MARIADB_102_PORT"`
+	TestMariadb103Port  string `env:"TEST_MARIADB_103_PORT"`
+	TestMariadb104Port  string `env:"TEST_MARIADB_104_PORT"`
+	TestMariadb105Port  string `env:"TEST_MARIADB_105_PORT"`
+	TestMariadb106Port  string `env:"TEST_MARIADB_106_PORT"`
+	TestMariadb1011Port string `env:"TEST_MARIADB_1011_PORT"`
+	TestMariadb114Port  string `env:"TEST_MARIADB_114_PORT"`
+	TestMariadb118Port  string `env:"TEST_MARIADB_118_PORT"`
+	TestMariadb120Port  string `env:"TEST_MARIADB_120_PORT"`
 
 	// oauth
 	GitHubClientID     string `env:"GITHUB_CLIENT_ID"`
@@ -57,6 +78,13 @@ type EnvVariables struct {
 	// testing Telegram
 	TestTelegramBotToken string `env:"TEST_TELEGRAM_BOT_TOKEN"`
 	TestTelegramChatID   string `env:"TEST_TELEGRAM_CHAT_ID"`
+
+	// testing Supabase
+	TestSupabaseHost     string `env:"TEST_SUPABASE_HOST"`
+	TestSupabasePort     string `env:"TEST_SUPABASE_PORT"`
+	TestSupabaseUsername string `env:"TEST_SUPABASE_USERNAME"`
+	TestSupabasePassword string `env:"TEST_SUPABASE_PASSWORD"`
+	TestSupabaseDatabase string `env:"TEST_SUPABASE_DATABASE"`
 }
 
 var (
@@ -142,10 +170,17 @@ func loadEnvVariables() {
 	env.PostgresesInstallDir = filepath.Join(backendRoot, "tools", "postgresql")
 	tools.VerifyPostgresesInstallation(log, env.EnvMode, env.PostgresesInstallDir)
 
+	env.MysqlInstallDir = filepath.Join(backendRoot, "tools", "mysql")
+	tools.VerifyMysqlInstallation(log, env.EnvMode, env.MysqlInstallDir)
+
+	env.MariadbInstallDir = filepath.Join(backendRoot, "tools", "mariadb")
+	tools.VerifyMariadbInstallation(log, env.EnvMode, env.MariadbInstallDir)
+
 	// Store the data and temp folders one level below the root
 	// (projectRoot/postgresus-data -> /postgresus-data)
 	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "backups")
 	env.TempFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "temp")
+	env.SecretKeyPath = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "secret.key")
 
 	if env.IsTesting {
 		if env.TestPostgres12Port == "" {

backend/internal/features/backups/backups/background_service.go

@@ -5,6 +5,7 @@ import (
 	"postgresus-backend/internal/config"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/storages"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/period"
 	"time"
 )
@@ -131,7 +132,8 @@ func (s *BackupBackgroundService) cleanOldBackups() error {
 				continue
 			}
 
-			err = storage.DeleteFile(backup.ID)
+			encryptor := encryption.GetFieldEncryptor()
+			err = storage.DeleteFile(encryptor, backup.ID)
 			if err != nil {
 				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
 			}

backend/internal/features/backups/backups/backup_context_manager.go

@@ -2,20 +2,21 @@ package backups
 
 import (
 	"context"
-	"errors"
 	"sync"
 
 	"github.com/google/uuid"
 )
 
 type BackupContextManager struct {
-	mu          sync.RWMutex
-	cancelFuncs map[uuid.UUID]context.CancelFunc
+	mu               sync.RWMutex
+	cancelFuncs      map[uuid.UUID]context.CancelFunc
+	cancelledBackups map[uuid.UUID]bool
 }
 
 func NewBackupContextManager() *BackupContextManager {
 	return &BackupContextManager{
-		cancelFuncs: make(map[uuid.UUID]context.CancelFunc),
+		cancelFuncs:      make(map[uuid.UUID]context.CancelFunc),
+		cancelledBackups: make(map[uuid.UUID]bool),
 	}
 }
 
@@ -23,25 +24,37 @@ func (m *BackupContextManager) RegisterBackup(backupID uuid.UUID, cancelFunc con
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.cancelFuncs[backupID] = cancelFunc
+	delete(m.cancelledBackups, backupID)
 }
 
 func (m *BackupContextManager) CancelBackup(backupID uuid.UUID) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	cancelFunc, exists := m.cancelFuncs[backupID]
-	if !exists {
-		return errors.New("backup is not in progress or already completed")
+	if m.cancelledBackups[backupID] {
+		return nil
 	}
 
-	cancelFunc()
-	delete(m.cancelFuncs, backupID)
+	cancelFunc, exists := m.cancelFuncs[backupID]
+	if exists {
+		cancelFunc()
+		delete(m.cancelFuncs, backupID)
+	}
+
+	m.cancelledBackups[backupID] = true
 
 	return nil
 }
 
+func (m *BackupContextManager) IsCancelled(backupID uuid.UUID) bool {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.cancelledBackups[backupID]
+}
+
 func (m *BackupContextManager) UnregisterBackup(backupID uuid.UUID) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	delete(m.cancelFuncs, backupID)
+	delete(m.cancelledBackups, backupID)
 }

backend/internal/features/backups/backups/controller.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"postgresus-backend/internal/features/databases"
 	users_middleware "postgresus-backend/internal/features/users/middleware"
 
 	"github.com/gin-gonic/gin"
@@ -181,7 +182,7 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 		return
 	}
 
-	fileReader, err := c.backupService.GetBackupFile(user, id)
+	fileReader, dbType, err := c.backupService.GetBackupFile(user, id)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -192,10 +193,15 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 		}
 	}()
 
+	extension := ".dump.zst"
+	if dbType == databases.DatabaseTypeMysql {
+		extension = ".sql.zst"
+	}
+
 	ctx.Header("Content-Type", "application/octet-stream")
 	ctx.Header(
 		"Content-Disposition",
-		fmt.Sprintf("attachment; filename=\"backup_%s.dump\"", id.String()),
+		fmt.Sprintf("attachment; filename=\"backup_%s%s\"", id.String(), extension),
 	)
 
 	_, err = io.Copy(ctx.Writer, fileReader)

backend/internal/features/backups/backups/controller_test.go

@@ -1,6 +1,7 @@
 package backups
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -26,6 +27,7 @@ import (
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_models "postgresus-backend/internal/features/workspaces/models"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 	"postgresus-backend/internal/util/tools"
 )
@@ -524,7 +526,7 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Register a cancellable context for the backup
-	GetBackupService().backupContextMgr.RegisterBackup(backup.ID, func() {})
+	GetBackupService().backupContextManager.RegisterBackup(backup.ID, func() {})
 
 	resp := test_utils.MakePostRequest(
 		t,
@@ -700,7 +702,7 @@ func createTestBackup(
 	dummyContent := []byte("dummy backup content for testing")
 	reader := strings.NewReader(string(dummyContent))
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-	if err := storages[0].SaveFile(logger, backup.ID, reader); err != nil {
+	if err := storages[0].SaveFile(context.Background(), encryption.GetFieldEncryptor(), logger, backup.ID, reader); err != nil {
 		panic(fmt.Sprintf("Failed to create test backup file: %v", err))
 	}
 

backend/internal/features/backups/backups/di.go

@@ -1,15 +1,18 @@
 package backups
 
 import (
+	"time"
+
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	"postgresus-backend/internal/features/backups/backups/usecases"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
-	"time"
 )
 
 var backupRepository = &BackupRepository{}
@@ -23,6 +26,8 @@ var backupService = &BackupService{
 	notifiers.GetNotifierService(),
 	notifiers.GetNotifierService(),
 	backups_config.GetBackupConfigService(),
+	encryption_secrets.GetSecretKeyService(),
+	encryption.GetFieldEncryptor(),
 	usecases.GetCreateBackupUsecase(),
 	logger.GetLogger(),
 	[]BackupRemoveListener{},

backend/internal/features/backups/backups/dto.go

@@ -1,5 +1,10 @@
 package backups
 
+import (
+	"io"
+	"postgresus-backend/internal/features/backups/backups/encryption"
+)
+
 type GetBackupsRequest struct {
 	DatabaseID string `form:"database_id" binding:"required"`
 	Limit      int    `form:"limit"`
@@ -12,3 +17,12 @@ type GetBackupsResponse struct {
 	Limit   int       `json:"limit"`
 	Offset  int       `json:"offset"`
 }
+
+type decryptionReaderCloser struct {
+	*encryption.DecryptionReader
+	baseReader io.ReadCloser
+}
+
+func (r *decryptionReaderCloser) Close() error {
+	return r.baseReader.Close()
+}

backend/internal/features/backups/backups/encryption/decrypting_reader.go

@@ -0,0 +1,156 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+type DecryptionReader struct {
+	baseReader io.Reader
+	cipher     cipher.AEAD
+	buffer     []byte
+	nonce      []byte
+	chunkIndex uint64
+	headerRead bool
+	eof        bool
+}
+
+func NewDecryptionReader(
+	baseReader io.Reader,
+	masterKey string,
+	backupID uuid.UUID,
+	salt []byte,
+	nonce []byte,
+) (*DecryptionReader, error) {
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes, got %d", SaltLen, len(salt))
+	}
+	if len(nonce) != NonceLen {
+		return nil, fmt.Errorf("nonce must be %d bytes, got %d", NonceLen, len(nonce))
+	}
+
+	derivedKey, err := DeriveBackupKey(masterKey, backupID, salt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive backup key: %w", err)
+	}
+
+	block, err := aes.NewCipher(derivedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	reader := &DecryptionReader{
+		baseReader,
+		aesgcm,
+		make([]byte, 0),
+		nonce,
+		0,
+		false,
+		false,
+	}
+
+	if err := reader.readAndValidateHeader(salt, nonce); err != nil {
+		return nil, err
+	}
+
+	return reader, nil
+}
+
+func (r *DecryptionReader) Read(p []byte) (n int, err error) {
+	for len(r.buffer) < len(p) && !r.eof {
+		if err := r.readAndDecryptChunk(); err != nil {
+			if err == io.EOF {
+				r.eof = true
+				break
+			}
+			return 0, err
+		}
+	}
+
+	if len(r.buffer) == 0 {
+		return 0, io.EOF
+	}
+
+	n = copy(p, r.buffer)
+	r.buffer = r.buffer[n:]
+
+	return n, nil
+}
+
+func (r *DecryptionReader) readAndValidateHeader(expectedSalt, expectedNonce []byte) error {
+	header := make([]byte, HeaderLen)
+
+	if _, err := io.ReadFull(r.baseReader, header); err != nil {
+		return fmt.Errorf("failed to read header: %w", err)
+	}
+
+	magic := string(header[0:MagicBytesLen])
+	if magic != MagicBytes {
+		return fmt.Errorf("invalid magic bytes: expected %s, got %s", MagicBytes, magic)
+	}
+
+	salt := header[MagicBytesLen : MagicBytesLen+SaltLen]
+	nonce := header[MagicBytesLen+SaltLen : MagicBytesLen+SaltLen+NonceLen]
+
+	if string(salt) != string(expectedSalt) {
+		return fmt.Errorf("salt mismatch in file header")
+	}
+
+	if string(nonce) != string(expectedNonce) {
+		return fmt.Errorf("nonce mismatch in file header")
+	}
+
+	r.headerRead = true
+	return nil
+}
+
+func (r *DecryptionReader) readAndDecryptChunk() error {
+	lengthBuf := make([]byte, 4)
+	if _, err := io.ReadFull(r.baseReader, lengthBuf); err != nil {
+		return err
+	}
+
+	chunkLen := binary.BigEndian.Uint32(lengthBuf)
+	if chunkLen == 0 || chunkLen > ChunkSize+16 {
+		return fmt.Errorf("invalid chunk length: %d", chunkLen)
+	}
+
+	encrypted := make([]byte, chunkLen)
+	if _, err := io.ReadFull(r.baseReader, encrypted); err != nil {
+		return fmt.Errorf("failed to read encrypted chunk: %w", err)
+	}
+
+	chunkNonce := r.generateChunkNonce()
+
+	decrypted, err := r.cipher.Open(nil, chunkNonce, encrypted, nil)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to decrypt chunk (authentication failed - file may be corrupted or tampered): %w",
+			err,
+		)
+	}
+
+	r.buffer = append(r.buffer, decrypted...)
+	r.chunkIndex++
+
+	return nil
+}
+
+func (r *DecryptionReader) generateChunkNonce() []byte {
+	chunkNonce := make([]byte, NonceLen)
+	copy(chunkNonce, r.nonce)
+
+	binary.BigEndian.PutUint64(chunkNonce[4:], r.chunkIndex)
+
+	return chunkNonce
+}

backend/internal/features/backups/backups/encryption/encrypting_writer.go

@@ -0,0 +1,147 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+type EncryptionWriter struct {
+	baseWriter    io.Writer
+	cipher        cipher.AEAD
+	buffer        []byte
+	nonce         []byte
+	salt          []byte
+	chunkIndex    uint64
+	headerWritten bool
+}
+
+func NewEncryptionWriter(
+	baseWriter io.Writer,
+	masterKey string,
+	backupID uuid.UUID,
+	salt []byte,
+	nonce []byte,
+) (*EncryptionWriter, error) {
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes, got %d", SaltLen, len(salt))
+	}
+	if len(nonce) != NonceLen {
+		return nil, fmt.Errorf("nonce must be %d bytes, got %d", NonceLen, len(nonce))
+	}
+
+	derivedKey, err := DeriveBackupKey(masterKey, backupID, salt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive backup key: %w", err)
+	}
+
+	block, err := aes.NewCipher(derivedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	writer := &EncryptionWriter{
+		baseWriter:    baseWriter,
+		cipher:        aesgcm,
+		buffer:        make([]byte, 0, ChunkSize),
+		nonce:         nonce,
+		chunkIndex:    0,
+		headerWritten: false,
+		salt:          salt, // Store salt for lazy header writing
+	}
+
+	return writer, nil
+}
+
+func (w *EncryptionWriter) Write(p []byte) (n int, err error) {
+	// Write header on first write (lazy initialization)
+	if !w.headerWritten {
+		if err := w.writeHeader(w.salt, w.nonce); err != nil {
+			return 0, fmt.Errorf("failed to write header: %w", err)
+		}
+	}
+
+	n = len(p)
+	w.buffer = append(w.buffer, p...)
+
+	for len(w.buffer) >= ChunkSize {
+		chunk := w.buffer[:ChunkSize]
+		if err := w.encryptAndWriteChunk(chunk); err != nil {
+			return 0, err
+		}
+		w.buffer = w.buffer[ChunkSize:]
+	}
+
+	return n, nil
+}
+
+func (w *EncryptionWriter) Close() error {
+	// Write header if it hasn't been written yet (in case Close is called without any writes)
+	if !w.headerWritten {
+		if err := w.writeHeader(w.salt, w.nonce); err != nil {
+			return fmt.Errorf("failed to write header: %w", err)
+		}
+	}
+
+	if len(w.buffer) > 0 {
+		if err := w.encryptAndWriteChunk(w.buffer); err != nil {
+			return err
+		}
+		w.buffer = nil
+	}
+	return nil
+}
+
+func (w *EncryptionWriter) writeHeader(salt, nonce []byte) error {
+	header := make([]byte, HeaderLen)
+
+	copy(header[0:MagicBytesLen], []byte(MagicBytes))
+	copy(header[MagicBytesLen:MagicBytesLen+SaltLen], salt)
+	copy(header[MagicBytesLen+SaltLen:MagicBytesLen+SaltLen+NonceLen], nonce)
+
+	_, err := w.baseWriter.Write(header)
+	if err != nil {
+		return fmt.Errorf("failed to write header: %w", err)
+	}
+
+	w.headerWritten = true
+	return nil
+}
+
+func (w *EncryptionWriter) encryptAndWriteChunk(chunk []byte) error {
+	chunkNonce := w.generateChunkNonce()
+
+	encrypted := w.cipher.Seal(nil, chunkNonce, chunk, nil)
+
+	lengthBuf := make([]byte, 4)
+	binary.BigEndian.PutUint32(lengthBuf, uint32(len(encrypted)))
+
+	if _, err := w.baseWriter.Write(lengthBuf); err != nil {
+		return fmt.Errorf("failed to write chunk length: %w", err)
+	}
+
+	if _, err := w.baseWriter.Write(encrypted); err != nil {
+		return fmt.Errorf("failed to write encrypted chunk: %w", err)
+	}
+
+	w.chunkIndex++
+	return nil
+}
+
+func (w *EncryptionWriter) generateChunkNonce() []byte {
+	chunkNonce := make([]byte, NonceLen)
+	copy(chunkNonce, w.nonce)
+
+	binary.BigEndian.PutUint64(chunkNonce[4:], w.chunkIndex)
+
+	return chunkNonce
+}

backend/internal/features/backups/backups/encryption/encryption_test.go

@@ -0,0 +1,387 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_EncryptDecryptRoundTrip_ReturnsOriginalData(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte(
+		"This is a test backup data that should be encrypted and then decrypted successfully.",
+	)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	n, err := writer.Write(originalData)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted := make([]byte, len(originalData))
+	n, err = io.ReadFull(reader, decrypted)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_EncryptDecryptRoundTrip_LargeData_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := make([]byte, 100*1024)
+	_, err = rand.Read(originalData)
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	n, err := writer.Write(originalData)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_EncryptionWriter_MultipleWrites_CombinesCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	part1 := []byte("First part of data. ")
+	part2 := []byte("Second part of data. ")
+	part3 := []byte("Third part of data.")
+	expectedData := append(append(part1, part2...), part3...)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(part1)
+	require.NoError(t, err)
+	_, err = writer.Write(part2)
+	require.NoError(t, err)
+	_, err = writer.Write(part3)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, expectedData, decrypted)
+}
+
+func Test_DecryptionReader_InvalidHeader_ReturnsError(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	invalidHeader := make([]byte, HeaderLen)
+	copy(invalidHeader, []byte("INVALID!"))
+
+	invalidData := bytes.NewBuffer(invalidHeader)
+
+	_, err = NewDecryptionReader(invalidData, masterKey, backupID, salt, nonce)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid magic bytes")
+}
+
+func Test_DecryptionReader_TamperedData_ReturnsError(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("This data will be tampered with.")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	encryptedBytes := encrypted.Bytes()
+	if len(encryptedBytes) > HeaderLen+10 {
+		encryptedBytes[HeaderLen+10] ^= 0xFF
+	}
+
+	tamperedBuffer := bytes.NewBuffer(encryptedBytes)
+
+	reader, err := NewDecryptionReader(tamperedBuffer, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = io.ReadAll(reader)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "authentication failed")
+}
+
+func Test_DeriveBackupKey_SameInputs_ReturnsSameKey(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+
+	key1, err := DeriveBackupKey(masterKey, backupID, salt)
+	require.NoError(t, err)
+
+	key2, err := DeriveBackupKey(masterKey, backupID, salt)
+	require.NoError(t, err)
+
+	assert.Equal(t, key1, key2)
+}
+
+func Test_DeriveBackupKey_DifferentInputs_ReturnsDifferentKeys(t *testing.T) {
+	masterKey1 := uuid.New().String() + uuid.New().String()
+	masterKey2 := uuid.New().String() + uuid.New().String()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	salt1, err := GenerateSalt()
+	require.NoError(t, err)
+	salt2, err := GenerateSalt()
+	require.NoError(t, err)
+
+	key1, err := DeriveBackupKey(masterKey1, backupID1, salt1)
+	require.NoError(t, err)
+
+	key2, err := DeriveBackupKey(masterKey2, backupID1, salt1)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key2)
+
+	key3, err := DeriveBackupKey(masterKey1, backupID2, salt1)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key3)
+
+	key4, err := DeriveBackupKey(masterKey1, backupID1, salt2)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key4)
+}
+
+func Test_EncryptionWriter_PartialChunk_HandledCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	smallData := []byte("Small data less than chunk size")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(smallData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, smallData, decrypted)
+}
+
+func Test_GenerateSalt_ReturnsCorrectLength(t *testing.T) {
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	assert.Equal(t, SaltLen, len(salt))
+}
+
+func Test_GenerateSalt_GeneratesUniqueSalts(t *testing.T) {
+	salt1, err := GenerateSalt()
+	require.NoError(t, err)
+
+	salt2, err := GenerateSalt()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, salt1, salt2)
+}
+
+func Test_GenerateNonce_ReturnsCorrectLength(t *testing.T) {
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+	assert.Equal(t, NonceLen, len(nonce))
+}
+
+func Test_GenerateNonce_GeneratesUniqueNonces(t *testing.T) {
+	nonce1, err := GenerateNonce()
+	require.NoError(t, err)
+
+	nonce2, err := GenerateNonce()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, nonce1, nonce2)
+}
+
+func Test_DecryptionReader_WrongMasterKey_ReturnsError(t *testing.T) {
+	masterKey1 := uuid.New().String() + uuid.New().String()
+	masterKey2 := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("Secret data")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey1, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey2, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = io.ReadAll(reader)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "authentication failed")
+}
+
+func Test_EncryptionWriter_EmptyData_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, 0, len(decrypted))
+}
+
+func Test_EncryptionWriter_MultipleChunks_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	dataSize := ChunkSize*3 + 1000
+	originalData := make([]byte, dataSize)
+	_, err = rand.Read(originalData)
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_DecryptionReader_SmallReads_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("This is test data that will be read in small chunks.")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	var decrypted []byte
+	buf := make([]byte, 5)
+	for {
+		n, err := reader.Read(buf)
+		if n > 0 {
+			decrypted = append(decrypted, buf[:n]...)
+		}
+		if err == io.EOF {
+			break
+		}
+		require.NoError(t, err)
+	}
+
+	assert.Equal(t, originalData, decrypted)
+}

backend/internal/features/backups/backups/encryption/utils.go

@@ -0,0 +1,52 @@
+package encryption
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/google/uuid"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	MagicBytes       = "PGRSUS01"
+	MagicBytesLen    = 8
+	SaltLen          = 32
+	NonceLen         = 12
+	ReservedLen      = 12
+	HeaderLen        = MagicBytesLen + SaltLen + NonceLen + ReservedLen
+	ChunkSize        = 1 * 1024 * 1024
+	PBKDF2Iterations = 100000
+)
+
+func DeriveBackupKey(masterKey string, backupID uuid.UUID, salt []byte) ([]byte, error) {
+	if masterKey == "" {
+		return nil, fmt.Errorf("master key cannot be empty")
+	}
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes", SaltLen)
+	}
+
+	keyMaterial := []byte(masterKey + backupID.String())
+
+	derivedKey := pbkdf2.Key(keyMaterial, salt, PBKDF2Iterations, 32, sha256.New)
+
+	return derivedKey, nil
+}
+
+func GenerateSalt() ([]byte, error) {
+	salt := make([]byte, SaltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+	return salt, nil
+}
+
+func GenerateNonce() ([]byte, error) {
+	nonce := make([]byte, NonceLen)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+	return nonce, nil
+}

backend/internal/features/backups/backups/interfaces.go

@@ -3,6 +3,7 @@ package backups
 import (
 	"context"
 
+	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/notifiers"
@@ -26,10 +27,8 @@ type CreateBackupUsecase interface {
 		backupConfig *backups_config.BackupConfig,
 		database *databases.Database,
 		storage *storages.Storage,
-		backupProgressListener func(
-			completedMBs float64,
-		),
-	) error
+		backupProgressListener func(completedMBs float64),
+	) (*usecases_common.BackupMetadata, error)
 }
 
 type BackupRemoveListener interface {

backend/internal/features/backups/backups/model.go

@@ -1,6 +1,7 @@
 package backups
 
 import (
+	backups_config "postgresus-backend/internal/features/backups/config"
 	"time"
 
 	"github.com/google/uuid"
@@ -19,5 +20,9 @@ type Backup struct {
 
 	BackupDurationMs int64 `json:"backupDurationMs" gorm:"column:backup_duration_ms;default:0"`
 
+	EncryptionSalt *string                         `json:"-"          gorm:"column:encryption_salt"`
+	EncryptionIV   *string                         `json:"-"          gorm:"column:encryption_iv"`
+	Encryption     backups_config.BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
+
 	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at"`
 }

backend/internal/features/backups/backups/service.go

@@ -2,20 +2,25 @@ package backups
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
+	"slices"
+	"strings"
+	"time"
+
 	audit_logs "postgresus-backend/internal/features/audit_logs"
+	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_models "postgresus-backend/internal/features/users/models"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
-	"slices"
-	"strings"
-	"time"
+	util_encryption "postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -27,6 +32,8 @@ type BackupService struct {
 	notifierService     *notifiers.NotifierService
 	notificationSender  NotificationSender
 	backupConfigService *backups_config.BackupConfigService
+	secretKeyService    *encryption_secrets.SecretKeyService
+	fieldEncryptor      util_encryption.FieldEncryptor
 
 	createBackupUseCase CreateBackupUsecase
 
@@ -34,9 +41,9 @@ type BackupService struct {
 
 	backupRemoveListeners []BackupRemoveListener
 
-	workspaceService *workspaces_services.WorkspaceService
-	auditLogService  *audit_logs.AuditLogService
-	backupContextMgr *BackupContextManager
+	workspaceService     *workspaces_services.WorkspaceService
+	auditLogService      *audit_logs.AuditLogService
+	backupContextManager *BackupContextManager
 }
 
 func (s *BackupService) AddBackupRemoveListener(listener BackupRemoveListener) {
@@ -253,10 +260,10 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
-	s.backupContextMgr.RegisterBackup(backup.ID, cancel)
-	defer s.backupContextMgr.UnregisterBackup(backup.ID)
+	s.backupContextManager.RegisterBackup(backup.ID, cancel)
+	defer s.backupContextManager.UnregisterBackup(backup.ID)
 
-	err = s.createBackupUseCase.Execute(
+	backupMetadata, err := s.createBackupUseCase.Execute(
 		ctx,
 		backup.ID,
 		backupConfig,
@@ -268,7 +275,12 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 		errMsg := err.Error()
 
 		// Check if backup was cancelled (not due to shutdown)
-		if strings.Contains(errMsg, "backup cancelled") && !strings.Contains(errMsg, "shutdown") {
+		isCancelled := strings.Contains(errMsg, "backup cancelled") ||
+			strings.Contains(errMsg, "context canceled") ||
+			errors.Is(err, context.Canceled)
+		isShutdown := strings.Contains(errMsg, "shutdown")
+
+		if isCancelled && !isShutdown {
 			backup.Status = BackupStatusCanceled
 			backup.BackupDurationMs = time.Since(start).Milliseconds()
 			backup.BackupSizeMb = 0
@@ -280,7 +292,7 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 			// Delete partial backup from storage
 			storage, storageErr := s.storageService.GetStorageByID(backup.StorageID)
 			if storageErr == nil {
-				if deleteErr := storage.DeleteFile(backup.ID); deleteErr != nil {
+				if deleteErr := storage.DeleteFile(s.fieldEncryptor, backup.ID); deleteErr != nil {
 					s.logger.Error(
 						"Failed to delete partial backup file",
 						"backupId",
@@ -326,6 +338,13 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 	backup.Status = BackupStatusCompleted
 	backup.BackupDurationMs = time.Since(start).Milliseconds()
 
+	// Update backup with encryption metadata if provided
+	if backupMetadata != nil {
+		backup.EncryptionSalt = backupMetadata.EncryptionSalt
+		backup.EncryptionIV = backupMetadata.EncryptionIV
+		backup.Encryption = backupMetadata.Encryption
+	}
+
 	if err := s.backupRepository.Save(backup); err != nil {
 		s.logger.Error("Failed to save backup", "error", err)
 		return
@@ -463,7 +482,7 @@ func (s *BackupService) CancelBackup(
 		return errors.New("backup is not in progress")
 	}
 
-	if err := s.backupContextMgr.CancelBackup(backupID); err != nil {
+	if err := s.backupContextManager.CancelBackup(backupID); err != nil {
 		return err
 	}
 
@@ -483,19 +502,19 @@ func (s *BackupService) CancelBackup(
 func (s *BackupService) GetBackupFile(
 	user *users_models.User,
 	backupID uuid.UUID,
-) (io.ReadCloser, error) {
+) (io.ReadCloser, databases.DatabaseType, error) {
 	backup, err := s.backupRepository.FindByID(backupID)
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	if database.WorkspaceID == nil {
-		return nil, errors.New("cannot download backup for database without workspace")
+		return nil, "", errors.New("cannot download backup for database without workspace")
 	}
 
 	canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
@@ -503,15 +522,10 @@ func (s *BackupService) GetBackupFile(
 		user,
 	)
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 	if !canAccess {
-		return nil, errors.New("insufficient permissions to download backup for this database")
-	}
-
-	storage, err := s.storageService.GetStorageByID(backup.StorageID)
-	if err != nil {
-		return nil, err
+		return nil, "", errors.New("insufficient permissions to download backup for this database")
 	}
 
 	s.auditLogService.WriteAuditLog(
@@ -524,7 +538,12 @@ func (s *BackupService) GetBackupFile(
 		database.WorkspaceID,
 	)
 
-	return storage.GetFile(backup.ID)
+	reader, err := s.getBackupReader(backupID)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return reader, database.Type, nil
 }
 
 func (s *BackupService) deleteBackup(backup *Backup) error {
@@ -539,7 +558,7 @@ func (s *BackupService) deleteBackup(backup *Backup) error {
 		return err
 	}
 
-	err = storage.DeleteFile(backup.ID)
+	err = storage.DeleteFile(s.fieldEncryptor, backup.ID)
 	if err != nil {
 		// we do not return error here, because sometimes clean up performed
 		// before unavailable storage removal or change - therefore we should
@@ -579,3 +598,91 @@ func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 
 	return nil
 }
+
+// GetBackupReader returns a reader for the backup file
+// If encrypted, wraps with DecryptionReader
+func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find backup: %w", err)
+	}
+
+	storage, err := s.storageService.GetStorageByID(backup.StorageID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get storage: %w", err)
+	}
+
+	fileReader, err := storage.GetFile(s.fieldEncryptor, backup.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup file: %w", err)
+	}
+
+	// If not encrypted, return raw reader
+	if backup.Encryption == backups_config.BackupEncryptionNone {
+		s.logger.Info("Returning non-encrypted backup", "backupId", backupID)
+		return fileReader, nil
+	}
+
+	// Decrypt on-the-fly for encrypted backups
+	if backup.Encryption != backups_config.BackupEncryptionEncrypted {
+		if err := fileReader.Close(); err != nil {
+			s.logger.Error("Failed to close file reader", "error", err)
+		}
+		return nil, fmt.Errorf("unsupported encryption type: %s", backup.Encryption)
+	}
+
+	if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+		if err := fileReader.Close(); err != nil {
+			s.logger.Error("Failed to close file reader", "error", err)
+		}
+		return nil, fmt.Errorf("backup marked as encrypted but missing encryption metadata")
+	}
+
+	// Get master key
+	masterKey, err := s.secretKeyService.GetSecretKey()
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	// Decode salt and IV
+	salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to decode salt: %w", err)
+	}
+
+	iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to decode IV: %w", err)
+	}
+
+	// Wrap with decrypting reader
+	decryptionReader, err := encryption.NewDecryptionReader(
+		fileReader,
+		masterKey,
+		backup.ID,
+		salt,
+		iv,
+	)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to create decrypting reader: %w", err)
+	}
+
+	s.logger.Info("Returning encrypted backup with decryption", "backupId", backupID)
+
+	return &decryptionReaderCloser{
+		decryptionReader,
+		fileReader,
+	}, nil
+}

backend/internal/features/backups/backups/service_test.go

@@ -3,18 +3,22 @@ package backups
 import (
 	"context"
 	"errors"
+	"strings"
+	"testing"
+	"time"
+
+	"postgresus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_enums "postgresus-backend/internal/features/users/enums"
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
-	"strings"
-	"testing"
-	"time"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -53,11 +57,13 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			encryption_secrets.GetSecretKeyService(),
+			encryption.GetFieldEncryptor(),
 			&CreateFailedBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 
@@ -99,11 +105,13 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			encryption_secrets.GetSecretKeyService(),
+			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 
@@ -122,11 +130,13 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			encryption_secrets.GetSecretKeyService(),
+			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 
@@ -168,16 +178,13 @@ func (uc *CreateFailedBackupUsecase) Execute(
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
-	backupProgressListener func(
-		completedMBs float64,
-	),
-) error {
-	backupProgressListener(10) // Assume we completed 10MB
-	return errors.New("backup failed")
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return nil, errors.New("backup failed")
 }
 
-type CreateSuccessBackupUsecase struct {
-}
+type CreateSuccessBackupUsecase struct{}
 
 func (uc *CreateSuccessBackupUsecase) Execute(
 	ctx context.Context,
@@ -185,10 +192,12 @@ func (uc *CreateSuccessBackupUsecase) Execute(
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
-	backupProgressListener func(
-		completedMBs float64,
-	),
-) error {
-	backupProgressListener(10) // Assume we completed 10MB
-	return nil
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
 }

backend/internal/features/backups/backups/usecases/common/dto.go

@@ -0,0 +1,9 @@
+package common
+
+import backups_config "postgresus-backend/internal/features/backups/config"
+
+type BackupMetadata struct {
+	EncryptionSalt *string
+	EncryptionIV   *string
+	Encryption     backups_config.BackupEncryption
+}

backend/internal/features/backups/backups/usecases/common/interfaces.go

@@ -0,0 +1,22 @@
+package common
+
+import "io"
+
+type CountingWriter struct {
+	Writer       io.Writer
+	BytesWritten int64
+}
+
+func (cw *CountingWriter) Write(p []byte) (n int, err error) {
+	n, err = cw.Writer.Write(p)
+	cw.BytesWritten += int64(n)
+	return n, err
+}
+
+func (cw *CountingWriter) GetBytesWritten() int64 {
+	return cw.BytesWritten
+}
+
+func NewCountingWriter(writer io.Writer) *CountingWriter {
+	return &CountingWriter{Writer: writer}
+}

backend/internal/features/backups/backups/usecases/create_backup_uc.go

@@ -3,6 +3,10 @@ package usecases
 import (
 	"context"
 	"errors"
+
+	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
+	usecases_mariadb "postgresus-backend/internal/features/backups/backups/usecases/mariadb"
+	usecases_mysql "postgresus-backend/internal/features/backups/backups/usecases/mysql"
 	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
@@ -13,20 +17,20 @@ import (
 
 type CreateBackupUsecase struct {
 	CreatePostgresqlBackupUsecase *usecases_postgresql.CreatePostgresqlBackupUsecase
+	CreateMysqlBackupUsecase      *usecases_mysql.CreateMysqlBackupUsecase
+	CreateMariadbBackupUsecase    *usecases_mariadb.CreateMariadbBackupUsecase
 }
 
-// Execute creates a backup of the database and returns the backup size in MB
 func (uc *CreateBackupUsecase) Execute(
 	ctx context.Context,
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	database *databases.Database,
 	storage *storages.Storage,
-	backupProgressListener func(
-		completedMBs float64,
-	),
-) error {
-	if database.Type == databases.DatabaseTypePostgres {
+	backupProgressListener func(completedMBs float64),
+) (*usecases_common.BackupMetadata, error) {
+	switch database.Type {
+	case databases.DatabaseTypePostgres:
 		return uc.CreatePostgresqlBackupUsecase.Execute(
 			ctx,
 			backupID,
@@ -35,7 +39,28 @@ func (uc *CreateBackupUsecase) Execute(
 			storage,
 			backupProgressListener,
 		)
-	}
 
-	return errors.New("database type not supported")
+	case databases.DatabaseTypeMysql:
+		return uc.CreateMysqlBackupUsecase.Execute(
+			ctx,
+			backupID,
+			backupConfig,
+			database,
+			storage,
+			backupProgressListener,
+		)
+
+	case databases.DatabaseTypeMariadb:
+		return uc.CreateMariadbBackupUsecase.Execute(
+			ctx,
+			backupID,
+			backupConfig,
+			database,
+			storage,
+			backupProgressListener,
+		)
+
+	default:
+		return nil, errors.New("database type not supported")
+	}
 }

backend/internal/features/backups/backups/usecases/di.go

@@ -1,11 +1,15 @@
 package usecases
 
 import (
+	usecases_mariadb "postgresus-backend/internal/features/backups/backups/usecases/mariadb"
+	usecases_mysql "postgresus-backend/internal/features/backups/backups/usecases/mysql"
 	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
 )
 
 var createBackupUsecase = &CreateBackupUsecase{
 	usecases_postgresql.GetCreatePostgresqlBackupUsecase(),
+	usecases_mysql.GetCreateMysqlBackupUsecase(),
+	usecases_mariadb.GetCreateMariadbBackupUsecase(),
 }
 
 func GetCreateBackupUsecase() *CreateBackupUsecase {

backend/internal/features/backups/backups/usecases/mariadb/create_backup_uc.go

@@ -0,0 +1,595 @@
+package usecases_mariadb
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/klauspost/compress/zstd"
+
+	"postgresus-backend/internal/config"
+	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
+	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
+	backups_config "postgresus-backend/internal/features/backups/config"
+	"postgresus-backend/internal/features/databases"
+	mariadbtypes "postgresus-backend/internal/features/databases/databases/mariadb"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/features/storages"
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/tools"
+)
+
+const (
+	backupTimeout               = 23 * time.Hour
+	shutdownCheckInterval       = 1 * time.Second
+	copyBufferSize              = 8 * 1024 * 1024
+	progressReportIntervalMB    = 1.0
+	zstdStorageCompressionLevel = 3
+	exitCodeGenericError        = 1
+	exitCodeConnectionError     = 2
+)
+
+type CreateMariadbBackupUsecase struct {
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+	fieldEncryptor   encryption.FieldEncryptor
+}
+
+type writeResult struct {
+	bytesWritten int
+	writeErr     error
+}
+
+func (uc *CreateMariadbBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	db *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*usecases_common.BackupMetadata, error) {
+	uc.logger.Info(
+		"Creating MariaDB backup via mariadb-dump",
+		"databaseId", db.ID,
+		"storageId", storage.ID,
+	)
+
+	if !backupConfig.IsBackupsEnabled {
+		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
+	}
+
+	mdb := db.Mariadb
+	if mdb == nil {
+		return nil, fmt.Errorf("mariadb database configuration is required")
+	}
+
+	if mdb.Database == nil || *mdb.Database == "" {
+		return nil, fmt.Errorf("database name is required for mariadb-dump backups")
+	}
+
+	decryptedPassword, err := uc.fieldEncryptor.Decrypt(db.ID, mdb.Password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt database password: %w", err)
+	}
+
+	args := uc.buildMariadbDumpArgs(mdb)
+
+	return uc.streamToStorage(
+		ctx,
+		backupID,
+		backupConfig,
+		tools.GetMariadbExecutable(
+			tools.MariadbExecutableMariadbDump,
+			mdb.Version,
+			config.GetEnv().EnvMode,
+			config.GetEnv().MariadbInstallDir,
+		),
+		args,
+		decryptedPassword,
+		storage,
+		backupProgressListener,
+		mdb,
+	)
+}
+
+func (uc *CreateMariadbBackupUsecase) buildMariadbDumpArgs(
+	mdb *mariadbtypes.MariadbDatabase,
+) []string {
+	args := []string{
+		"--host=" + mdb.Host,
+		"--port=" + strconv.Itoa(mdb.Port),
+		"--user=" + mdb.Username,
+		"--single-transaction",
+		"--routines",
+		"--triggers",
+		"--events",
+		"--quick",
+		"--verbose",
+	}
+
+	args = append(args, "--compress")
+
+	if mdb.IsHttps {
+		args = append(args, "--ssl")
+	}
+
+	if mdb.Database != nil && *mdb.Database != "" {
+		args = append(args, *mdb.Database)
+	}
+
+	return args
+}
+
+func (uc *CreateMariadbBackupUsecase) streamToStorage(
+	parentCtx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	mariadbBin string,
+	args []string,
+	password string,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+	mdbConfig *mariadbtypes.MariadbDatabase,
+) (*usecases_common.BackupMetadata, error) {
+	uc.logger.Info("Streaming MariaDB backup to storage", "mariadbBin", mariadbBin)
+
+	ctx, cancel := uc.createBackupContext(parentCtx)
+	defer cancel()
+
+	myCnfFile, err := uc.createTempMyCnfFile(mdbConfig, password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create .my.cnf: %w", err)
+	}
+	defer func() { _ = os.RemoveAll(filepath.Dir(myCnfFile)) }()
+
+	fullArgs := append([]string{"--defaults-file=" + myCnfFile}, args...)
+
+	cmd := exec.CommandContext(ctx, mariadbBin, fullArgs...)
+	uc.logger.Info("Executing MariaDB backup command", "command", cmd.String())
+
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env,
+		"MYSQL_PWD=",
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+	)
+
+	pgStdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stdout pipe: %w", err)
+	}
+
+	pgStderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	stderrCh := make(chan []byte, 1)
+	go func() {
+		stderrOutput, _ := io.ReadAll(pgStderr)
+		stderrCh <- stderrOutput
+	}()
+
+	storageReader, storageWriter := io.Pipe()
+
+	finalWriter, encryptionWriter, backupMetadata, err := uc.setupBackupEncryption(
+		backupID,
+		backupConfig,
+		storageWriter,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	zstdWriter, err := zstd.NewWriter(finalWriter,
+		zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(zstdStorageCompressionLevel)))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
+	}
+	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+
+	saveErrCh := make(chan error, 1)
+	go func() {
+		saveErr := storage.SaveFile(ctx, uc.fieldEncryptor, uc.logger, backupID, storageReader)
+		saveErrCh <- saveErr
+	}()
+
+	if err = cmd.Start(); err != nil {
+		return nil, fmt.Errorf("start %s: %w", filepath.Base(mariadbBin), err)
+	}
+
+	copyResultCh := make(chan error, 1)
+	bytesWrittenCh := make(chan int64, 1)
+	go func() {
+		bytesWritten, err := uc.copyWithShutdownCheck(
+			ctx,
+			countingWriter,
+			pgStdout,
+			backupProgressListener,
+		)
+		bytesWrittenCh <- bytesWritten
+		copyResultCh <- err
+	}()
+
+	copyErr := <-copyResultCh
+	bytesWritten := <-bytesWrittenCh
+	waitErr := cmd.Wait()
+
+	select {
+	case <-ctx.Done():
+		uc.cleanupOnCancellation(zstdWriter, encryptionWriter, storageWriter, saveErrCh)
+		return nil, uc.checkCancellationReason()
+	default:
+	}
+
+	if err := zstdWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close zstd writer", "error", err)
+	}
+	if err := uc.closeWriters(encryptionWriter, storageWriter); err != nil {
+		<-saveErrCh
+		return nil, err
+	}
+
+	saveErr := <-saveErrCh
+	stderrOutput := <-stderrCh
+
+	if waitErr == nil && copyErr == nil && saveErr == nil && backupProgressListener != nil {
+		sizeMB := float64(bytesWritten) / (1024 * 1024)
+		backupProgressListener(sizeMB)
+	}
+
+	switch {
+	case waitErr != nil:
+		return nil, uc.buildMariadbDumpErrorMessage(waitErr, stderrOutput, mariadbBin)
+	case copyErr != nil:
+		return nil, fmt.Errorf("copy to storage: %w", copyErr)
+	case saveErr != nil:
+		return nil, fmt.Errorf("save to storage: %w", saveErr)
+	}
+
+	return &backupMetadata, nil
+}
+
+func (uc *CreateMariadbBackupUsecase) createTempMyCnfFile(
+	mdbConfig *mariadbtypes.MariadbDatabase,
+	password string,
+) (string, error) {
+	tempDir, err := os.MkdirTemp("", "mycnf")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
+
+	myCnfFile := filepath.Join(tempDir, ".my.cnf")
+
+	content := fmt.Sprintf(`[client]
+user=%s
+password="%s"
+host=%s
+port=%d
+`, mdbConfig.Username, tools.EscapeMariadbPassword(password), mdbConfig.Host, mdbConfig.Port)
+
+	if mdbConfig.IsHttps {
+		content += "ssl=true\n"
+	} else {
+		content += "ssl=false\n"
+	}
+
+	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	if err != nil {
+		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
+	}
+
+	return myCnfFile, nil
+}
+
+func (uc *CreateMariadbBackupUsecase) copyWithShutdownCheck(
+	ctx context.Context,
+	dst io.Writer,
+	src io.Reader,
+	backupProgressListener func(completedMBs float64),
+) (int64, error) {
+	buf := make([]byte, copyBufferSize)
+	var totalBytesWritten int64
+	var lastReportedMB float64
+
+	for {
+		select {
+		case <-ctx.Done():
+			return totalBytesWritten, fmt.Errorf("copy cancelled: %w", ctx.Err())
+		default:
+		}
+
+		if config.IsShouldShutdown() {
+			return totalBytesWritten, fmt.Errorf("copy cancelled due to shutdown")
+		}
+
+		bytesRead, readErr := src.Read(buf)
+		if bytesRead > 0 {
+			writeResultCh := make(chan writeResult, 1)
+			go func() {
+				bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+				writeResultCh <- writeResult{bytesWritten, writeErr}
+			}()
+
+			var bytesWritten int
+			var writeErr error
+
+			select {
+			case <-ctx.Done():
+				return totalBytesWritten, fmt.Errorf("copy cancelled during write: %w", ctx.Err())
+			case result := <-writeResultCh:
+				bytesWritten = result.bytesWritten
+				writeErr = result.writeErr
+			}
+
+			if bytesWritten < 0 || bytesRead < bytesWritten {
+				bytesWritten = 0
+				if writeErr == nil {
+					writeErr = fmt.Errorf("invalid write result")
+				}
+			}
+
+			if writeErr != nil {
+				return totalBytesWritten, writeErr
+			}
+
+			if bytesRead != bytesWritten {
+				return totalBytesWritten, io.ErrShortWrite
+			}
+
+			totalBytesWritten += int64(bytesWritten)
+
+			if backupProgressListener != nil {
+				currentSizeMB := float64(totalBytesWritten) / (1024 * 1024)
+				if currentSizeMB >= lastReportedMB+progressReportIntervalMB {
+					backupProgressListener(currentSizeMB)
+					lastReportedMB = currentSizeMB
+				}
+			}
+		}
+
+		if readErr != nil {
+			if readErr != io.EOF {
+				return totalBytesWritten, readErr
+			}
+			break
+		}
+	}
+
+	return totalBytesWritten, nil
+}
+
+func (uc *CreateMariadbBackupUsecase) createBackupContext(
+	parentCtx context.Context,
+) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithTimeout(parentCtx, backupTimeout)
+
+	go func() {
+		ticker := time.NewTicker(shutdownCheckInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-parentCtx.Done():
+				cancel()
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	return ctx, cancel
+}
+
+func (uc *CreateMariadbBackupUsecase) setupBackupEncryption(
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	storageWriter io.WriteCloser,
+) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
+	metadata := usecases_common.BackupMetadata{}
+
+	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
+		metadata.Encryption = backups_config.BackupEncryptionNone
+		uc.logger.Info("Encryption disabled for backup", "backupId", backupID)
+		return storageWriter, nil, metadata, nil
+	}
+
+	salt, err := backup_encryption.GenerateSalt()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := backup_encryption.GenerateNonce()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	masterKey, err := uc.secretKeyService.GetSecretKey()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	encWriter, err := backup_encryption.NewEncryptionWriter(
+		storageWriter,
+		masterKey,
+		backupID,
+		salt,
+		nonce,
+	)
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+	}
+
+	saltBase64 := base64.StdEncoding.EncodeToString(salt)
+	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
+	metadata.EncryptionSalt = &saltBase64
+	metadata.EncryptionIV = &nonceBase64
+	metadata.Encryption = backups_config.BackupEncryptionEncrypted
+
+	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
+	return encWriter, encWriter, metadata, nil
+}
+
+func (uc *CreateMariadbBackupUsecase) cleanupOnCancellation(
+	zstdWriter *zstd.Encoder,
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+	saveErrCh chan error,
+) {
+	if zstdWriter != nil {
+		go func() {
+			if closeErr := zstdWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close zstd writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if encryptionWriter != nil {
+		go func() {
+			if closeErr := encryptionWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close encrypting writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer during cancellation", "error", err)
+	}
+
+	<-saveErrCh
+}
+
+func (uc *CreateMariadbBackupUsecase) closeWriters(
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+) error {
+	encryptionCloseErrCh := make(chan error, 1)
+	if encryptionWriter != nil {
+		go func() {
+			closeErr := encryptionWriter.Close()
+			if closeErr != nil {
+				uc.logger.Error("Failed to close encrypting writer", "error", closeErr)
+			}
+			encryptionCloseErrCh <- closeErr
+		}()
+	} else {
+		encryptionCloseErrCh <- nil
+	}
+
+	encryptionCloseErr := <-encryptionCloseErrCh
+	if encryptionCloseErr != nil {
+		if err := storageWriter.Close(); err != nil {
+			uc.logger.Error("Failed to close pipe writer after encryption error", "error", err)
+		}
+		return fmt.Errorf("failed to close encryption writer: %w", encryptionCloseErr)
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+func (uc *CreateMariadbBackupUsecase) checkCancellationReason() error {
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("backup cancelled due to shutdown")
+	}
+	return fmt.Errorf("backup cancelled")
+}
+
+func (uc *CreateMariadbBackupUsecase) buildMariadbDumpErrorMessage(
+	waitErr error,
+	stderrOutput []byte,
+	mariadbBin string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf(
+		"%s failed: %v – stderr: %s",
+		filepath.Base(mariadbBin),
+		waitErr,
+		stderrStr,
+	)
+
+	exitErr, ok := waitErr.(*exec.ExitError)
+	if !ok {
+		return errors.New(errorMsg)
+	}
+
+	exitCode := exitErr.ExitCode()
+
+	if exitCode == exitCodeGenericError || exitCode == exitCodeConnectionError {
+		return uc.handleConnectionErrors(stderrStr)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func (uc *CreateMariadbBackupUsecase) handleConnectionErrors(stderrStr string) error {
+	if containsIgnoreCase(stderrStr, "access denied") {
+		return fmt.Errorf(
+			"MariaDB access denied. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "can't connect") ||
+		containsIgnoreCase(stderrStr, "connection refused") {
+		return fmt.Errorf(
+			"MariaDB connection refused. Check if the server is running and accessible. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "unknown database") {
+		return fmt.Errorf(
+			"MariaDB database does not exist. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") {
+		return fmt.Errorf(
+			"MariaDB SSL connection failed. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"MariaDB connection timeout. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return fmt.Errorf("MariaDB connection or authentication error. stderr: %s", stderrStr)
+}
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/backups/backups/usecases/mariadb/di.go

@@ -0,0 +1,17 @@
+package usecases_mariadb
+
+import (
+	"postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/logger"
+)
+
+var createMariadbBackupUsecase = &CreateMariadbBackupUsecase{
+	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
+	encryption.GetFieldEncryptor(),
+}
+
+func GetCreateMariadbBackupUsecase() *CreateMariadbBackupUsecase {
+	return createMariadbBackupUsecase
+}

backend/internal/features/backups/backups/usecases/mysql/create_backup_uc.go

@@ -0,0 +1,608 @@
+package usecases_mysql
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/klauspost/compress/zstd"
+
+	"postgresus-backend/internal/config"
+	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
+	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
+	backups_config "postgresus-backend/internal/features/backups/config"
+	"postgresus-backend/internal/features/databases"
+	mysqltypes "postgresus-backend/internal/features/databases/databases/mysql"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/features/storages"
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/tools"
+)
+
+const (
+	backupTimeout               = 23 * time.Hour
+	shutdownCheckInterval       = 1 * time.Second
+	copyBufferSize              = 8 * 1024 * 1024
+	progressReportIntervalMB    = 1.0
+	zstdStorageCompressionLevel = 3
+	exitCodeGenericError        = 1
+	exitCodeConnectionError     = 2
+)
+
+type CreateMysqlBackupUsecase struct {
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+	fieldEncryptor   encryption.FieldEncryptor
+}
+
+type writeResult struct {
+	bytesWritten int
+	writeErr     error
+}
+
+func (uc *CreateMysqlBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	db *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*usecases_common.BackupMetadata, error) {
+	uc.logger.Info(
+		"Creating MySQL backup via mysqldump",
+		"databaseId", db.ID,
+		"storageId", storage.ID,
+	)
+
+	if !backupConfig.IsBackupsEnabled {
+		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
+	}
+
+	my := db.Mysql
+	if my == nil {
+		return nil, fmt.Errorf("mysql database configuration is required")
+	}
+
+	if my.Database == nil || *my.Database == "" {
+		return nil, fmt.Errorf("database name is required for mysqldump backups")
+	}
+
+	decryptedPassword, err := uc.fieldEncryptor.Decrypt(db.ID, my.Password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt database password: %w", err)
+	}
+
+	args := uc.buildMysqldumpArgs(my)
+
+	return uc.streamToStorage(
+		ctx,
+		backupID,
+		backupConfig,
+		tools.GetMysqlExecutable(
+			my.Version,
+			tools.MysqlExecutableMysqldump,
+			config.GetEnv().EnvMode,
+			config.GetEnv().MysqlInstallDir,
+		),
+		args,
+		decryptedPassword,
+		storage,
+		backupProgressListener,
+		my,
+	)
+}
+
+func (uc *CreateMysqlBackupUsecase) buildMysqldumpArgs(my *mysqltypes.MysqlDatabase) []string {
+	args := []string{
+		"--host=" + my.Host,
+		"--port=" + strconv.Itoa(my.Port),
+		"--user=" + my.Username,
+		"--single-transaction",
+		"--routines",
+		"--triggers",
+		"--events",
+		"--set-gtid-purged=OFF",
+		"--quick",
+		"--verbose",
+	}
+
+	args = append(args, uc.getNetworkCompressionArgs(my.Version)...)
+
+	if my.IsHttps {
+		args = append(args, "--ssl-mode=REQUIRED")
+	}
+
+	if my.Database != nil && *my.Database != "" {
+		args = append(args, *my.Database)
+	}
+
+	return args
+}
+
+func (uc *CreateMysqlBackupUsecase) getNetworkCompressionArgs(version tools.MysqlVersion) []string {
+	const zstdCompressionLevel = 3
+
+	switch version {
+	case tools.MysqlVersion80, tools.MysqlVersion84:
+		return []string{
+			"--compression-algorithms=zstd",
+			fmt.Sprintf("--zstd-compression-level=%d", zstdCompressionLevel),
+		}
+	case tools.MysqlVersion57:
+		return []string{"--compress"}
+	default:
+		return []string{"--compress"}
+	}
+}
+
+func (uc *CreateMysqlBackupUsecase) streamToStorage(
+	parentCtx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	mysqlBin string,
+	args []string,
+	password string,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+	myConfig *mysqltypes.MysqlDatabase,
+) (*usecases_common.BackupMetadata, error) {
+	uc.logger.Info("Streaming MySQL backup to storage", "mysqlBin", mysqlBin)
+
+	ctx, cancel := uc.createBackupContext(parentCtx)
+	defer cancel()
+
+	myCnfFile, err := uc.createTempMyCnfFile(myConfig, password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create .my.cnf: %w", err)
+	}
+	defer func() { _ = os.RemoveAll(filepath.Dir(myCnfFile)) }()
+
+	fullArgs := append([]string{"--defaults-file=" + myCnfFile}, args...)
+
+	cmd := exec.CommandContext(ctx, mysqlBin, fullArgs...)
+	uc.logger.Info("Executing MySQL backup command", "command", cmd.String())
+
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env,
+		"MYSQL_PWD=",
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+	)
+
+	pgStdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stdout pipe: %w", err)
+	}
+
+	pgStderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	stderrCh := make(chan []byte, 1)
+	go func() {
+		stderrOutput, _ := io.ReadAll(pgStderr)
+		stderrCh <- stderrOutput
+	}()
+
+	storageReader, storageWriter := io.Pipe()
+
+	finalWriter, encryptionWriter, backupMetadata, err := uc.setupBackupEncryption(
+		backupID,
+		backupConfig,
+		storageWriter,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	zstdWriter, err := zstd.NewWriter(finalWriter,
+		zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(zstdStorageCompressionLevel)))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
+	}
+	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+
+	saveErrCh := make(chan error, 1)
+	go func() {
+		saveErr := storage.SaveFile(ctx, uc.fieldEncryptor, uc.logger, backupID, storageReader)
+		saveErrCh <- saveErr
+	}()
+
+	if err = cmd.Start(); err != nil {
+		return nil, fmt.Errorf("start %s: %w", filepath.Base(mysqlBin), err)
+	}
+
+	copyResultCh := make(chan error, 1)
+	bytesWrittenCh := make(chan int64, 1)
+	go func() {
+		bytesWritten, err := uc.copyWithShutdownCheck(
+			ctx,
+			countingWriter,
+			pgStdout,
+			backupProgressListener,
+		)
+		bytesWrittenCh <- bytesWritten
+		copyResultCh <- err
+	}()
+
+	copyErr := <-copyResultCh
+	bytesWritten := <-bytesWrittenCh
+	waitErr := cmd.Wait()
+
+	select {
+	case <-ctx.Done():
+		uc.cleanupOnCancellation(zstdWriter, encryptionWriter, storageWriter, saveErrCh)
+		return nil, uc.checkCancellationReason()
+	default:
+	}
+
+	if err := zstdWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close zstd writer", "error", err)
+	}
+	if err := uc.closeWriters(encryptionWriter, storageWriter); err != nil {
+		<-saveErrCh
+		return nil, err
+	}
+
+	saveErr := <-saveErrCh
+	stderrOutput := <-stderrCh
+
+	if waitErr == nil && copyErr == nil && saveErr == nil && backupProgressListener != nil {
+		sizeMB := float64(bytesWritten) / (1024 * 1024)
+		backupProgressListener(sizeMB)
+	}
+
+	switch {
+	case waitErr != nil:
+		return nil, uc.buildMysqldumpErrorMessage(waitErr, stderrOutput, mysqlBin)
+	case copyErr != nil:
+		return nil, fmt.Errorf("copy to storage: %w", copyErr)
+	case saveErr != nil:
+		return nil, fmt.Errorf("save to storage: %w", saveErr)
+	}
+
+	return &backupMetadata, nil
+}
+
+func (uc *CreateMysqlBackupUsecase) createTempMyCnfFile(
+	myConfig *mysqltypes.MysqlDatabase,
+	password string,
+) (string, error) {
+	tempDir, err := os.MkdirTemp("", "mycnf")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
+
+	myCnfFile := filepath.Join(tempDir, ".my.cnf")
+
+	content := fmt.Sprintf(`[client]
+user=%s
+password="%s"
+host=%s
+port=%d
+`, myConfig.Username, tools.EscapeMysqlPassword(password), myConfig.Host, myConfig.Port)
+
+	if myConfig.IsHttps {
+		content += "ssl-mode=REQUIRED\n"
+	}
+
+	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	if err != nil {
+		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
+	}
+
+	return myCnfFile, nil
+}
+
+func (uc *CreateMysqlBackupUsecase) copyWithShutdownCheck(
+	ctx context.Context,
+	dst io.Writer,
+	src io.Reader,
+	backupProgressListener func(completedMBs float64),
+) (int64, error) {
+	buf := make([]byte, copyBufferSize)
+	var totalBytesWritten int64
+	var lastReportedMB float64
+
+	for {
+		select {
+		case <-ctx.Done():
+			return totalBytesWritten, fmt.Errorf("copy cancelled: %w", ctx.Err())
+		default:
+		}
+
+		if config.IsShouldShutdown() {
+			return totalBytesWritten, fmt.Errorf("copy cancelled due to shutdown")
+		}
+
+		bytesRead, readErr := src.Read(buf)
+		if bytesRead > 0 {
+			writeResultCh := make(chan writeResult, 1)
+			go func() {
+				bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+				writeResultCh <- writeResult{bytesWritten, writeErr}
+			}()
+
+			var bytesWritten int
+			var writeErr error
+
+			select {
+			case <-ctx.Done():
+				return totalBytesWritten, fmt.Errorf("copy cancelled during write: %w", ctx.Err())
+			case result := <-writeResultCh:
+				bytesWritten = result.bytesWritten
+				writeErr = result.writeErr
+			}
+
+			if bytesWritten < 0 || bytesRead < bytesWritten {
+				bytesWritten = 0
+				if writeErr == nil {
+					writeErr = fmt.Errorf("invalid write result")
+				}
+			}
+
+			if writeErr != nil {
+				return totalBytesWritten, writeErr
+			}
+
+			if bytesRead != bytesWritten {
+				return totalBytesWritten, io.ErrShortWrite
+			}
+
+			totalBytesWritten += int64(bytesWritten)
+
+			if backupProgressListener != nil {
+				currentSizeMB := float64(totalBytesWritten) / (1024 * 1024)
+				if currentSizeMB >= lastReportedMB+progressReportIntervalMB {
+					backupProgressListener(currentSizeMB)
+					lastReportedMB = currentSizeMB
+				}
+			}
+		}
+
+		if readErr != nil {
+			if readErr != io.EOF {
+				return totalBytesWritten, readErr
+			}
+			break
+		}
+	}
+
+	return totalBytesWritten, nil
+}
+
+func (uc *CreateMysqlBackupUsecase) createBackupContext(
+	parentCtx context.Context,
+) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithTimeout(parentCtx, backupTimeout)
+
+	go func() {
+		ticker := time.NewTicker(shutdownCheckInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-parentCtx.Done():
+				cancel()
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	return ctx, cancel
+}
+
+func (uc *CreateMysqlBackupUsecase) setupBackupEncryption(
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	storageWriter io.WriteCloser,
+) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
+	metadata := usecases_common.BackupMetadata{}
+
+	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
+		metadata.Encryption = backups_config.BackupEncryptionNone
+		uc.logger.Info("Encryption disabled for backup", "backupId", backupID)
+		return storageWriter, nil, metadata, nil
+	}
+
+	salt, err := backup_encryption.GenerateSalt()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := backup_encryption.GenerateNonce()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	masterKey, err := uc.secretKeyService.GetSecretKey()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	encWriter, err := backup_encryption.NewEncryptionWriter(
+		storageWriter,
+		masterKey,
+		backupID,
+		salt,
+		nonce,
+	)
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+	}
+
+	saltBase64 := base64.StdEncoding.EncodeToString(salt)
+	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
+	metadata.EncryptionSalt = &saltBase64
+	metadata.EncryptionIV = &nonceBase64
+	metadata.Encryption = backups_config.BackupEncryptionEncrypted
+
+	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
+	return encWriter, encWriter, metadata, nil
+}
+
+func (uc *CreateMysqlBackupUsecase) cleanupOnCancellation(
+	zstdWriter *zstd.Encoder,
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+	saveErrCh chan error,
+) {
+	if zstdWriter != nil {
+		go func() {
+			if closeErr := zstdWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close zstd writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if encryptionWriter != nil {
+		go func() {
+			if closeErr := encryptionWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close encrypting writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer during cancellation", "error", err)
+	}
+
+	<-saveErrCh
+}
+
+func (uc *CreateMysqlBackupUsecase) closeWriters(
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+) error {
+	encryptionCloseErrCh := make(chan error, 1)
+	if encryptionWriter != nil {
+		go func() {
+			closeErr := encryptionWriter.Close()
+			if closeErr != nil {
+				uc.logger.Error("Failed to close encrypting writer", "error", closeErr)
+			}
+			encryptionCloseErrCh <- closeErr
+		}()
+	} else {
+		encryptionCloseErrCh <- nil
+	}
+
+	encryptionCloseErr := <-encryptionCloseErrCh
+	if encryptionCloseErr != nil {
+		if err := storageWriter.Close(); err != nil {
+			uc.logger.Error("Failed to close pipe writer after encryption error", "error", err)
+		}
+		return fmt.Errorf("failed to close encryption writer: %w", encryptionCloseErr)
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+func (uc *CreateMysqlBackupUsecase) checkCancellationReason() error {
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("backup cancelled due to shutdown")
+	}
+	return fmt.Errorf("backup cancelled")
+}
+
+func (uc *CreateMysqlBackupUsecase) buildMysqldumpErrorMessage(
+	waitErr error,
+	stderrOutput []byte,
+	mysqlBin string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf(
+		"%s failed: %v – stderr: %s",
+		filepath.Base(mysqlBin),
+		waitErr,
+		stderrStr,
+	)
+
+	exitErr, ok := waitErr.(*exec.ExitError)
+	if !ok {
+		return errors.New(errorMsg)
+	}
+
+	exitCode := exitErr.ExitCode()
+
+	if exitCode == exitCodeGenericError || exitCode == exitCodeConnectionError {
+		return uc.handleConnectionErrors(stderrStr)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func (uc *CreateMysqlBackupUsecase) handleConnectionErrors(stderrStr string) error {
+	if containsIgnoreCase(stderrStr, "access denied") {
+		return fmt.Errorf(
+			"MySQL access denied. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "can't connect") ||
+		containsIgnoreCase(stderrStr, "connection refused") {
+		return fmt.Errorf(
+			"MySQL connection refused. Check if the server is running and accessible. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "unknown database") {
+		return fmt.Errorf(
+			"MySQL database does not exist. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") {
+		return fmt.Errorf(
+			"MySQL SSL connection failed. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"MySQL connection timeout. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return fmt.Errorf("MySQL connection or authentication error. stderr: %s", stderrStr)
+}
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/backups/backups/usecases/mysql/di.go

@@ -0,0 +1,17 @@
+package usecases_mysql
+
+import (
+	"postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/logger"
+)
+
+var createMysqlBackupUsecase = &CreateMysqlBackupUsecase{
+	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
+	encryption.GetFieldEncryptor(),
+}
+
+func GetCreateMysqlBackupUsecase() *CreateMysqlBackupUsecase {
+	return createMysqlBackupUsecase
+}

backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go

@@ -2,6 +2,7 @@ package usecases_postgresql
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -14,20 +15,42 @@ import (
 	"time"
 
 	"postgresus-backend/internal/config"
+	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
+	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/storages"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/tools"
 
 	"github.com/google/uuid"
 )
 
+const (
+	backupTimeout            = 23 * time.Hour
+	shutdownCheckInterval    = 1 * time.Second
+	copyBufferSize           = 8 * 1024 * 1024
+	progressReportIntervalMB = 1.0
+	pgConnectTimeout         = 30
+	compressionLevel         = 5
+	exitCodeAccessViolation  = -1073741819
+	exitCodeGenericError     = 1
+	exitCodeConnectionError  = 2
+)
+
 type CreatePostgresqlBackupUsecase struct {
-	logger *slog.Logger
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+	fieldEncryptor   encryption.FieldEncryptor
+}
+
+type writeResult struct {
+	bytesWritten int
+	writeErr     error
 }
 
-// Execute creates a backup of the database
 func (uc *CreatePostgresqlBackupUsecase) Execute(
 	ctx context.Context,
 	backupID uuid.UUID,
@@ -37,7 +60,7 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) error {
+) (*usecases_common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating PostgreSQL backup via pg_dump custom format",
 		"databaseId",
@@ -47,38 +70,24 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 	)
 
 	if !backupConfig.IsBackupsEnabled {
-		return fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
+		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
 	}
 
 	pg := db.Postgresql
 
 	if pg == nil {
-		return fmt.Errorf("postgresql database configuration is required for pg_dump backups")
+		return nil, fmt.Errorf("postgresql database configuration is required for pg_dump backups")
 	}
 
 	if pg.Database == nil || *pg.Database == "" {
-		return fmt.Errorf("database name is required for pg_dump backups")
+		return nil, fmt.Errorf("database name is required for pg_dump backups")
 	}
 
-	args := []string{
-		"-Fc",           // custom format with built-in compression
-		"--no-password", // Use environment variable for password, prevent prompts
-		"-h", pg.Host,
-		"-p", strconv.Itoa(pg.Port),
-		"-U", pg.Username,
-		"-d", *pg.Database,
-		"--verbose", // Add verbose output to help with debugging
-	}
+	args := uc.buildPgDumpArgs(pg)
 
-	// Use zstd compression level 5 for PostgreSQL 16+ (better compression and speed)
-	// Fall back to gzip compression level 5 for older versions (12-15)
-	if pg.Version == tools.PostgresqlVersion12 || pg.Version == tools.PostgresqlVersion13 ||
-		pg.Version == tools.PostgresqlVersion14 || pg.Version == tools.PostgresqlVersion15 {
-		args = append(args, "-Z", "5")
-		uc.logger.Info("Using gzip compression level 5 (zstd not available)", "version", pg.Version)
-	} else {
-		args = append(args, "--compress=zstd:5")
-		uc.logger.Info("Using zstd compression level 5", "version", pg.Version)
+	decryptedPassword, err := uc.fieldEncryptor.Decrypt(db.ID, pg.Password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt database password: %w", err)
 	}
 
 	return uc.streamToStorage(
@@ -92,7 +101,7 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 			config.GetEnv().PostgresesInstallDir,
 		),
 		args,
-		pg.Password,
+		decryptedPassword,
 		storage,
 		db,
 		backupProgressListener,
@@ -110,124 +119,38 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	db *databases.Database,
 	backupProgressListener func(completedMBs float64),
-) error {
+) (*usecases_common.BackupMetadata, error) {
 	uc.logger.Info("Streaming PostgreSQL backup to storage", "pgBin", pgBin, "args", args)
 
-	// if backup not fit into 23 hours, Postgresus
-	// seems not to work for such database size
-	ctx, cancel := context.WithTimeout(parentCtx, 23*time.Hour)
+	ctx, cancel := uc.createBackupContext(parentCtx)
 	defer cancel()
 
-	// Monitor for shutdown and cancel context if needed
-	go func() {
-		ticker := time.NewTicker(1 * time.Second)
-		defer ticker.Stop()
-
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				if config.IsShouldShutdown() {
-					cancel()
-					return
-				}
-			}
-		}
-	}()
-
-	// Create temporary .pgpass file as a more reliable alternative to PGPASSWORD
-	pgpassFile, err := uc.createTempPgpassFile(db.Postgresql, password)
+	pgpassFile, err := uc.setupPgpassFile(db.Postgresql, password)
 	if err != nil {
-		return fmt.Errorf("failed to create temporary .pgpass file: %w", err)
+		return nil, err
 	}
 	defer func() {
 		if pgpassFile != "" {
-			_ = os.Remove(pgpassFile)
+			// Remove the entire temp directory (which contains the .pgpass file)
+			_ = os.RemoveAll(filepath.Dir(pgpassFile))
 		}
 	}()
 
-	// Verify .pgpass file was created successfully
-	if pgpassFile == "" {
-		return fmt.Errorf("temporary .pgpass file was not created")
-	}
-
-	// Verify .pgpass file was created correctly
-	if info, err := os.Stat(pgpassFile); err == nil {
-		uc.logger.Info("Temporary .pgpass file created successfully",
-			"pgpassFile", pgpassFile,
-			"size", info.Size(),
-			"mode", info.Mode(),
-		)
-	} else {
-		return fmt.Errorf("failed to verify .pgpass file: %w", err)
-	}
-
 	cmd := exec.CommandContext(ctx, pgBin, args...)
 	uc.logger.Info("Executing PostgreSQL backup command", "command", cmd.String())
 
-	// Start with system environment variables to preserve Windows PATH, SystemRoot, etc.
-	cmd.Env = os.Environ()
-
-	// Use the .pgpass file for authentication
-	cmd.Env = append(cmd.Env, "PGPASSFILE="+pgpassFile)
-	uc.logger.Info("Using temporary .pgpass file for authentication", "pgpassFile", pgpassFile)
-
-	// Debug password setup (without exposing the actual password)
-	uc.logger.Info("Setting up PostgreSQL environment",
-		"passwordLength", len(password),
-		"passwordEmpty", password == "",
-		"pgBin", pgBin,
-		"usingPgpassFile", true,
-		"parallelJobs", backupConfig.CpuCount,
-	)
-
-	// Add PostgreSQL-specific environment variables
-	cmd.Env = append(cmd.Env, "PGCLIENTENCODING=UTF8")
-	cmd.Env = append(cmd.Env, "PGCONNECT_TIMEOUT=30")
-
-	// Add encoding-related environment variables to handle character encoding issues
-	cmd.Env = append(cmd.Env, "LC_ALL=C.UTF-8")
-	cmd.Env = append(cmd.Env, "LANG=C.UTF-8")
-
-	// Add PostgreSQL-specific encoding settings
-	cmd.Env = append(cmd.Env, "PGOPTIONS=--client-encoding=UTF8")
-
-	shouldRequireSSL := db.Postgresql.IsHttps
-
-	// Require SSL when explicitly configured
-	if shouldRequireSSL {
-		cmd.Env = append(cmd.Env, "PGSSLMODE=require")
-		uc.logger.Info("Using required SSL mode", "configuredHttps", db.Postgresql.IsHttps)
-	} else {
-		// SSL not explicitly required, but prefer it if available
-		cmd.Env = append(cmd.Env, "PGSSLMODE=prefer")
-		uc.logger.Info("Using preferred SSL mode", "configuredHttps", db.Postgresql.IsHttps)
-	}
-
-	// Set other SSL parameters to avoid certificate issues
-	cmd.Env = append(cmd.Env, "PGSSLCERT=")     // No client certificate
-	cmd.Env = append(cmd.Env, "PGSSLKEY=")      // No client key
-	cmd.Env = append(cmd.Env, "PGSSLROOTCERT=") // No root certificate verification
-	cmd.Env = append(cmd.Env, "PGSSLCRL=")      // No certificate revocation list
-
-	// Verify executable exists and is accessible
-	if _, err := exec.LookPath(pgBin); err != nil {
-		return fmt.Errorf(
-			"PostgreSQL executable not found or not accessible: %s - %w",
-			pgBin,
-			err,
-		)
+	if err := uc.setupPgEnvironment(cmd, pgpassFile, db.Postgresql.IsHttps, password, backupConfig.CpuCount, pgBin); err != nil {
+		return nil, err
 	}
 
 	pgStdout, err := cmd.StdoutPipe()
 	if err != nil {
-		return fmt.Errorf("stdout pipe: %w", err)
+		return nil, fmt.Errorf("stdout pipe: %w", err)
 	}
 
 	pgStderr, err := cmd.StderrPipe()
 	if err != nil {
-		return fmt.Errorf("stderr pipe: %w", err)
+		return nil, fmt.Errorf("stderr pipe: %w", err)
 	}
 
 	// Capture stderr in a separate goroutine to ensure we don't miss any error output
@@ -237,23 +160,31 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 		stderrCh <- stderrOutput
 	}()
 
-	// A pipe connecting pg_dump output → storage
 	storageReader, storageWriter := io.Pipe()
 
-	// Create a counting writer to track bytes
-	countingWriter := &CountingWriter{writer: storageWriter}
+	finalWriter, encryptionWriter, backupMetadata, err := uc.setupBackupEncryption(
+		backupID,
+		backupConfig,
+		storageWriter,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	countingWriter := usecases_common.NewCountingWriter(finalWriter)
 
 	// The backup ID becomes the object key / filename in storage
 
 	// Start streaming into storage in its own goroutine
 	saveErrCh := make(chan error, 1)
 	go func() {
-		saveErrCh <- storage.SaveFile(uc.logger, backupID, storageReader)
+		saveErr := storage.SaveFile(ctx, uc.fieldEncryptor, uc.logger, backupID, storageReader)
+		saveErrCh <- saveErr
 	}()
 
 	// Start pg_dump
 	if err = cmd.Start(); err != nil {
-		return fmt.Errorf("start %s: %w", filepath.Base(pgBin), err)
+		return nil, fmt.Errorf("start %s: %w", filepath.Base(pgBin), err)
 	}
 
 	// Copy pg output directly to storage with shutdown checks
@@ -270,37 +201,22 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 		copyResultCh <- err
 	}()
 
-	// Wait for the copy to finish first, then the dump process
 	copyErr := <-copyResultCh
 	bytesWritten := <-bytesWrittenCh
 	waitErr := cmd.Wait()
 
-	// Check for shutdown or cancellation before finalizing
 	select {
 	case <-ctx.Done():
-		if pipeWriter, ok := countingWriter.writer.(*io.PipeWriter); ok {
-			if err := pipeWriter.Close(); err != nil {
-				uc.logger.Error("Failed to close counting writer", "error", err)
-			}
-		}
-
-		<-saveErrCh // Wait for storage to finish
-
-		if config.IsShouldShutdown() {
-			return fmt.Errorf("backup cancelled due to shutdown")
-		}
-		return fmt.Errorf("backup cancelled")
+		uc.cleanupOnCancellation(encryptionWriter, storageWriter, saveErrCh)
+		return nil, uc.checkCancellationReason()
 	default:
 	}
 
-	// Close the pipe writer to signal end of data
-	if pipeWriter, ok := countingWriter.writer.(*io.PipeWriter); ok {
-		if err := pipeWriter.Close(); err != nil {
-			uc.logger.Error("Failed to close counting writer", "error", err)
-		}
+	if err := uc.closeWriters(encryptionWriter, storageWriter); err != nil {
+		<-saveErrCh
+		return nil, err
 	}
 
-	// Wait until storage ends reading
 	saveErr := <-saveErrCh
 	stderrOutput := <-stderrCh
 
@@ -312,149 +228,34 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 
 	switch {
 	case waitErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		// Enhanced error handling for PostgreSQL connection and SSL issues
-		stderrStr := string(stderrOutput)
-		errorMsg := fmt.Sprintf(
-			"%s failed: %v – stderr: %s",
-			filepath.Base(pgBin),
-			waitErr,
-			stderrStr,
-		)
-
-		// Check for specific PostgreSQL error patterns
-		if exitErr, ok := waitErr.(*exec.ExitError); ok {
-			exitCode := exitErr.ExitCode()
-
-			// Enhanced debugging for exit status 1 with empty stderr
-			if exitCode == 1 && strings.TrimSpace(stderrStr) == "" {
-				uc.logger.Error("pg_dump failed with exit status 1 but no stderr output",
-					"pgBin", pgBin,
-					"args", args,
-					"env_vars", []string{
-						"PGCLIENTENCODING=UTF8",
-						"PGCONNECT_TIMEOUT=30",
-						"LC_ALL=C.UTF-8",
-						"LANG=C.UTF-8",
-						"PGOPTIONS=--client-encoding=UTF8",
-					},
-				)
-
-				errorMsg = fmt.Sprintf(
-					"%s failed with exit status 1 but provided no error details. "+
-						"This often indicates: "+
-						"1) Connection timeout or refused connection, "+
-						"2) Authentication failure with incorrect credentials, "+
-						"3) Database does not exist, "+
-						"4) Network connectivity issues, "+
-						"5) PostgreSQL server not running. "+
-						"Command executed: %s %s",
-					filepath.Base(pgBin),
-					pgBin,
-					strings.Join(args, " "),
-				)
-			} else if exitCode == -1073741819 { // 0xC0000005 in decimal
-				uc.logger.Error("PostgreSQL tool crashed with access violation",
-					"pgBin", pgBin,
-					"args", args,
-					"exitCode", fmt.Sprintf("0x%X", uint32(exitCode)),
-				)
-
-				errorMsg = fmt.Sprintf(
-					"%s crashed with access violation (0xC0000005). This may indicate incompatible PostgreSQL version, corrupted installation, or connection issues. stderr: %s",
-					filepath.Base(pgBin),
-					stderrStr,
-				)
-			} else if exitCode == 1 || exitCode == 2 {
-				// Check for common connection and authentication issues
-				if containsIgnoreCase(stderrStr, "pg_hba.conf") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection rejected by server configuration (pg_hba.conf). The server may not allow connections from your IP address or may require different authentication settings. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "no password supplied") || containsIgnoreCase(stderrStr, "fe_sendauth") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL authentication failed - no password supplied. "+
-							"PGPASSWORD environment variable may not be working correctly on this system. "+
-							"Password length: %d, Password empty: %v. "+
-							"Consider using a .pgpass file as an alternative. stderr: %s",
-						len(password),
-						password == "",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "ssl") && containsIgnoreCase(stderrStr, "connection") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL SSL connection failed. The server may require SSL encryption or have SSL configuration issues. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "connection") && containsIgnoreCase(stderrStr, "refused") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection refused. Check if the server is running and accessible from your network. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "authentication") || containsIgnoreCase(stderrStr, "password") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL authentication failed. Check username and password. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "timeout") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection timeout. The server may be unreachable or overloaded. stderr: %s",
-						stderrStr,
-					)
-				}
-			}
-		}
-
-		return errors.New(errorMsg)
+		return nil, uc.buildPgDumpErrorMessage(waitErr, stderrOutput, pgBin, args, password)
 	case copyErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		return fmt.Errorf("copy to storage: %w", copyErr)
+		return nil, fmt.Errorf("copy to storage: %w", copyErr)
 	case saveErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		return fmt.Errorf("save to storage: %w", saveErr)
+		return nil, fmt.Errorf("save to storage: %w", saveErr)
 	}
 
-	return nil
+	return &backupMetadata, nil
 }
 
-// copyWithShutdownCheck copies data from src to dst while checking for shutdown
 func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 	ctx context.Context,
 	dst io.Writer,
 	src io.Reader,
 	backupProgressListener func(completedMBs float64),
 ) (int64, error) {
-	buf := make([]byte, 32*1024) // 32KB buffer
+	buf := make([]byte, copyBufferSize)
 	var totalBytesWritten int64
-
-	// Progress reporting interval - report every 1MB of data
 	var lastReportedMB float64
-	const reportIntervalMB = 1.0
 
 	for {
 		select {
@@ -469,7 +270,23 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 
 		bytesRead, readErr := src.Read(buf)
 		if bytesRead > 0 {
-			bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+			writeResultCh := make(chan writeResult, 1)
+			go func() {
+				bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+				writeResultCh <- writeResult{bytesWritten, writeErr}
+			}()
+
+			var bytesWritten int
+			var writeErr error
+
+			select {
+			case <-ctx.Done():
+				return totalBytesWritten, fmt.Errorf("copy cancelled during write: %w", ctx.Err())
+			case result := <-writeResultCh:
+				bytesWritten = result.bytesWritten
+				writeErr = result.writeErr
+			}
+
 			if bytesWritten < 0 || bytesRead < bytesWritten {
 				bytesWritten = 0
 				if writeErr == nil {
@@ -487,12 +304,9 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 
 			totalBytesWritten += int64(bytesWritten)
 
-			// Report progress based on total size
 			if backupProgressListener != nil {
 				currentSizeMB := float64(totalBytesWritten) / (1024 * 1024)
-
-				// Only report if we've written at least 1MB more data than last report
-				if currentSizeMB >= lastReportedMB+reportIntervalMB {
+				if currentSizeMB >= lastReportedMB+progressReportIntervalMB {
 					backupProgressListener(currentSizeMB)
 					lastReportedMB = currentSizeMB
 				}
@@ -503,7 +317,6 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 			if readErr != io.EOF {
 				return totalBytesWritten, readErr
 			}
-
 			break
 		}
 	}
@@ -511,12 +324,417 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 	return totalBytesWritten, nil
 }
 
-// containsIgnoreCase checks if a string contains a substring, ignoring case
-func containsIgnoreCase(str, substr string) bool {
-	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+func (uc *CreatePostgresqlBackupUsecase) buildPgDumpArgs(pg *pgtypes.PostgresqlDatabase) []string {
+	args := []string{
+		"-Fc",
+		"--no-password",
+		"-h", pg.Host,
+		"-p", strconv.Itoa(pg.Port),
+		"-U", pg.Username,
+		"-d", *pg.Database,
+		"--verbose",
+	}
+
+	for _, schema := range pg.IncludeSchemas {
+		args = append(args, "-n", schema)
+	}
+
+	compressionArgs := uc.getCompressionArgs(pg.Version)
+	return append(args, compressionArgs...)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) getCompressionArgs(
+	version tools.PostgresqlVersion,
+) []string {
+	if uc.isOlderPostgresVersion(version) {
+		uc.logger.Info("Using gzip compression level 5 (zstd not available)", "version", version)
+		return []string{"-Z", strconv.Itoa(compressionLevel)}
+	}
+
+	uc.logger.Info("Using zstd compression level 5", "version", version)
+	return []string{fmt.Sprintf("--compress=zstd:%d", compressionLevel)}
+}
+
+func (uc *CreatePostgresqlBackupUsecase) isOlderPostgresVersion(
+	version tools.PostgresqlVersion,
+) bool {
+	return version == tools.PostgresqlVersion12 ||
+		version == tools.PostgresqlVersion13 ||
+		version == tools.PostgresqlVersion14 ||
+		version == tools.PostgresqlVersion15
+}
+
+func (uc *CreatePostgresqlBackupUsecase) createBackupContext(
+	parentCtx context.Context,
+) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithTimeout(parentCtx, backupTimeout)
+
+	go func() {
+		ticker := time.NewTicker(shutdownCheckInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-parentCtx.Done():
+				cancel()
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	return ctx, cancel
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupPgpassFile(
+	pgConfig *pgtypes.PostgresqlDatabase,
+	password string,
+) (string, error) {
+	pgpassFile, err := uc.createTempPgpassFile(pgConfig, password)
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary .pgpass file: %w", err)
+	}
+
+	if pgpassFile == "" {
+		return "", fmt.Errorf("temporary .pgpass file was not created")
+	}
+
+	if info, err := os.Stat(pgpassFile); err == nil {
+		uc.logger.Info("Temporary .pgpass file created successfully",
+			"pgpassFile", pgpassFile,
+			"size", info.Size(),
+			"mode", info.Mode(),
+		)
+	} else {
+		return "", fmt.Errorf("failed to verify .pgpass file: %w", err)
+	}
+
+	return pgpassFile, nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupPgEnvironment(
+	cmd *exec.Cmd,
+	pgpassFile string,
+	shouldRequireSSL bool,
+	password string,
+	cpuCount int,
+	pgBin string,
+) error {
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, "PGPASSFILE="+pgpassFile)
+
+	uc.logger.Info("Using temporary .pgpass file for authentication", "pgpassFile", pgpassFile)
+	uc.logger.Info("Setting up PostgreSQL environment",
+		"passwordLength", len(password),
+		"passwordEmpty", password == "",
+		"pgBin", pgBin,
+		"usingPgpassFile", true,
+		"parallelJobs", cpuCount,
+	)
+
+	cmd.Env = append(cmd.Env,
+		"PGCLIENTENCODING=UTF8",
+		"PGCONNECT_TIMEOUT="+strconv.Itoa(pgConnectTimeout),
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+	)
+
+	if shouldRequireSSL {
+		cmd.Env = append(cmd.Env, "PGSSLMODE=require")
+		uc.logger.Info("Using required SSL mode", "configuredHttps", shouldRequireSSL)
+	} else {
+		cmd.Env = append(cmd.Env, "PGSSLMODE=prefer")
+		uc.logger.Info("Using preferred SSL mode", "configuredHttps", shouldRequireSSL)
+	}
+
+	cmd.Env = append(cmd.Env,
+		"PGSSLCERT=",
+		"PGSSLKEY=",
+		"PGSSLROOTCERT=",
+		"PGSSLCRL=",
+	)
+
+	if _, err := exec.LookPath(pgBin); err != nil {
+		return fmt.Errorf("PostgreSQL executable not found or not accessible: %s - %w", pgBin, err)
+	}
+
+	return nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	storageWriter io.WriteCloser,
+) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
+	metadata := usecases_common.BackupMetadata{}
+
+	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
+		metadata.Encryption = backups_config.BackupEncryptionNone
+		uc.logger.Info("Encryption disabled for backup", "backupId", backupID)
+		return storageWriter, nil, metadata, nil
+	}
+
+	salt, err := backup_encryption.GenerateSalt()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := backup_encryption.GenerateNonce()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	masterKey, err := uc.secretKeyService.GetSecretKey()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	encWriter, err := backup_encryption.NewEncryptionWriter(
+		storageWriter,
+		masterKey,
+		backupID,
+		salt,
+		nonce,
+	)
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+	}
+
+	saltBase64 := base64.StdEncoding.EncodeToString(salt)
+	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
+	metadata.EncryptionSalt = &saltBase64
+	metadata.EncryptionIV = &nonceBase64
+	metadata.Encryption = backups_config.BackupEncryptionEncrypted
+
+	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
+	return encWriter, encWriter, metadata, nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) cleanupOnCancellation(
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+	saveErrCh chan error,
+) {
+	if encryptionWriter != nil {
+		go func() {
+			if closeErr := encryptionWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close encrypting writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer during cancellation", "error", err)
+	}
+
+	<-saveErrCh
+}
+
+func (uc *CreatePostgresqlBackupUsecase) closeWriters(
+	encryptionWriter *backup_encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+) error {
+	encryptionCloseErrCh := make(chan error, 1)
+	if encryptionWriter != nil {
+		go func() {
+			closeErr := encryptionWriter.Close()
+			if closeErr != nil {
+				uc.logger.Error("Failed to close encrypting writer", "error", closeErr)
+			}
+			encryptionCloseErrCh <- closeErr
+		}()
+	} else {
+		encryptionCloseErrCh <- nil
+	}
+
+	encryptionCloseErr := <-encryptionCloseErrCh
+	if encryptionCloseErr != nil {
+		if err := storageWriter.Close(); err != nil {
+			uc.logger.Error("Failed to close pipe writer after encryption error", "error", err)
+		}
+		return fmt.Errorf("failed to close encryption writer: %w", encryptionCloseErr)
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) checkCancellation(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		if config.IsShouldShutdown() {
+			return fmt.Errorf("backup cancelled due to shutdown")
+		}
+		return fmt.Errorf("backup cancelled")
+	default:
+		return nil
+	}
+}
+
+func (uc *CreatePostgresqlBackupUsecase) checkCancellationReason() error {
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("backup cancelled due to shutdown")
+	}
+	return fmt.Errorf("backup cancelled")
+}
+
+func (uc *CreatePostgresqlBackupUsecase) buildPgDumpErrorMessage(
+	waitErr error,
+	stderrOutput []byte,
+	pgBin string,
+	args []string,
+	password string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf("%s failed: %v – stderr: %s", filepath.Base(pgBin), waitErr, stderrStr)
+
+	exitErr, ok := waitErr.(*exec.ExitError)
+	if !ok {
+		return errors.New(errorMsg)
+	}
+
+	exitCode := exitErr.ExitCode()
+
+	if exitCode == exitCodeGenericError && strings.TrimSpace(stderrStr) == "" {
+		return uc.handleExitCode1NoStderr(pgBin, args)
+	}
+
+	if exitCode == exitCodeAccessViolation {
+		return uc.handleAccessViolation(pgBin, stderrStr)
+	}
+
+	if exitCode == exitCodeGenericError || exitCode == exitCodeConnectionError {
+		return uc.handleConnectionErrors(stderrStr, password)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleExitCode1NoStderr(
+	pgBin string,
+	args []string,
+) error {
+	uc.logger.Error("pg_dump failed with exit status 1 but no stderr output",
+		"pgBin", pgBin,
+		"args", args,
+		"env_vars", []string{
+			"PGCLIENTENCODING=UTF8",
+			"PGCONNECT_TIMEOUT=" + strconv.Itoa(pgConnectTimeout),
+			"LC_ALL=C.UTF-8",
+			"LANG=C.UTF-8",
+		},
+	)
+
+	return fmt.Errorf(
+		"%s failed with exit status 1 but provided no error details. "+
+			"This often indicates: "+
+			"1) Connection timeout or refused connection, "+
+			"2) Authentication failure with incorrect credentials, "+
+			"3) Database does not exist, "+
+			"4) Network connectivity issues, "+
+			"5) PostgreSQL server not running. "+
+			"Command executed: %s %s",
+		filepath.Base(pgBin),
+		pgBin,
+		strings.Join(args, " "),
+	)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleAccessViolation(
+	pgBin string,
+	stderrStr string,
+) error {
+	uc.logger.Error("PostgreSQL tool crashed with access violation",
+		"pgBin", pgBin,
+		"exitCode", "0xC0000005",
+	)
+
+	return fmt.Errorf(
+		"%s crashed with access violation (0xC0000005). "+
+			"This may indicate incompatible PostgreSQL version, corrupted installation, or connection issues. "+
+			"stderr: %s",
+		filepath.Base(pgBin),
+		stderrStr,
+	)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleConnectionErrors(
+	stderrStr string,
+	password string,
+) error {
+	if containsIgnoreCase(stderrStr, "pg_hba.conf") {
+		return fmt.Errorf(
+			"PostgreSQL connection rejected by server configuration (pg_hba.conf). "+
+				"The server may not allow connections from your IP address or may require different authentication settings. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "no password supplied") ||
+		containsIgnoreCase(stderrStr, "fe_sendauth") {
+		return fmt.Errorf(
+			"PostgreSQL authentication failed - no password supplied. "+
+				"PGPASSWORD environment variable may not be working correctly on this system. "+
+				"Password length: %d, Password empty: %v. "+
+				"Consider using a .pgpass file as an alternative. "+
+				"stderr: %s",
+			len(password),
+			password == "",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") && containsIgnoreCase(stderrStr, "connection") {
+		return fmt.Errorf(
+			"PostgreSQL SSL connection failed. "+
+				"The server may require SSL encryption or have SSL configuration issues. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "connection") && containsIgnoreCase(stderrStr, "refused") {
+		return fmt.Errorf(
+			"PostgreSQL connection refused. "+
+				"Check if the server is running and accessible from your network. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "authentication") ||
+		containsIgnoreCase(stderrStr, "password") {
+		return fmt.Errorf(
+			"PostgreSQL authentication failed. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"PostgreSQL connection timeout. The server may be unreachable or overloaded. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return fmt.Errorf("PostgreSQL connection or authentication error. stderr: %s", stderrStr)
 }
 
-// createTempPgpassFile creates a temporary .pgpass file with the given password
 func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 	pgConfig *pgtypes.PostgresqlDatabase,
 	password string,
@@ -525,14 +743,17 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 		return "", nil
 	}
 
+	escapedHost := tools.EscapePgpassField(pgConfig.Host)
+	escapedUsername := tools.EscapePgpassField(pgConfig.Username)
+	escapedPassword := tools.EscapePgpassField(password)
+
 	pgpassContent := fmt.Sprintf("%s:%d:*:%s:%s",
-		pgConfig.Host,
+		escapedHost,
 		pgConfig.Port,
-		pgConfig.Username,
-		password,
+		escapedUsername,
+		escapedPassword,
 	)
 
-	// it always create unique directory like /tmp/pgpass-1234567890
 	tempDir, err := os.MkdirTemp("", "pgpass")
 	if err != nil {
 		return "", fmt.Errorf("failed to create temporary directory: %w", err)
@@ -546,3 +767,7 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 
 	return pgpassFile, nil
 }
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/backups/backups/usecases/postgresql/di.go

@@ -1,11 +1,15 @@
 package usecases_postgresql
 
 import (
+	"postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
 var createPostgresqlBackupUsecase = &CreatePostgresqlBackupUsecase{
 	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
+	encryption.GetFieldEncryptor(),
 }
 
 func GetCreatePostgresqlBackupUsecase() *CreatePostgresqlBackupUsecase {

backend/internal/features/backups/backups/usecases/postgresql/interfaces.go

@@ -1,20 +0,0 @@
-package usecases_postgresql
-
-import "io"
-
-// CountingWriter wraps an io.Writer and counts the bytes written to it
-type CountingWriter struct {
-	writer       io.Writer
-	bytesWritten int64
-}
-
-func (cw *CountingWriter) Write(p []byte) (n int, err error) {
-	n, err = cw.writer.Write(p)
-	cw.bytesWritten += int64(n)
-	return n, err
-}
-
-// GetBytesWritten returns the total number of bytes written
-func (cw *CountingWriter) GetBytesWritten() int64 {
-	return cw.bytesWritten
-}

backend/internal/features/backups/config/controller.go

@@ -20,15 +20,15 @@ func (c *BackupConfigController) RegisterRoutes(router *gin.RouterGroup) {
 
 // SaveBackupConfig
 // @Summary Save backup configuration
-// @Description Save or update backup configuration for a database
+// @Description Save or update backup configuration for a database. Encryption can be set to NONE (no encryption) or ENCRYPTED (AES-256-GCM encryption).
 // @Tags backup-configs
 // @Accept json
 // @Produce json
-// @Param request body BackupConfig true "Backup configuration data"
-// @Success 200 {object} BackupConfig
-// @Failure 400
-// @Failure 401
-// @Failure 500
+// @Param request body BackupConfig true "Backup configuration data (encryption field: NONE or ENCRYPTED)"
+// @Success 200 {object} BackupConfig "Returns the saved backup configuration including encryption settings"
+// @Failure 400 {object} map[string]string "Invalid encryption value or other validation errors"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 500 {object} map[string]string "Internal server error"
 // @Router /backup-configs/save [post]
 func (c *BackupConfigController) SaveBackupConfig(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)
@@ -57,14 +57,14 @@ func (c *BackupConfigController) SaveBackupConfig(ctx *gin.Context) {
 
 // GetBackupConfigByDbID
 // @Summary Get backup configuration by database ID
-// @Description Get backup configuration for a specific database
+// @Description Get backup configuration for a specific database including encryption settings (NONE or ENCRYPTED)
 // @Tags backup-configs
 // @Produce json
 // @Param id path string true "Database ID"
-// @Success 200 {object} BackupConfig
-// @Failure 400
-// @Failure 401
-// @Failure 404
+// @Success 200 {object} BackupConfig "Returns backup configuration with encryption field"
+// @Failure 400 {object} map[string]string "Invalid database ID"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 404 {object} map[string]string "Backup configuration not found"
 // @Router /backup-configs/database/{id} [get]
 func (c *BackupConfigController) GetBackupConfigByDbID(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)

backend/internal/features/backups/config/controller_test.go

@@ -368,6 +368,86 @@ func Test_IsStorageUsing_PermissionsEnforced(t *testing.T) {
 	}
 }
 
+func Test_SaveBackupConfig_WithEncryptionNone_ConfigSaved(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		CpuCount:            2,
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.Equal(t, BackupEncryptionNone, response.Encryption)
+}
+
+func Test_SaveBackupConfig_WithEncryptionEncrypted_ConfigSaved(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		CpuCount:            2,
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionEncrypted,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.Equal(t, BackupEncryptionEncrypted, response.Encryption)
+}
+
 func createTestDatabaseViaAPI(
 	name string,
 	workspaceID uuid.UUID,

backend/internal/features/backups/config/enums.go

@@ -6,3 +6,10 @@ const (
 	NotificationBackupFailed  BackupNotificationType = "BACKUP_FAILED"
 	NotificationBackupSuccess BackupNotificationType = "BACKUP_SUCCESS"
 )
+
+type BackupEncryption string
+
+const (
+	BackupEncryptionNone      BackupEncryption = "NONE"
+	BackupEncryptionEncrypted BackupEncryption = "ENCRYPTED"
+)

backend/internal/features/backups/config/model.go

@@ -31,6 +31,8 @@ type BackupConfig struct {
 	MaxFailedTriesCount int  `json:"maxFailedTriesCount" gorm:"column:max_failed_tries_count;type:int;not null"`
 
 	CpuCount int `json:"cpuCount" gorm:"type:int;not null"`
+
+	Encryption BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
 }
 
 func (h *BackupConfig) TableName() string {
@@ -88,6 +90,11 @@ func (b *BackupConfig) Validate() error {
 		return errors.New("max failed tries count must be greater than 0")
 	}
 
+	if b.Encryption != "" && b.Encryption != BackupEncryptionNone &&
+		b.Encryption != BackupEncryptionEncrypted {
+		return errors.New("encryption must be NONE or ENCRYPTED")
+	}
+
 	return nil
 }
 
@@ -103,5 +110,6 @@ func (b *BackupConfig) Copy(newDatabaseID uuid.UUID) *BackupConfig {
 		IsRetryIfFailed:     b.IsRetryIfFailed,
 		MaxFailedTriesCount: b.MaxFailedTriesCount,
 		CpuCount:            b.CpuCount,
+		Encryption:          b.Encryption,
 	}
 }

backend/internal/features/backups/config/service.go

@@ -171,6 +171,7 @@ func (s *BackupConfigService) initializeDefaultConfig(
 		CpuCount:            1,
 		IsRetryIfFailed:     true,
 		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
 	})
 
 	return err

backend/internal/features/databases/controller.go

@@ -26,7 +26,8 @@ func (c *DatabaseController) RegisterRoutes(router *gin.RouterGroup) {
 	router.POST("/databases/test-connection-direct", c.TestDatabaseConnectionDirect)
 	router.POST("/databases/:id/copy", c.CopyDatabase)
 	router.GET("/databases/notifier/:id/is-using", c.IsNotifierUsing)
-
+	router.POST("/databases/is-readonly", c.IsUserReadOnly)
+	router.POST("/databases/create-readonly-user", c.CreateReadOnlyUser)
 }
 
 // CreateDatabase
@@ -330,3 +331,76 @@ func (c *DatabaseController) CopyDatabase(ctx *gin.Context) {
 
 	ctx.JSON(http.StatusCreated, copiedDatabase)
 }
+
+// IsUserReadOnly
+// @Summary Check if database user is read-only
+// @Description Check if current database credentials have only read (SELECT) privileges
+// @Tags databases
+// @Accept json
+// @Produce json
+// @Security BearerAuth
+// @Param request body Database true "Database configuration to check"
+// @Success 200 {object} IsReadOnlyResponse
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 403 {object} map[string]string
+// @Router /databases/is-readonly [post]
+func (c *DatabaseController) IsUserReadOnly(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	var request Database
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	isReadOnly, err := c.databaseService.IsUserReadOnly(user, &request)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, IsReadOnlyResponse{IsReadOnly: isReadOnly})
+}
+
+// CreateReadOnlyUser
+// @Summary Create read-only database user
+// @Description Create a new PostgreSQL user with read-only privileges for backup operations
+// @Tags databases
+// @Accept json
+// @Produce json
+// @Security BearerAuth
+// @Param request body Database true "Database configuration to create user for"
+// @Success 200 {object} CreateReadOnlyUserResponse
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 403 {object} map[string]string
+// @Router /databases/create-readonly-user [post]
+func (c *DatabaseController) CreateReadOnlyUser(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	var request Database
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	username, password, err := c.databaseService.CreateReadOnlyUser(user, &request)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, CreateReadOnlyUserResponse{
+		Username: username,
+		Password: password,
+	})
+}

backend/internal/features/databases/controller_test.go

@@ -11,11 +11,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 
+	"postgresus-backend/internal/features/databases/databases/mariadb"
 	"postgresus-backend/internal/features/databases/databases/postgresql"
 	users_enums "postgresus-backend/internal/features/users/enums"
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 	"postgresus-backend/internal/util/tools"
 )
@@ -769,6 +771,71 @@ func createTestDatabaseViaAPI(
 	return &database
 }
 
+func Test_CreateDatabase_PasswordIsEncryptedInDB(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	testDbName := "test_db"
+	plainPassword := "my-super-secret-password-123"
+	request := Database{
+		Name:        "Test Database",
+		WorkspaceID: &workspace.ID,
+		Type:        DatabaseTypePostgres,
+		Postgresql: &postgresql.PostgresqlDatabase{
+			Version:  tools.PostgresqlVersion16,
+			Host:     "localhost",
+			Port:     5432,
+			Username: "postgres",
+			Password: plainPassword,
+			Database: &testDbName,
+		},
+	}
+
+	var createdDatabase Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/create",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusCreated,
+		&createdDatabase,
+	)
+
+	repository := &DatabaseRepository{}
+	databaseFromDB, err := repository.FindByID(createdDatabase.ID)
+	assert.NoError(t, err)
+	assert.NotNil(t, databaseFromDB)
+	assert.NotNil(t, databaseFromDB.Postgresql)
+
+	assert.True(
+		t,
+		strings.HasPrefix(databaseFromDB.Postgresql.Password, "enc:"),
+		"Password should be encrypted in database with 'enc:' prefix, got: %s",
+		databaseFromDB.Postgresql.Password,
+	)
+
+	encryptor := encryption.GetFieldEncryptor()
+	decryptedPassword, err := encryptor.Decrypt(
+		databaseFromDB.ID,
+		databaseFromDB.Postgresql.Password,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, plainPassword, decryptedPassword,
+		"Decrypted password should match original plaintext password")
+
+	test_utils.MakeDeleteRequest(
+		t,
+		router,
+		"/api/v1/databases/"+createdDatabase.ID.String(),
+		"Bearer "+owner.Token,
+		http.StatusNoContent,
+	)
+
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
 func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 	testCases := []struct {
 		name                string
@@ -815,12 +882,67 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, database *Database) {
-				assert.Equal(t, "original-password-secret", database.Postgresql.Password)
+				assert.True(t, strings.HasPrefix(database.Postgresql.Password, "enc:"),
+					"Password should be encrypted in database")
+
+				encryptor := encryption.GetFieldEncryptor()
+				decrypted, err := encryptor.Decrypt(database.ID, database.Postgresql.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password-secret", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, database *Database) {
 				assert.Equal(t, "", database.Postgresql.Password)
 			},
 		},
+		{
+			name:         "MariaDB Database",
+			databaseType: DatabaseTypeMariadb,
+			createDatabase: func(workspaceID uuid.UUID) *Database {
+				testDbName := "test_db"
+				return &Database{
+					WorkspaceID: &workspaceID,
+					Name:        "Test MariaDB Database",
+					Type:        DatabaseTypeMariadb,
+					Mariadb: &mariadb.MariadbDatabase{
+						Version:  tools.MariadbVersion1011,
+						Host:     "localhost",
+						Port:     3306,
+						Username: "root",
+						Password: "original-password-secret",
+						Database: &testDbName,
+					},
+				}
+			},
+			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+				testDbName := "updated_test_db"
+				return &Database{
+					ID:          databaseID,
+					WorkspaceID: &workspaceID,
+					Name:        "Updated MariaDB Database",
+					Type:        DatabaseTypeMariadb,
+					Mariadb: &mariadb.MariadbDatabase{
+						Version:  tools.MariadbVersion114,
+						Host:     "updated-host",
+						Port:     3307,
+						Username: "updated_user",
+						Password: "",
+						Database: &testDbName,
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, database *Database) {
+				assert.True(t, strings.HasPrefix(database.Mariadb.Password, "enc:"),
+					"Password should be encrypted in database")
+
+				encryptor := encryption.GetFieldEncryptor()
+				decrypted, err := encryptor.Decrypt(database.ID, database.Mariadb.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password-secret", decrypted)
+			},
+			verifyHiddenData: func(t *testing.T, database *Database) {
+				assert.Equal(t, "", database.Mariadb.Password)
+			},
+		},
 	}
 
 	for _, tc := range testCases {

backend/internal/features/databases/databases/mariadb/model.go

@@ -0,0 +1,412 @@
+package mariadb
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"log/slog"
+	"regexp"
+	"strings"
+	"time"
+
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/tools"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
+)
+
+type MariadbDatabase struct {
+	ID         uuid.UUID  `json:"id"         gorm:"primaryKey;type:uuid;default:gen_random_uuid()"`
+	DatabaseID *uuid.UUID `json:"databaseId" gorm:"type:uuid;column:database_id"`
+
+	Version tools.MariadbVersion `json:"version" gorm:"type:text;not null"`
+
+	Host     string  `json:"host"     gorm:"type:text;not null"`
+	Port     int     `json:"port"     gorm:"type:int;not null"`
+	Username string  `json:"username" gorm:"type:text;not null"`
+	Password string  `json:"password" gorm:"type:text;not null"`
+	Database *string `json:"database" gorm:"type:text"`
+	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
+}
+
+func (m *MariadbDatabase) TableName() string {
+	return "mariadb_databases"
+}
+
+func (m *MariadbDatabase) Validate() error {
+	if m.Host == "" {
+		return errors.New("host is required")
+	}
+	if m.Port == 0 {
+		return errors.New("port is required")
+	}
+	if m.Username == "" {
+		return errors.New("username is required")
+	}
+	if m.Password == "" {
+		return errors.New("password is required")
+	}
+	return nil
+}
+
+func (m *MariadbDatabase) TestConnection(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	if m.Database == nil || *m.Database == "" {
+		return errors.New("database name is required for MariaDB backup")
+	}
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to MariaDB database '%s': %w", *m.Database, err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close MariaDB connection", "error", closeErr)
+		}
+	}()
+
+	db.SetConnMaxLifetime(15 * time.Second)
+	db.SetMaxOpenConns(1)
+	db.SetMaxIdleConns(1)
+
+	if err := db.PingContext(ctx); err != nil {
+		return fmt.Errorf("failed to ping MariaDB database '%s': %w", *m.Database, err)
+	}
+
+	detectedVersion, err := detectMariadbVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+	m.Version = detectedVersion
+
+	return nil
+}
+
+func (m *MariadbDatabase) HideSensitiveData() {
+	if m == nil {
+		return
+	}
+	m.Password = ""
+}
+
+func (m *MariadbDatabase) Update(incoming *MariadbDatabase) {
+	m.Version = incoming.Version
+	m.Host = incoming.Host
+	m.Port = incoming.Port
+	m.Username = incoming.Username
+	m.Database = incoming.Database
+	m.IsHttps = incoming.IsHttps
+
+	if incoming.Password != "" {
+		m.Password = incoming.Password
+	}
+}
+
+func (m *MariadbDatabase) EncryptSensitiveFields(
+	databaseID uuid.UUID,
+	encryptor encryption.FieldEncryptor,
+) error {
+	if m.Password != "" {
+		encrypted, err := encryptor.Encrypt(databaseID, m.Password)
+		if err != nil {
+			return err
+		}
+		m.Password = encrypted
+	}
+	return nil
+}
+
+func (m *MariadbDatabase) PopulateVersionIfEmpty(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if m.Version != "" {
+		return nil
+	}
+	return m.PopulateVersion(logger, encryptor, databaseID)
+}
+
+func (m *MariadbDatabase) PopulateVersion(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if m.Database == nil || *m.Database == "" {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	detectedVersion, err := detectMariadbVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+
+	m.Version = detectedVersion
+	return nil
+}
+
+func (m *MariadbDatabase) IsUserReadOnly(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (bool, error) {
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return false, fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return false, fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
+	if err != nil {
+		return false, fmt.Errorf("failed to check grants: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	writePrivileges := []string{
+		"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
+		"INDEX", "GRANT OPTION", "ALL PRIVILEGES", "SUPER",
+	}
+
+	for rows.Next() {
+		var grant string
+		if err := rows.Scan(&grant); err != nil {
+			return false, fmt.Errorf("failed to scan grant: %w", err)
+		}
+
+		for _, priv := range writePrivileges {
+			if regexp.MustCompile(`(?i)\b` + priv + `\b`).MatchString(grant) {
+				return false, nil
+			}
+		}
+	}
+
+	if err := rows.Err(); err != nil {
+		return false, fmt.Errorf("error iterating grants: %w", err)
+	}
+
+	return true, nil
+}
+
+func (m *MariadbDatabase) CreateReadOnlyUser(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, string, error) {
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	maxRetries := 3
+	for attempt := range maxRetries {
+		// MariaDB 5.5 has a 16-character username limit, use shorter prefix
+		newUsername := fmt.Sprintf("pgs-%s", uuid.New().String()[:8])
+		newPassword := uuid.New().String()
+
+		tx, err := db.BeginTx(ctx, nil)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to begin transaction: %w", err)
+		}
+
+		success := false
+		defer func() {
+			if !success {
+				if rollbackErr := tx.Rollback(); rollbackErr != nil {
+					logger.Error("Failed to rollback transaction", "error", rollbackErr)
+				}
+			}
+		}()
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+			newUsername,
+			newPassword,
+		))
+		if err != nil {
+			if attempt < maxRetries-1 {
+				continue
+			}
+			return "", "", fmt.Errorf("failed to create user: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"GRANT SELECT, SHOW VIEW, LOCK TABLES, TRIGGER, EVENT ON `%s`.* TO '%s'@'%%'",
+			*m.Database,
+			newUsername,
+		))
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant database privileges: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"GRANT PROCESS ON *.* TO '%s'@'%%'",
+			newUsername,
+		))
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant PROCESS privilege: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, "FLUSH PRIVILEGES")
+		if err != nil {
+			return "", "", fmt.Errorf("failed to flush privileges: %w", err)
+		}
+
+		if err := tx.Commit(); err != nil {
+			return "", "", fmt.Errorf("failed to commit transaction: %w", err)
+		}
+
+		success = true
+		logger.Info(
+			"Read-only MariaDB user created successfully",
+			"username", newUsername,
+		)
+		return newUsername, newPassword, nil
+	}
+
+	return "", "", errors.New("failed to generate unique username after 3 attempts")
+}
+
+func (m *MariadbDatabase) buildDSN(password string, database string) string {
+	tlsConfig := "false"
+	if m.IsHttps {
+		tlsConfig = "true"
+	}
+
+	return fmt.Sprintf(
+		"%s:%s@tcp(%s:%d)/%s?parseTime=true&timeout=15s&tls=%s&charset=utf8mb4",
+		m.Username,
+		password,
+		m.Host,
+		m.Port,
+		database,
+		tlsConfig,
+	)
+}
+
+// detectMariadbVersion parses VERSION() output to detect MariaDB version
+// MariaDB returns strings like "10.11.6-MariaDB" or "11.4.2-MariaDB-1:11.4.2+maria~ubu2204"
+func detectMariadbVersion(ctx context.Context, db *sql.DB) (tools.MariadbVersion, error) {
+	var versionStr string
+	err := db.QueryRowContext(ctx, "SELECT VERSION()").Scan(&versionStr)
+	if err != nil {
+		return "", fmt.Errorf("failed to query MariaDB version: %w", err)
+	}
+
+	if !strings.Contains(strings.ToLower(versionStr), "mariadb") {
+		return "", fmt.Errorf(
+			"not a MariaDB server (version: %s). Use MySQL database type instead",
+			versionStr,
+		)
+	}
+
+	re := regexp.MustCompile(`^(\d+)\.(\d+)`)
+	matches := re.FindStringSubmatch(versionStr)
+	if len(matches) < 3 {
+		return "", fmt.Errorf("could not parse MariaDB version: %s", versionStr)
+	}
+
+	major := matches[1]
+	minor := matches[2]
+	versionKey := fmt.Sprintf("%s.%s", major, minor)
+
+	switch versionKey {
+	case "5.5":
+		return tools.MariadbVersion55, nil
+	case "10.1":
+		return tools.MariadbVersion101, nil
+	case "10.2":
+		return tools.MariadbVersion102, nil
+	case "10.3":
+		return tools.MariadbVersion103, nil
+	case "10.4":
+		return tools.MariadbVersion104, nil
+	case "10.5":
+		return tools.MariadbVersion105, nil
+	case "10.6":
+		return tools.MariadbVersion106, nil
+	case "10.11":
+		return tools.MariadbVersion1011, nil
+	case "11.4":
+		return tools.MariadbVersion114, nil
+	case "11.8":
+		return tools.MariadbVersion118, nil
+	case "12.0":
+		return tools.MariadbVersion120, nil
+	default:
+		return "", fmt.Errorf(
+			"unsupported MariaDB version: %s (supported: 5.5, 10.1-10.6, 10.11, 11.4, 11.8, 12.0)",
+			versionKey,
+		)
+	}
+}
+
+func decryptPasswordIfNeeded(
+	password string,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, error) {
+	if encryptor == nil {
+		return password, nil
+	}
+	return encryptor.Decrypt(databaseID, password)
+}

backend/internal/features/databases/databases/mariadb/readonly_user_test.go

@@ -0,0 +1,387 @@
+package mariadb
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/stretchr/testify/assert"
+
+	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/util/tools"
+)
+
+func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			mariadbModel := createMariadbModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			isReadOnly, err := mariadbModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.False(t, isReadOnly, "Root user should not be read-only")
+		})
+	}
+}
+
+func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_test`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS hack_table`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`
+				CREATE TABLE readonly_test (
+					id INT AUTO_INCREMENT PRIMARY KEY,
+					data VARCHAR(255) NOT NULL
+				)
+			`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(
+				`INSERT INTO readonly_test (data) VALUES ('test1'), ('test2')`,
+			)
+			assert.NoError(t, err)
+
+			mariadbModel := createMariadbModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "pgs-"))
+
+			if err != nil {
+				return
+			}
+
+			readOnlyModel := &MariadbDatabase{
+				Version:  mariadbModel.Version,
+				Host:     mariadbModel.Host,
+				Port:     mariadbModel.Port,
+				Username: username,
+				Password: password,
+				Database: mariadbModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "Created user should be read-only")
+
+			readOnlyDSN := fmt.Sprintf(
+				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
+				username,
+				password,
+				container.Host,
+				container.Port,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var count int
+			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM readonly_test")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, count)
+
+			_, err = readOnlyConn.Exec("INSERT INTO readonly_test (data) VALUES ('should-fail')")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("UPDATE readonly_test SET data = 'hacked' WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("DELETE FROM readonly_test WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			dropUserSafe(container.DB, username)
+		})
+	}
+}
+
+func Test_ReadOnlyUser_FutureTables_NoSelectPermission(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	mariadbModel := createMariadbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE future_table (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO future_table (data) VALUES ('future_data')`)
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var data string
+	err = readOnlyConn.Get(&data, "SELECT data FROM future_table LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "future_data", data)
+
+	dropUserSafe(container.DB, username)
+}
+
+func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	dashDbName := "test-db-with-dash"
+
+	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	}()
+
+	dashDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		container.Username, container.Password, container.Host, container.Port, dashDbName)
+	dashDB, err := sqlx.Connect("mysql", dashDSN)
+	assert.NoError(t, err)
+	defer dashDB.Close()
+
+	_, err = dashDB.Exec(`
+		CREATE TABLE dash_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+
+	_, err = dashDB.Exec(`INSERT INTO dash_test (data) VALUES ('test1'), ('test2')`)
+	assert.NoError(t, err)
+
+	mariadbModel := &MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &dashDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, username)
+	assert.NotEmpty(t, password)
+	assert.True(t, strings.HasPrefix(username, "pgs-"))
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, dashDbName)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	dropUserSafe(dashDB, username)
+}
+
+func Test_ReadOnlyUser_CannotDropOrAlterTables(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`DROP TABLE IF EXISTS drop_test`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE drop_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO drop_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	mariadbModel := createMariadbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	_, err = readOnlyConn.Exec("DROP TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("ALTER TABLE drop_test ADD COLUMN new_col VARCHAR(100)")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("TRUNCATE TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	dropUserSafe(container.DB, username)
+}
+
+type MariadbContainer struct {
+	Host     string
+	Port     int
+	Username string
+	Password string
+	Database string
+	Version  tools.MariadbVersion
+	DB       *sqlx.DB
+}
+
+func connectToMariadbContainer(
+	t *testing.T,
+	port string,
+	version tools.MariadbVersion,
+) *MariadbContainer {
+	if port == "" {
+		t.Skipf("MariaDB port not configured for version %s", version)
+	}
+
+	dbName := "testdb"
+	host := "127.0.0.1"
+	username := "root"
+	password := "rootpassword"
+
+	portInt, err := strconv.Atoi(port)
+	assert.NoError(t, err)
+
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, host, portInt, dbName)
+
+	db, err := sqlx.Connect("mysql", dsn)
+	if err != nil {
+		t.Skipf("Failed to connect to MariaDB %s: %v", version, err)
+	}
+
+	return &MariadbContainer{
+		Host:     host,
+		Port:     portInt,
+		Username: username,
+		Password: password,
+		Database: dbName,
+		Version:  version,
+		DB:       db,
+	}
+}
+
+func createMariadbModel(container *MariadbContainer) *MariadbDatabase {
+	return &MariadbDatabase{
+		Version:  container.Version,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &container.Database,
+		IsHttps:  false,
+	}
+}
+
+func dropUserSafe(db *sqlx.DB, username string) {
+	// MariaDB 5.5 doesn't support DROP USER IF EXISTS, so we ignore errors
+	_, _ = db.Exec(fmt.Sprintf("DROP USER '%s'@'%%'", username))
+}

backend/internal/features/databases/databases/mysql/model.go

@@ -0,0 +1,382 @@
+package mysql
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"log/slog"
+	"regexp"
+	"time"
+
+	"postgresus-backend/internal/util/encryption"
+	"postgresus-backend/internal/util/tools"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
+)
+
+type MysqlDatabase struct {
+	ID         uuid.UUID  `json:"id"         gorm:"primaryKey;type:uuid;default:gen_random_uuid()"`
+	DatabaseID *uuid.UUID `json:"databaseId" gorm:"type:uuid;column:database_id"`
+
+	Version tools.MysqlVersion `json:"version" gorm:"type:text;not null"`
+
+	Host     string  `json:"host"     gorm:"type:text;not null"`
+	Port     int     `json:"port"     gorm:"type:int;not null"`
+	Username string  `json:"username" gorm:"type:text;not null"`
+	Password string  `json:"password" gorm:"type:text;not null"`
+	Database *string `json:"database" gorm:"type:text"`
+	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
+}
+
+func (m *MysqlDatabase) TableName() string {
+	return "mysql_databases"
+}
+
+func (m *MysqlDatabase) Validate() error {
+	if m.Host == "" {
+		return errors.New("host is required")
+	}
+	if m.Port == 0 {
+		return errors.New("port is required")
+	}
+	if m.Username == "" {
+		return errors.New("username is required")
+	}
+	if m.Password == "" {
+		return errors.New("password is required")
+	}
+	return nil
+}
+
+func (m *MysqlDatabase) TestConnection(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	if m.Database == nil || *m.Database == "" {
+		return errors.New("database name is required for MySQL backup")
+	}
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to MySQL database '%s': %w", *m.Database, err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close MySQL connection", "error", closeErr)
+		}
+	}()
+
+	db.SetConnMaxLifetime(15 * time.Second)
+	db.SetMaxOpenConns(1)
+	db.SetMaxIdleConns(1)
+
+	if err := db.PingContext(ctx); err != nil {
+		return fmt.Errorf("failed to ping MySQL database '%s': %w", *m.Database, err)
+	}
+
+	detectedVersion, err := detectMysqlVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+	m.Version = detectedVersion
+
+	return nil
+}
+
+func (m *MysqlDatabase) HideSensitiveData() {
+	if m == nil {
+		return
+	}
+	m.Password = ""
+}
+
+func (m *MysqlDatabase) Update(incoming *MysqlDatabase) {
+	m.Version = incoming.Version
+	m.Host = incoming.Host
+	m.Port = incoming.Port
+	m.Username = incoming.Username
+	m.Database = incoming.Database
+	m.IsHttps = incoming.IsHttps
+
+	if incoming.Password != "" {
+		m.Password = incoming.Password
+	}
+}
+
+func (m *MysqlDatabase) EncryptSensitiveFields(
+	databaseID uuid.UUID,
+	encryptor encryption.FieldEncryptor,
+) error {
+	if m.Password != "" {
+		encrypted, err := encryptor.Encrypt(databaseID, m.Password)
+		if err != nil {
+			return err
+		}
+		m.Password = encrypted
+	}
+	return nil
+}
+
+func (m *MysqlDatabase) PopulateVersionIfEmpty(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if m.Version != "" {
+		return nil
+	}
+	return m.PopulateVersion(logger, encryptor, databaseID)
+}
+
+func (m *MysqlDatabase) PopulateVersion(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if m.Database == nil || *m.Database == "" {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	detectedVersion, err := detectMysqlVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+
+	m.Version = detectedVersion
+	return nil
+}
+
+func (m *MysqlDatabase) IsUserReadOnly(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (bool, error) {
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return false, fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return false, fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
+	if err != nil {
+		return false, fmt.Errorf("failed to check grants: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	writePrivileges := []string{
+		"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
+		"INDEX", "GRANT OPTION", "ALL PRIVILEGES", "SUPER",
+	}
+
+	for rows.Next() {
+		var grant string
+		if err := rows.Scan(&grant); err != nil {
+			return false, fmt.Errorf("failed to scan grant: %w", err)
+		}
+
+		for _, priv := range writePrivileges {
+			if regexp.MustCompile(`(?i)\b` + priv + `\b`).MatchString(grant) {
+				return false, nil
+			}
+		}
+	}
+
+	if err := rows.Err(); err != nil {
+		return false, fmt.Errorf("error iterating grants: %w", err)
+	}
+
+	return true, nil
+}
+
+func (m *MysqlDatabase) CreateReadOnlyUser(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, string, error) {
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	maxRetries := 3
+	for attempt := range maxRetries {
+		newUsername := fmt.Sprintf("postgresus-%s", uuid.New().String()[:8])
+		newPassword := uuid.New().String()
+
+		tx, err := db.BeginTx(ctx, nil)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to begin transaction: %w", err)
+		}
+
+		success := false
+		defer func() {
+			if !success {
+				if rollbackErr := tx.Rollback(); rollbackErr != nil {
+					logger.Error("Failed to rollback transaction", "error", rollbackErr)
+				}
+			}
+		}()
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+			newUsername,
+			newPassword,
+		))
+		if err != nil {
+			if attempt < maxRetries-1 {
+				continue
+			}
+			return "", "", fmt.Errorf("failed to create user: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"GRANT SELECT, SHOW VIEW, LOCK TABLES, TRIGGER, EVENT ON `%s`.* TO '%s'@'%%'",
+			*m.Database,
+			newUsername,
+		))
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant database privileges: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, fmt.Sprintf(
+			"GRANT PROCESS ON *.* TO '%s'@'%%'",
+			newUsername,
+		))
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant PROCESS privilege: %w", err)
+		}
+
+		_, err = tx.ExecContext(ctx, "FLUSH PRIVILEGES")
+		if err != nil {
+			return "", "", fmt.Errorf("failed to flush privileges: %w", err)
+		}
+
+		if err := tx.Commit(); err != nil {
+			return "", "", fmt.Errorf("failed to commit transaction: %w", err)
+		}
+
+		success = true
+		logger.Info(
+			"Read-only MySQL user created successfully",
+			"username",
+			newUsername,
+		)
+		return newUsername, newPassword, nil
+	}
+
+	return "", "", errors.New("failed to generate unique username after 3 attempts")
+}
+
+func (m *MysqlDatabase) buildDSN(password string, database string) string {
+	tlsConfig := "false"
+	if m.IsHttps {
+		tlsConfig = "true"
+	}
+
+	return fmt.Sprintf(
+		"%s:%s@tcp(%s:%d)/%s?parseTime=true&timeout=15s&tls=%s&charset=utf8mb4",
+		m.Username,
+		password,
+		m.Host,
+		m.Port,
+		database,
+		tlsConfig,
+	)
+}
+
+func detectMysqlVersion(ctx context.Context, db *sql.DB) (tools.MysqlVersion, error) {
+	var versionStr string
+	err := db.QueryRowContext(ctx, "SELECT VERSION()").Scan(&versionStr)
+	if err != nil {
+		return "", fmt.Errorf("failed to query MySQL version: %w", err)
+	}
+
+	re := regexp.MustCompile(`^(\d+)\.(\d+)`)
+	matches := re.FindStringSubmatch(versionStr)
+	if len(matches) < 3 {
+		return "", fmt.Errorf("could not parse MySQL version: %s", versionStr)
+	}
+
+	major := matches[1]
+	minor := matches[2]
+
+	switch {
+	case major == "5" && minor == "7":
+		return tools.MysqlVersion57, nil
+	case major == "8" && minor == "0":
+		return tools.MysqlVersion80, nil
+	case major == "8" && minor == "4":
+		return tools.MysqlVersion84, nil
+	default:
+		return "", fmt.Errorf("unsupported MySQL version: %s.%s", major, minor)
+	}
+}
+
+func decryptPasswordIfNeeded(
+	password string,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, error) {
+	if encryptor == nil {
+		return password, nil
+	}
+	return encryptor.Decrypt(databaseID, password)
+}

backend/internal/features/databases/databases/mysql/readonly_user_test.go

@@ -0,0 +1,366 @@
+package mysql
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/stretchr/testify/assert"
+
+	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/util/tools"
+)
+
+func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			mysqlModel := createMysqlModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			isReadOnly, err := mysqlModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.False(t, isReadOnly, "Root user should not be read-only")
+		})
+	}
+}
+
+func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_test`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS hack_table`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`
+				CREATE TABLE readonly_test (
+					id INT AUTO_INCREMENT PRIMARY KEY,
+					data VARCHAR(255) NOT NULL
+				)
+			`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(
+				`INSERT INTO readonly_test (data) VALUES ('test1'), ('test2')`,
+			)
+			assert.NoError(t, err)
+
+			mysqlModel := createMysqlModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := mysqlModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "postgresus-"))
+
+			readOnlyModel := &MysqlDatabase{
+				Version:  mysqlModel.Version,
+				Host:     mysqlModel.Host,
+				Port:     mysqlModel.Port,
+				Username: username,
+				Password: password,
+				Database: mysqlModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "Created user should be read-only")
+
+			readOnlyDSN := fmt.Sprintf(
+				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
+				username,
+				password,
+				container.Host,
+				container.Port,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var count int
+			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM readonly_test")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, count)
+
+			_, err = readOnlyConn.Exec("INSERT INTO readonly_test (data) VALUES ('should-fail')")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("UPDATE readonly_test SET data = 'hacked' WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("DELETE FROM readonly_test WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = container.DB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", username))
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_ReadOnlyUser_FutureTables_NoSelectPermission(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMysqlContainer(t, env.TestMysql80Port, tools.MysqlVersion80)
+	defer container.DB.Close()
+
+	mysqlModel := createMysqlModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mysqlModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE future_table (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO future_table (data) VALUES ('future_data')`)
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var data string
+	err = readOnlyConn.Get(&data, "SELECT data FROM future_table LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "future_data", data)
+
+	_, err = container.DB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", username))
+	assert.NoError(t, err)
+}
+
+func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMysqlContainer(t, env.TestMysql80Port, tools.MysqlVersion80)
+	defer container.DB.Close()
+
+	dashDbName := "test-db-with-dash"
+
+	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	}()
+
+	dashDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		container.Username, container.Password, container.Host, container.Port, dashDbName)
+	dashDB, err := sqlx.Connect("mysql", dashDSN)
+	assert.NoError(t, err)
+	defer dashDB.Close()
+
+	_, err = dashDB.Exec(`
+		CREATE TABLE dash_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+
+	_, err = dashDB.Exec(`INSERT INTO dash_test (data) VALUES ('test1'), ('test2')`)
+	assert.NoError(t, err)
+
+	mysqlModel := &MysqlDatabase{
+		Version:  tools.MysqlVersion80,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &dashDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mysqlModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, username)
+	assert.NotEmpty(t, password)
+	assert.True(t, strings.HasPrefix(username, "postgresus-"))
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, dashDbName)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = dashDB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", username))
+	assert.NoError(t, err)
+}
+
+func Test_ReadOnlyUser_CannotDropOrAlterTables(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMysqlContainer(t, env.TestMysql80Port, tools.MysqlVersion80)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`DROP TABLE IF EXISTS drop_test`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE drop_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO drop_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	mysqlModel := createMysqlModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mysqlModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	_, err = readOnlyConn.Exec("DROP TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("ALTER TABLE drop_test ADD COLUMN new_col VARCHAR(100)")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("TRUNCATE TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = container.DB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", username))
+	assert.NoError(t, err)
+}
+
+type MysqlContainer struct {
+	Host     string
+	Port     int
+	Username string
+	Password string
+	Database string
+	Version  tools.MysqlVersion
+	DB       *sqlx.DB
+}
+
+func connectToMysqlContainer(
+	t *testing.T,
+	port string,
+	version tools.MysqlVersion,
+) *MysqlContainer {
+	if port == "" {
+		t.Skipf("MySQL port not configured for version %s", version)
+	}
+
+	dbName := "testdb"
+	host := "127.0.0.1"
+	username := "root"
+	password := "rootpassword"
+
+	portInt, err := strconv.Atoi(port)
+	assert.NoError(t, err)
+
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, host, portInt, dbName)
+
+	db, err := sqlx.Connect("mysql", dsn)
+	if err != nil {
+		t.Skipf("Failed to connect to MySQL %s: %v", version, err)
+	}
+
+	return &MysqlContainer{
+		Host:     host,
+		Port:     portInt,
+		Username: username,
+		Password: password,
+		Database: dbName,
+		Version:  version,
+		DB:       db,
+	}
+}
+
+func createMysqlModel(container *MysqlContainer) *MysqlDatabase {
+	return &MysqlDatabase{
+		Version:  container.Version,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &container.Database,
+		IsHttps:  false,
+	}
+}

backend/internal/features/databases/databases/postgresql/model.go

@@ -5,20 +5,21 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/tools"
 	"regexp"
-	"slices"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5"
+	"gorm.io/gorm"
 )
 
 type PostgresqlDatabase struct {
 	ID uuid.UUID `json:"id" gorm:"primaryKey;type:uuid;default:gen_random_uuid()"`
 
 	DatabaseID *uuid.UUID `json:"databaseId" gorm:"type:uuid;column:database_id"`
-	RestoreID  *uuid.UUID `json:"restoreId"  gorm:"type:uuid;column:restore_id"`
 
 	Version tools.PostgresqlVersion `json:"version" gorm:"type:text;not null"`
 
@@ -29,17 +30,40 @@ type PostgresqlDatabase struct {
 	Password string  `json:"password" gorm:"type:text;not null"`
 	Database *string `json:"database" gorm:"type:text"`
 	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
+
+	// backup settings
+	IncludeSchemas       []string `json:"includeSchemas" gorm:"-"`
+	IncludeSchemasString string   `json:"-"              gorm:"column:include_schemas;type:text;not null;default:''"`
+
+	// restore settings (not saved to DB)
+	IsExcludeExtensions bool `json:"isExcludeExtensions" gorm:"-"`
 }
 
 func (p *PostgresqlDatabase) TableName() string {
 	return "postgresql_databases"
 }
 
-func (p *PostgresqlDatabase) Validate() error {
-	if p.Version == "" {
-		return errors.New("version is required")
+func (p *PostgresqlDatabase) BeforeSave(_ *gorm.DB) error {
+	if len(p.IncludeSchemas) > 0 {
+		p.IncludeSchemasString = strings.Join(p.IncludeSchemas, ",")
+	} else {
+		p.IncludeSchemasString = ""
 	}
 
+	return nil
+}
+
+func (p *PostgresqlDatabase) AfterFind(_ *gorm.DB) error {
+	if p.IncludeSchemasString != "" {
+		p.IncludeSchemas = strings.Split(p.IncludeSchemasString, ",")
+	} else {
+		p.IncludeSchemas = []string{}
+	}
+
+	return nil
+}
+
+func (p *PostgresqlDatabase) Validate() error {
 	if p.Host == "" {
 		return errors.New("host is required")
 	}
@@ -59,11 +83,15 @@ func (p *PostgresqlDatabase) Validate() error {
 	return nil
 }
 
-func (p *PostgresqlDatabase) TestConnection(logger *slog.Logger) error {
+func (p *PostgresqlDatabase) TestConnection(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
-	return testSingleDatabaseConnection(logger, ctx, p)
+	return testSingleDatabaseConnection(logger, ctx, p, encryptor, databaseID)
 }
 
 func (p *PostgresqlDatabase) HideSensitiveData() {
@@ -81,25 +109,499 @@ func (p *PostgresqlDatabase) Update(incoming *PostgresqlDatabase) {
 	p.Username = incoming.Username
 	p.Database = incoming.Database
 	p.IsHttps = incoming.IsHttps
+	p.IncludeSchemas = incoming.IncludeSchemas
 
 	if incoming.Password != "" {
 		p.Password = incoming.Password
 	}
 }
 
+func (p *PostgresqlDatabase) EncryptSensitiveFields(
+	databaseID uuid.UUID,
+	encryptor encryption.FieldEncryptor,
+) error {
+	if p.Password != "" {
+		encrypted, err := encryptor.Encrypt(databaseID, p.Password)
+		if err != nil {
+			return err
+		}
+		p.Password = encrypted
+	}
+
+	return nil
+}
+
+// PopulateVersionIfEmpty detects and sets the PostgreSQL version if not already set.
+// This should be called before encrypting sensitive fields.
+func (p *PostgresqlDatabase) PopulateVersionIfEmpty(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if p.Version != "" {
+		return nil
+	}
+	return p.PopulateVersion(logger, encryptor, databaseID)
+}
+
+// PopulateVersion detects and sets the PostgreSQL version by querying the database.
+func (p *PostgresqlDatabase) PopulateVersion(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) error {
+	if p.Database == nil || *p.Database == "" {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	connStr := buildConnectionStringForDB(p, *p.Database, password)
+
+	conn, err := pgx.Connect(ctx, connStr)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := conn.Close(ctx); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	detectedVersion, err := detectDatabaseVersion(ctx, conn)
+	if err != nil {
+		return err
+	}
+
+	p.Version = detectedVersion
+	return nil
+}
+
+// IsUserReadOnly checks if the database user has read-only privileges.
+//
+// This method performs a comprehensive security check by examining:
+// - Role-level attributes (superuser, createrole, createdb)
+// - Database-level privileges (CREATE, TEMP)
+// - Table-level write permissions (INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER)
+//
+// A user is considered read-only only if they have ZERO write privileges
+// across all three levels. This ensures the database user follows the
+// principle of least privilege for backup operations.
+func (p *PostgresqlDatabase) IsUserReadOnly(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (bool, error) {
+	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
+	if err != nil {
+		return false, fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	connStr := buildConnectionStringForDB(p, *p.Database, password)
+
+	conn, err := pgx.Connect(ctx, connStr)
+	if err != nil {
+		return false, fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := conn.Close(ctx); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	// LEVEL 1: Check role-level attributes
+	var isSuperuser, canCreateRole, canCreateDB bool
+	err = conn.QueryRow(ctx, `
+		SELECT
+			rolsuper,
+			rolcreaterole,
+			rolcreatedb
+		FROM pg_roles
+		WHERE rolname = current_user
+	`).Scan(&isSuperuser, &canCreateRole, &canCreateDB)
+	if err != nil {
+		return false, fmt.Errorf("failed to check role attributes: %w", err)
+	}
+
+	if isSuperuser || canCreateRole || canCreateDB {
+		return false, nil
+	}
+
+	// LEVEL 2: Check database-level privileges
+	var canCreate, canTemp bool
+	err = conn.QueryRow(ctx, `
+		SELECT
+			has_database_privilege(current_user, current_database(), 'CREATE') as can_create,
+			has_database_privilege(current_user, current_database(), 'TEMP') as can_temp
+	`).Scan(&canCreate, &canTemp)
+	if err != nil {
+		return false, fmt.Errorf("failed to check database privileges: %w", err)
+	}
+
+	if canCreate || canTemp {
+		return false, nil
+	}
+
+	// LEVEL 2.5: Check schema-level CREATE privileges
+	schemaRows, err := conn.Query(ctx, `
+		SELECT DISTINCT nspname
+		FROM pg_namespace n
+		WHERE has_schema_privilege(current_user, n.nspname, 'CREATE')
+		AND nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+	`)
+	if err != nil {
+		return false, fmt.Errorf("failed to check schema privileges: %w", err)
+	}
+	defer schemaRows.Close()
+
+	// If user has CREATE privilege on any schema, they're not read-only
+	if schemaRows.Next() {
+		return false, nil
+	}
+
+	if err := schemaRows.Err(); err != nil {
+		return false, fmt.Errorf("error iterating schema privileges: %w", err)
+	}
+
+	// LEVEL 3: Check table-level write permissions
+	rows, err := conn.Query(ctx, `
+		SELECT DISTINCT privilege_type
+		FROM information_schema.role_table_grants
+		WHERE grantee = current_user
+		AND table_schema NOT IN ('pg_catalog', 'information_schema')
+	`)
+	if err != nil {
+		return false, fmt.Errorf("failed to check table privileges: %w", err)
+	}
+	defer rows.Close()
+
+	writePrivileges := map[string]bool{
+		"INSERT":     true,
+		"UPDATE":     true,
+		"DELETE":     true,
+		"TRUNCATE":   true,
+		"REFERENCES": true,
+		"TRIGGER":    true,
+	}
+
+	for rows.Next() {
+		var privilege string
+		if err := rows.Scan(&privilege); err != nil {
+			return false, fmt.Errorf("failed to scan privilege: %w", err)
+		}
+
+		if writePrivileges[privilege] {
+			return false, nil
+		}
+	}
+
+	if err := rows.Err(); err != nil {
+		return false, fmt.Errorf("error iterating privileges: %w", err)
+	}
+
+	return true, nil
+}
+
+// CreateReadOnlyUser creates a new PostgreSQL user with read-only privileges.
+//
+// This method performs the following operations atomically in a single transaction:
+// 1. Creates a PostgreSQL user with a UUID-based password
+// 2. Grants CONNECT privilege on the database
+// 3. Grants USAGE on all non-system schemas
+// 4. Grants SELECT on all existing tables and sequences
+// 5. Sets default privileges for future tables and sequences
+//
+// Security features:
+// - Username format: "postgresus-{8-char-uuid}" for uniqueness
+// - Password: Full UUID (36 characters) for strong entropy
+// - Transaction safety: All operations rollback on any failure
+// - Retry logic: Up to 3 attempts if username collision occurs
+// - Pre-validation: Checks CREATEROLE privilege before starting transaction
+func (p *PostgresqlDatabase) CreateReadOnlyUser(
+	ctx context.Context,
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, string, error) {
+	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	connStr := buildConnectionStringForDB(p, *p.Database, password)
+
+	conn, err := pgx.Connect(ctx, connStr)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := conn.Close(ctx); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	// Pre-validate: Check if current user can create roles
+	var canCreateRole, isSuperuser bool
+	err = conn.QueryRow(ctx, `
+		SELECT rolcreaterole, rolsuper
+		FROM pg_roles
+		WHERE rolname = current_user
+	`).Scan(&canCreateRole, &isSuperuser)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to check permissions: %w", err)
+	}
+	if !canCreateRole && !isSuperuser {
+		return "", "", errors.New("current database user lacks CREATEROLE privilege")
+	}
+
+	// Retry logic for username collision
+	maxRetries := 3
+	for attempt := range maxRetries {
+		// Generate base username for PostgreSQL user creation
+		baseUsername := fmt.Sprintf("postgresus-%s", uuid.New().String()[:8])
+
+		// For Supabase session pooler, the username format for connection is "username.projectid"
+		// but the actual PostgreSQL user must be created with just the base name.
+		// The pooler will strip the ".projectid" suffix when authenticating.
+		connectionUsername := baseUsername
+		if isSupabaseConnection(p.Host, p.Username) {
+			if supabaseProjectID := extractSupabaseProjectID(p.Username); supabaseProjectID != "" {
+				connectionUsername = fmt.Sprintf("%s.%s", baseUsername, supabaseProjectID)
+			}
+		}
+
+		newPassword := uuid.New().String()
+
+		tx, err := conn.Begin(ctx)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to begin transaction: %w", err)
+		}
+
+		success := false
+		defer func() {
+			if !success {
+				if rollbackErr := tx.Rollback(ctx); rollbackErr != nil {
+					logger.Error("Failed to rollback transaction", "error", rollbackErr)
+				}
+			}
+		}()
+
+		// Step 1: Create PostgreSQL user with LOGIN privilege
+		// Note: We use baseUsername for the actual PostgreSQL user name if Supabase is used
+		_, err = tx.Exec(
+			ctx,
+			fmt.Sprintf(`CREATE USER "%s" WITH PASSWORD '%s' LOGIN`, baseUsername, newPassword),
+		)
+		if err != nil {
+			if err.Error() != "" && attempt < maxRetries-1 {
+				continue
+			}
+			return "", "", fmt.Errorf("failed to create user: %w", err)
+		}
+
+		// Step 1.5: Revoke CREATE privilege from PUBLIC role on public schema
+		// This is necessary because all PostgreSQL users inherit CREATE privilege on the
+		// public schema through the PUBLIC role. This is a one-time operation that affects
+		// the entire database, making it more secure by default.
+		// Note: This only affects the public schema; other schemas are unaffected.
+		_, err = tx.Exec(ctx, `REVOKE CREATE ON SCHEMA public FROM PUBLIC`)
+		if err != nil {
+			logger.Error("Failed to revoke CREATE on public from PUBLIC", "error", err)
+			if !strings.Contains(err.Error(), "schema \"public\" does not exist") &&
+				!strings.Contains(err.Error(), "permission denied") {
+				return "", "", fmt.Errorf("failed to revoke CREATE from PUBLIC: %w", err)
+			}
+		}
+
+		// Now revoke from the specific user as well (belt and suspenders)
+		_, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE CREATE ON SCHEMA public FROM "%s"`, baseUsername))
+		if err != nil {
+			logger.Error(
+				"Failed to revoke CREATE on public schema from user",
+				"error",
+				err,
+				"username",
+				baseUsername,
+			)
+		}
+
+		// Step 2: Grant database connection privilege and revoke TEMP
+		_, err = tx.Exec(
+			ctx,
+			fmt.Sprintf(`GRANT CONNECT ON DATABASE "%s" TO "%s"`, *p.Database, baseUsername),
+		)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant connect privilege: %w", err)
+		}
+
+		// Revoke TEMP privilege from PUBLIC role (like CREATE on public schema, TEMP is granted to PUBLIC by default)
+		_, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM PUBLIC`, *p.Database))
+		if err != nil {
+			logger.Warn("Failed to revoke TEMP from PUBLIC", "error", err)
+		}
+
+		// Also revoke from the specific user (belt and suspenders)
+		_, err = tx.Exec(
+			ctx,
+			fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM "%s"`, *p.Database, baseUsername),
+		)
+		if err != nil {
+			logger.Warn("Failed to revoke TEMP privilege", "error", err, "username", baseUsername)
+		}
+
+		// Step 3: Discover all user-created schemas
+		rows, err := tx.Query(ctx, `
+			SELECT schema_name
+			FROM information_schema.schemata
+			WHERE schema_name NOT IN ('pg_catalog', 'information_schema')
+		`)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get schemas: %w", err)
+		}
+
+		var schemas []string
+		for rows.Next() {
+			var schema string
+			if err := rows.Scan(&schema); err != nil {
+				rows.Close()
+				return "", "", fmt.Errorf("failed to scan schema: %w", err)
+			}
+			schemas = append(schemas, schema)
+		}
+		rows.Close()
+
+		if err := rows.Err(); err != nil {
+			return "", "", fmt.Errorf("error iterating schemas: %w", err)
+		}
+
+		// Step 4: Grant USAGE on each schema and explicitly prevent CREATE
+		for _, schema := range schemas {
+			// Revoke CREATE specifically (handles inheritance from PUBLIC role)
+			_, err = tx.Exec(
+				ctx,
+				fmt.Sprintf(`REVOKE CREATE ON SCHEMA "%s" FROM "%s"`, schema, baseUsername),
+			)
+			if err != nil {
+				logger.Warn(
+					"Failed to revoke CREATE on schema",
+					"error",
+					err,
+					"schema",
+					schema,
+					"username",
+					baseUsername,
+				)
+			}
+
+			// Grant only USAGE (not CREATE)
+			_, err = tx.Exec(
+				ctx,
+				fmt.Sprintf(`GRANT USAGE ON SCHEMA "%s" TO "%s"`, schema, baseUsername),
+			)
+			if err != nil {
+				return "", "", fmt.Errorf("failed to grant usage on schema %s: %w", schema, err)
+			}
+		}
+
+		// Step 5: Grant SELECT on ALL existing tables and sequences
+		grantSelectSQL := fmt.Sprintf(`
+			DO $$
+			DECLARE
+				schema_rec RECORD;
+			BEGIN
+				FOR schema_rec IN
+					SELECT schema_name
+					FROM information_schema.schemata
+					WHERE schema_name NOT IN ('pg_catalog', 'information_schema')
+				LOOP
+					EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %%I TO "%s"', schema_rec.schema_name);
+					EXECUTE format('GRANT SELECT ON ALL SEQUENCES IN SCHEMA %%I TO "%s"', schema_rec.schema_name);
+				END LOOP;
+			END $$;
+		`, baseUsername, baseUsername)
+
+		_, err = tx.Exec(ctx, grantSelectSQL)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to grant select on tables: %w", err)
+		}
+
+		// Step 6: Set default privileges for FUTURE tables and sequences
+		defaultPrivilegesSQL := fmt.Sprintf(`
+			DO $$
+			DECLARE
+				schema_rec RECORD;
+			BEGIN
+				FOR schema_rec IN
+					SELECT schema_name
+					FROM information_schema.schemata
+					WHERE schema_name NOT IN ('pg_catalog', 'information_schema')
+				LOOP
+					EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %%I GRANT SELECT ON TABLES TO "%s"', schema_rec.schema_name);
+					EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %%I GRANT SELECT ON SEQUENCES TO "%s"', schema_rec.schema_name);
+				END LOOP;
+			END $$;
+		`, baseUsername, baseUsername)
+
+		_, err = tx.Exec(ctx, defaultPrivilegesSQL)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to set default privileges: %w", err)
+		}
+
+		// Step 7: Verify user creation before committing
+		var verifyUsername string
+		err = tx.QueryRow(ctx, fmt.Sprintf(`SELECT rolname FROM pg_roles WHERE rolname = '%s'`, baseUsername)).
+			Scan(&verifyUsername)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to verify user creation: %w", err)
+		}
+
+		if err := tx.Commit(ctx); err != nil {
+			return "", "", fmt.Errorf("failed to commit transaction: %w", err)
+		}
+
+		success = true
+		// Return connectionUsername (with project ID suffix for Supabase) for the caller to use when connecting
+		logger.Info(
+			"Read-only user created successfully",
+			"username",
+			baseUsername,
+			"connectionUsername",
+			connectionUsername,
+		)
+		return connectionUsername, newPassword, nil
+	}
+
+	return "", "", errors.New("failed to generate unique username after 3 attempts")
+}
+
 // testSingleDatabaseConnection tests connection to a specific database for pg_dump
 func testSingleDatabaseConnection(
 	logger *slog.Logger,
 	ctx context.Context,
 	postgresDb *PostgresqlDatabase,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
 ) error {
 	// For single database backup, we need to connect to the specific database
 	if postgresDb.Database == nil || *postgresDb.Database == "" {
 		return errors.New("database name is required for single database backup (pg_dump)")
 	}
 
+	// Decrypt password if needed
+	password, err := decryptPasswordIfNeeded(postgresDb.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
 	// Build connection string for the specific database
-	connStr := buildConnectionStringForDB(postgresDb, *postgresDb.Database)
+	connStr := buildConnectionStringForDB(postgresDb, *postgresDb.Database, password)
 
 	// Test connection
 	conn, err := pgx.Connect(ctx, connStr)
@@ -116,10 +618,12 @@ func testSingleDatabaseConnection(
 		}
 	}()
 
-	// Check version after successful connection
-	if err := verifyDatabaseVersion(ctx, conn, postgresDb.Version); err != nil {
+	// Detect and set the database version automatically
+	detectedVersion, err := detectDatabaseVersion(ctx, conn)
+	if err != nil {
 		return err
 	}
+	postgresDb.Version = detectedVersion
 
 	// Test if we can perform basic operations (like pg_dump would need)
 	if err := testBasicOperations(ctx, conn, *postgresDb.Database); err != nil {
@@ -133,35 +637,31 @@ func testSingleDatabaseConnection(
 	return nil
 }
 
-// verifyDatabaseVersion checks if the actual database version matches the specified version
-func verifyDatabaseVersion(
-	ctx context.Context,
-	conn *pgx.Conn,
-	expectedVersion tools.PostgresqlVersion,
-) error {
+// detectDatabaseVersion queries and returns the PostgreSQL major version
+func detectDatabaseVersion(ctx context.Context, conn *pgx.Conn) (tools.PostgresqlVersion, error) {
 	var versionStr string
 	err := conn.QueryRow(ctx, "SELECT version()").Scan(&versionStr)
 	if err != nil {
-		return fmt.Errorf("failed to query database version: %w", err)
+		return "", fmt.Errorf("failed to query database version: %w", err)
 	}
 
 	// Parse version from string like "PostgreSQL 14.2 on x86_64-pc-linux-gnu..."
-	re := regexp.MustCompile(`PostgreSQL (\d+)\.`)
+	// or "PostgreSQL 16 maintained by Postgre BY..." (some builds omit minor version)
+	re := regexp.MustCompile(`PostgreSQL (\d+)`)
 	matches := re.FindStringSubmatch(versionStr)
 	if len(matches) < 2 {
-		return fmt.Errorf("could not parse version from: %s", versionStr)
+		return "", fmt.Errorf("could not parse version from: %s", versionStr)
 	}
 
-	actualVersion := tools.GetPostgresqlVersionEnum(matches[1])
-	if actualVersion != expectedVersion {
-		return fmt.Errorf(
-			"you specified wrong version. Real version is %s, but you specified %s",
-			actualVersion,
-			expectedVersion,
-		)
-	}
+	majorVersion := matches[1]
 
-	return nil
+	// Map to known PostgresqlVersion enum values
+	switch majorVersion {
+	case "12", "13", "14", "15", "16", "17", "18":
+		return tools.PostgresqlVersion(majorVersion), nil
+	default:
+		return "", fmt.Errorf("unsupported PostgreSQL version: %s", majorVersion)
+	}
 }
 
 // testBasicOperations tests basic operations that backup tools need
@@ -182,116 +682,42 @@ func testBasicOperations(ctx context.Context, conn *pgx.Conn, dbName string) err
 }
 
 // buildConnectionStringForDB builds connection string for specific database
-func buildConnectionStringForDB(p *PostgresqlDatabase, dbName string) string {
+func buildConnectionStringForDB(p *PostgresqlDatabase, dbName string, password string) string {
 	sslMode := "disable"
 	if p.IsHttps {
 		sslMode = "require"
 	}
 
-	return fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=%s",
+	return fmt.Sprintf(
+		"host=%s port=%d user=%s password=%s dbname=%s sslmode=%s default_query_exec_mode=simple_protocol standard_conforming_strings=on client_encoding=UTF8",
 		p.Host,
 		p.Port,
 		p.Username,
-		p.Password,
+		password,
 		dbName,
 		sslMode,
 	)
 }
 
-func (p *PostgresqlDatabase) InstallExtensions(extensions []tools.PostgresqlExtension) error {
-	if len(extensions) == 0 {
-		return nil
+func decryptPasswordIfNeeded(
+	password string,
+	encryptor encryption.FieldEncryptor,
+	databaseID uuid.UUID,
+) (string, error) {
+	if encryptor == nil {
+		return password, nil
 	}
-
-	if p.Database == nil || *p.Database == "" {
-		return errors.New("database name is required for installing extensions")
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	// Build connection string for the specific database
-	connStr := buildConnectionStringForDB(p, *p.Database)
-
-	// Connect to database
-	conn, err := pgx.Connect(ctx, connStr)
-	if err != nil {
-		return fmt.Errorf("failed to connect to database '%s': %w", *p.Database, err)
-	}
-	defer func() {
-		if closeErr := conn.Close(ctx); closeErr != nil {
-			fmt.Println("failed to close connection: %w", closeErr)
-		}
-	}()
-
-	// Check which extensions are already installed
-	installedExtensions, err := p.getInstalledExtensions(ctx, conn)
-	if err != nil {
-		return fmt.Errorf("failed to check installed extensions: %w", err)
-	}
-
-	// Install missing extensions
-	for _, extension := range extensions {
-		if contains(installedExtensions, string(extension)) {
-			continue // Extension already installed
-		}
-
-		if err := p.installExtension(ctx, conn, string(extension)); err != nil {
-			return fmt.Errorf("failed to install extension '%s': %w", extension, err)
-		}
-	}
-
-	return nil
+	return encryptor.Decrypt(databaseID, password)
 }
 
-// getInstalledExtensions queries the database for currently installed extensions
-func (p *PostgresqlDatabase) getInstalledExtensions(
-	ctx context.Context,
-	conn *pgx.Conn,
-) ([]string, error) {
-	query := "SELECT extname FROM pg_extension"
-
-	rows, err := conn.Query(ctx, query)
-	if err != nil {
-		return nil, fmt.Errorf("failed to query installed extensions: %w", err)
-	}
-	defer rows.Close()
-
-	var extensions []string
-	for rows.Next() {
-		var extname string
-
-		if err := rows.Scan(&extname); err != nil {
-			return nil, fmt.Errorf("failed to scan extension name: %w", err)
-		}
-
-		extensions = append(extensions, extname)
-	}
-
-	if err := rows.Err(); err != nil {
-		return nil, fmt.Errorf("error iterating over extension rows: %w", err)
-	}
-
-	return extensions, nil
+func isSupabaseConnection(host, username string) bool {
+	return strings.Contains(strings.ToLower(host), "supabase") ||
+		strings.Contains(strings.ToLower(username), "supabase")
 }
 
-// installExtension installs a single PostgreSQL extension
-func (p *PostgresqlDatabase) installExtension(
-	ctx context.Context,
-	conn *pgx.Conn,
-	extensionName string,
-) error {
-	query := fmt.Sprintf("CREATE EXTENSION IF NOT EXISTS %s", extensionName)
-
-	_, err := conn.Exec(ctx, query)
-	if err != nil {
-		return fmt.Errorf("failed to execute CREATE EXTENSION: %w", err)
+func extractSupabaseProjectID(username string) string {
+	if idx := strings.Index(username, "."); idx != -1 {
+		return username[idx+1:]
 	}
-
-	return nil
-}
-
-// contains checks if a string slice contains a specific string
-func contains(slice []string, item string) bool {
-	return slices.Contains(slice, item)
+	return ""
 }

backend/internal/features/databases/databases/postgresql/readonly_user_test.go

@@ -0,0 +1,505 @@
+package postgresql
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	_ "github.com/lib/pq"
+	"github.com/stretchr/testify/assert"
+
+	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/util/tools"
+)
+
+func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			pgModel := createPostgresModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			isReadOnly, err := pgModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.False(t, isReadOnly, "Admin user should not be read-only")
+		})
+	}
+}
+
+func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`
+			DROP TABLE IF EXISTS readonly_test CASCADE;
+			DROP TABLE IF EXISTS hack_table CASCADE;
+			DROP TABLE IF EXISTS future_table CASCADE;
+			CREATE TABLE readonly_test (
+				id SERIAL PRIMARY KEY,
+				data TEXT NOT NULL
+			);
+			INSERT INTO readonly_test (data) VALUES ('test1'), ('test2');
+		`)
+			assert.NoError(t, err)
+
+			pgModel := createPostgresModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "postgresus-"))
+
+			readOnlyModel := &PostgresqlDatabase{
+				Version:  pgModel.Version,
+				Host:     pgModel.Host,
+				Port:     pgModel.Port,
+				Username: username,
+				Password: password,
+				Database: pgModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "Created user should be read-only")
+
+			readOnlyDSN := fmt.Sprintf(
+				"host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+				container.Host,
+				container.Port,
+				username,
+				password,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var count int
+			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM readonly_test")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, count)
+
+			_, err = readOnlyConn.Exec("INSERT INTO readonly_test (data) VALUES ('should-fail')")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("UPDATE readonly_test SET data = 'hacked' WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("DELETE FROM readonly_test WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "permission denied")
+
+			// Clean up: Drop user with CASCADE to handle default privilege dependencies
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+			if err != nil {
+				t.Logf("Warning: Failed to drop owned objects: %v", err)
+			}
+
+			_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_ReadOnlyUser_FutureTables_HaveSelectPermission(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	pgModel := createPostgresModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`
+		CREATE TABLE future_table (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO future_table (data) VALUES ('future_data');
+	`)
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, username, password, container.Database)
+	readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var data string
+	err = readOnlyConn.Get(&data, "SELECT data FROM future_table LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "future_data", data)
+
+	// Clean up: Drop user with CASCADE to handle default privilege dependencies
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+	if err != nil {
+		t.Logf("Warning: Failed to drop owned objects: %v", err)
+	}
+
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+	assert.NoError(t, err)
+}
+
+func Test_ReadOnlyUser_MultipleSchemas_AllAccessible(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`
+		CREATE SCHEMA IF NOT EXISTS schema_a;
+		CREATE SCHEMA IF NOT EXISTS schema_b;
+		CREATE TABLE schema_a.table_a (id INT, data TEXT);
+		CREATE TABLE schema_b.table_b (id INT, data TEXT);
+		INSERT INTO schema_a.table_a VALUES (1, 'data_a');
+		INSERT INTO schema_b.table_b VALUES (2, 'data_b');
+	`)
+	assert.NoError(t, err)
+
+	pgModel := createPostgresModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, username, password, container.Database)
+	readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var dataA string
+	err = readOnlyConn.Get(&dataA, "SELECT data FROM schema_a.table_a LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "data_a", dataA)
+
+	var dataB string
+	err = readOnlyConn.Get(&dataB, "SELECT data FROM schema_b.table_b LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "data_b", dataB)
+
+	// Clean up: Drop user with CASCADE to handle default privilege dependencies
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+	if err != nil {
+		t.Logf("Warning: Failed to drop owned objects: %v", err)
+	}
+
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`DROP SCHEMA schema_a CASCADE; DROP SCHEMA schema_b CASCADE;`)
+	assert.NoError(t, err)
+}
+
+func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	dashDbName := "test-db-with-dash"
+
+	_, err := container.DB.Exec(fmt.Sprintf(`DROP DATABASE IF EXISTS "%s"`, dashDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(`CREATE DATABASE "%s"`, dashDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf(`DROP DATABASE IF EXISTS "%s"`, dashDbName))
+	}()
+
+	dashDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, container.Username, container.Password, dashDbName)
+	dashDB, err := sqlx.Connect("postgres", dashDSN)
+	assert.NoError(t, err)
+	defer dashDB.Close()
+
+	_, err = dashDB.Exec(`
+		CREATE TABLE dash_test (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO dash_test (data) VALUES ('test1'), ('test2');
+	`)
+	assert.NoError(t, err)
+
+	pgModel := &PostgresqlDatabase{
+		Version:  tools.GetPostgresqlVersionEnum("16"),
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &dashDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, username)
+	assert.NotEmpty(t, password)
+	assert.True(t, strings.HasPrefix(username, "postgresus-"))
+
+	readOnlyDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, username, password, dashDbName)
+	readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+
+	_, err = dashDB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+	if err != nil {
+		t.Logf("Warning: Failed to drop owned objects: %v", err)
+	}
+
+	_, err = dashDB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+	assert.NoError(t, err)
+}
+
+func Test_CreateReadOnlyUser_Supabase_UserCanReadButNotWrite(t *testing.T) {
+	env := config.GetEnv()
+
+	if env.TestSupabaseHost == "" {
+		t.Skip("Skipping Supabase test: missing environment variables")
+	}
+
+	portInt, err := strconv.Atoi(env.TestSupabasePort)
+	assert.NoError(t, err)
+
+	dsn := fmt.Sprintf(
+		"host=%s port=%d user=%s password=%s dbname=%s sslmode=require",
+		env.TestSupabaseHost,
+		portInt,
+		env.TestSupabaseUsername,
+		env.TestSupabasePassword,
+		env.TestSupabaseDatabase,
+	)
+
+	adminDB, err := sqlx.Connect("postgres", dsn)
+	assert.NoError(t, err)
+	defer adminDB.Close()
+
+	tableName := fmt.Sprintf(
+		"readonly_test_%s",
+		strings.ReplaceAll(uuid.New().String()[:8], "-", ""),
+	)
+	_, err = adminDB.Exec(fmt.Sprintf(`
+		DROP TABLE IF EXISTS public.%s CASCADE;
+		CREATE TABLE public.%s (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO public.%s (data) VALUES ('test1'), ('test2');
+	`, tableName, tableName, tableName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = adminDB.Exec(fmt.Sprintf(`DROP TABLE IF EXISTS public.%s CASCADE`, tableName))
+	}()
+
+	pgModel := &PostgresqlDatabase{
+		Host:     env.TestSupabaseHost,
+		Port:     portInt,
+		Username: env.TestSupabaseUsername,
+		Password: env.TestSupabasePassword,
+		Database: &env.TestSupabaseDatabase,
+		IsHttps:  true,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	connectionUsername, newPassword, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, connectionUsername)
+	assert.NotEmpty(t, newPassword)
+	assert.True(t, strings.HasPrefix(connectionUsername, "postgresus-"))
+
+	baseUsername := connectionUsername
+	if idx := strings.Index(connectionUsername, "."); idx != -1 {
+		baseUsername = connectionUsername[:idx]
+	}
+
+	defer func() {
+		_, _ = adminDB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, baseUsername))
+		_, _ = adminDB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, baseUsername))
+	}()
+
+	readOnlyDSN := fmt.Sprintf(
+		"host=%s port=%d user=%s password=%s dbname=%s sslmode=require",
+		env.TestSupabaseHost,
+		portInt,
+		connectionUsername,
+		newPassword,
+		env.TestSupabaseDatabase,
+	)
+	readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, fmt.Sprintf("SELECT COUNT(*) FROM public.%s", tableName))
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec(
+		fmt.Sprintf("INSERT INTO public.%s (data) VALUES ('should-fail')", tableName),
+	)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+
+	_, err = readOnlyConn.Exec(
+		fmt.Sprintf("UPDATE public.%s SET data = 'hacked' WHERE id = 1", tableName),
+	)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+
+	_, err = readOnlyConn.Exec(fmt.Sprintf("DELETE FROM public.%s WHERE id = 1", tableName))
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+
+	_, err = readOnlyConn.Exec("CREATE TABLE public.hack_table (id INT)")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+}
+
+type PostgresContainer struct {
+	Host     string
+	Port     int
+	Username string
+	Password string
+	Database string
+	DB       *sqlx.DB
+}
+
+func connectToPostgresContainer(t *testing.T, port string) *PostgresContainer {
+	dbName := "testdb"
+	password := "testpassword"
+	username := "testuser"
+	host := "localhost"
+
+	portInt, err := strconv.Atoi(port)
+	assert.NoError(t, err)
+
+	dsn := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		host, portInt, username, password, dbName)
+
+	db, err := sqlx.Connect("postgres", dsn)
+	assert.NoError(t, err)
+
+	var versionStr string
+	err = db.Get(&versionStr, "SELECT version()")
+	assert.NoError(t, err)
+
+	return &PostgresContainer{
+		Host:     host,
+		Port:     portInt,
+		Username: username,
+		Password: password,
+		Database: dbName,
+		DB:       db,
+	}
+}
+
+func createPostgresModel(container *PostgresContainer) *PostgresqlDatabase {
+	var versionStr string
+	err := container.DB.Get(&versionStr, "SELECT version()")
+	if err != nil {
+		return nil
+	}
+
+	version := extractPostgresVersion(versionStr)
+
+	return &PostgresqlDatabase{
+		Version:  version,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &container.Database,
+		IsHttps:  false,
+	}
+}
+
+func extractPostgresVersion(versionStr string) tools.PostgresqlVersion {
+	if strings.Contains(versionStr, "PostgreSQL 12") {
+		return tools.GetPostgresqlVersionEnum("12")
+	} else if strings.Contains(versionStr, "PostgreSQL 13") {
+		return tools.GetPostgresqlVersionEnum("13")
+	} else if strings.Contains(versionStr, "PostgreSQL 14") {
+		return tools.GetPostgresqlVersionEnum("14")
+	} else if strings.Contains(versionStr, "PostgreSQL 15") {
+		return tools.GetPostgresqlVersionEnum("15")
+	} else if strings.Contains(versionStr, "PostgreSQL 16") {
+		return tools.GetPostgresqlVersionEnum("16")
+	} else if strings.Contains(versionStr, "PostgreSQL 17") {
+		return tools.GetPostgresqlVersionEnum("17")
+	}
+
+	return tools.GetPostgresqlVersionEnum("16")
+}

backend/internal/features/databases/di.go

@@ -5,6 +5,7 @@ import (
 	"postgresus-backend/internal/features/notifiers"
 	users_services "postgresus-backend/internal/features/users/services"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
@@ -19,6 +20,7 @@ var databaseService = &DatabaseService{
 	[]DatabaseCopyListener{},
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
+	encryption.GetFieldEncryptor(),
 }
 
 var databaseController = &DatabaseController{

backend/internal/features/databases/dto.go

@@ -0,0 +1,10 @@
+package databases
+
+type CreateReadOnlyUserResponse struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type IsReadOnlyResponse struct {
+	IsReadOnly bool `json:"isReadOnly"`
+}

backend/internal/features/databases/enums.go

@@ -4,6 +4,8 @@ type DatabaseType string
 
 const (
 	DatabaseTypePostgres DatabaseType = "POSTGRES"
+	DatabaseTypeMysql    DatabaseType = "MYSQL"
+	DatabaseTypeMariadb  DatabaseType = "MARIADB"
 )
 
 type HealthStatus string

backend/internal/features/databases/interfaces.go

@@ -2,6 +2,7 @@ package databases
 
 import (
 	"log/slog"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -11,7 +12,11 @@ type DatabaseValidator interface {
 }
 
 type DatabaseConnector interface {
-	TestConnection(logger *slog.Logger) error
+	TestConnection(
+		logger *slog.Logger,
+		encryptor encryption.FieldEncryptor,
+		databaseID uuid.UUID,
+	) error
 
 	HideSensitiveData()
 }

backend/internal/features/databases/model.go

@@ -3,8 +3,11 @@ package databases
 import (
 	"errors"
 	"log/slog"
+	"postgresus-backend/internal/features/databases/databases/mariadb"
+	"postgresus-backend/internal/features/databases/databases/mysql"
 	"postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/notifiers"
+	"postgresus-backend/internal/util/encryption"
 	"time"
 
 	"github.com/google/uuid"
@@ -20,6 +23,8 @@ type Database struct {
 	Type        DatabaseType `json:"type"        gorm:"column:type;type:text;not null"`
 
 	Postgresql *postgresql.PostgresqlDatabase `json:"postgresql,omitempty" gorm:"foreignKey:DatabaseID"`
+	Mysql      *mysql.MysqlDatabase           `json:"mysql,omitempty"      gorm:"foreignKey:DatabaseID"`
+	Mariadb    *mariadb.MariadbDatabase       `json:"mariadb,omitempty"    gorm:"foreignKey:DatabaseID"`
 
 	Notifiers []notifiers.Notifier `json:"notifiers" gorm:"many2many:database_notifiers;"`
 
@@ -41,8 +46,17 @@ func (d *Database) Validate() error {
 		if d.Postgresql == nil {
 			return errors.New("postgresql database is required")
 		}
-
 		return d.Postgresql.Validate()
+	case DatabaseTypeMysql:
+		if d.Mysql == nil {
+			return errors.New("mysql database is required")
+		}
+		return d.Mysql.Validate()
+	case DatabaseTypeMariadb:
+		if d.Mariadb == nil {
+			return errors.New("mariadb database is required")
+		}
+		return d.Mariadb.Validate()
 	default:
 		return errors.New("invalid database type: " + string(d.Type))
 	}
@@ -56,14 +70,46 @@ func (d *Database) ValidateUpdate(old, new Database) error {
 	return nil
 }
 
-func (d *Database) TestConnection(logger *slog.Logger) error {
-	return d.getSpecificDatabase().TestConnection(logger)
+func (d *Database) TestConnection(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+) error {
+	return d.getSpecificDatabase().TestConnection(logger, encryptor, d.ID)
 }
 
 func (d *Database) HideSensitiveData() {
 	d.getSpecificDatabase().HideSensitiveData()
 }
 
+func (d *Database) EncryptSensitiveFields(encryptor encryption.FieldEncryptor) error {
+	if d.Postgresql != nil {
+		return d.Postgresql.EncryptSensitiveFields(d.ID, encryptor)
+	}
+	if d.Mysql != nil {
+		return d.Mysql.EncryptSensitiveFields(d.ID, encryptor)
+	}
+	if d.Mariadb != nil {
+		return d.Mariadb.EncryptSensitiveFields(d.ID, encryptor)
+	}
+	return nil
+}
+
+func (d *Database) PopulateVersionIfEmpty(
+	logger *slog.Logger,
+	encryptor encryption.FieldEncryptor,
+) error {
+	if d.Postgresql != nil {
+		return d.Postgresql.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+	}
+	if d.Mysql != nil {
+		return d.Mysql.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+	}
+	if d.Mariadb != nil {
+		return d.Mariadb.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+	}
+	return nil
+}
+
 func (d *Database) Update(incoming *Database) {
 	d.Name = incoming.Name
 	d.Type = incoming.Type
@@ -74,6 +120,14 @@ func (d *Database) Update(incoming *Database) {
 		if d.Postgresql != nil && incoming.Postgresql != nil {
 			d.Postgresql.Update(incoming.Postgresql)
 		}
+	case DatabaseTypeMysql:
+		if d.Mysql != nil && incoming.Mysql != nil {
+			d.Mysql.Update(incoming.Mysql)
+		}
+	case DatabaseTypeMariadb:
+		if d.Mariadb != nil && incoming.Mariadb != nil {
+			d.Mariadb.Update(incoming.Mariadb)
+		}
 	}
 }
 
@@ -81,6 +135,10 @@ func (d *Database) getSpecificDatabase() DatabaseConnector {
 	switch d.Type {
 	case DatabaseTypePostgres:
 		return d.Postgresql
+	case DatabaseTypeMysql:
+		return d.Mysql
+	case DatabaseTypeMariadb:
+		return d.Mariadb
 	}
 
 	panic("invalid database type: " + string(d.Type))

backend/internal/features/databases/repository.go

@@ -2,6 +2,8 @@ package databases
 
 import (
 	"errors"
+	"postgresus-backend/internal/features/databases/databases/mariadb"
+	"postgresus-backend/internal/features/databases/databases/mysql"
 	"postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/storage"
 
@@ -25,26 +27,33 @@ func (r *DatabaseRepository) Save(database *Database) (*Database, error) {
 			if database.Postgresql == nil {
 				return errors.New("postgresql configuration is required for PostgreSQL database")
 			}
-
-			// Ensure DatabaseID is always set and never nil
 			database.Postgresql.DatabaseID = &database.ID
+		case DatabaseTypeMysql:
+			if database.Mysql == nil {
+				return errors.New("mysql configuration is required for MySQL database")
+			}
+			database.Mysql.DatabaseID = &database.ID
+		case DatabaseTypeMariadb:
+			if database.Mariadb == nil {
+				return errors.New("mariadb configuration is required for MariaDB database")
+			}
+			database.Mariadb.DatabaseID = &database.ID
 		}
 
 		if isNew {
 			if err := tx.Create(database).
-				Omit("Postgresql", "Notifiers").
+				Omit("Postgresql", "Mysql", "Mariadb", "Notifiers").
 				Error; err != nil {
 				return err
 			}
 		} else {
 			if err := tx.Save(database).
-				Omit("Postgresql", "Notifiers").
+				Omit("Postgresql", "Mysql", "Mariadb", "Notifiers").
 				Error; err != nil {
 				return err
 			}
 		}
 
-		// Save the specific database type
 		switch database.Type {
 		case DatabaseTypePostgres:
 			database.Postgresql.DatabaseID = &database.ID
@@ -58,6 +67,30 @@ func (r *DatabaseRepository) Save(database *Database) (*Database, error) {
 					return err
 				}
 			}
+		case DatabaseTypeMysql:
+			database.Mysql.DatabaseID = &database.ID
+			if database.Mysql.ID == uuid.Nil {
+				database.Mysql.ID = uuid.New()
+				if err := tx.Create(database.Mysql).Error; err != nil {
+					return err
+				}
+			} else {
+				if err := tx.Save(database.Mysql).Error; err != nil {
+					return err
+				}
+			}
+		case DatabaseTypeMariadb:
+			database.Mariadb.DatabaseID = &database.ID
+			if database.Mariadb.ID == uuid.Nil {
+				database.Mariadb.ID = uuid.New()
+				if err := tx.Create(database.Mariadb).Error; err != nil {
+					return err
+				}
+			} else {
+				if err := tx.Save(database.Mariadb).Error; err != nil {
+					return err
+				}
+			}
 		}
 
 		if err := tx.
@@ -83,6 +116,8 @@ func (r *DatabaseRepository) FindByID(id uuid.UUID) (*Database, error) {
 	if err := storage.
 		GetDb().
 		Preload("Postgresql").
+		Preload("Mysql").
+		Preload("Mariadb").
 		Preload("Notifiers").
 		Where("id = ?", id).
 		First(&database).Error; err != nil {
@@ -98,6 +133,8 @@ func (r *DatabaseRepository) FindByWorkspaceID(workspaceID uuid.UUID) ([]*Databa
 	if err := storage.
 		GetDb().
 		Preload("Postgresql").
+		Preload("Mysql").
+		Preload("Mariadb").
 		Preload("Notifiers").
 		Where("workspace_id = ?", workspaceID).
 		Order("CASE WHEN health_status = 'UNAVAILABLE' THEN 1 WHEN health_status = 'AVAILABLE' THEN 2 WHEN health_status IS NULL THEN 3 ELSE 4 END, name ASC").
@@ -128,6 +165,18 @@ func (r *DatabaseRepository) Delete(id uuid.UUID) error {
 				Delete(&postgresql.PostgresqlDatabase{}).Error; err != nil {
 				return err
 			}
+		case DatabaseTypeMysql:
+			if err := tx.
+				Where("database_id = ?", id).
+				Delete(&mysql.MysqlDatabase{}).Error; err != nil {
+				return err
+			}
+		case DatabaseTypeMariadb:
+			if err := tx.
+				Where("database_id = ?", id).
+				Delete(&mariadb.MariadbDatabase{}).Error; err != nil {
+				return err
+			}
 		}
 
 		if err := tx.Delete(&Database{}, id).Error; err != nil {
@@ -158,6 +207,8 @@ func (r *DatabaseRepository) GetAllDatabases() ([]*Database, error) {
 	if err := storage.
 		GetDb().
 		Preload("Postgresql").
+		Preload("Mysql").
+		Preload("Mariadb").
 		Preload("Notifiers").
 		Find(&databases).Error; err != nil {
 		return nil, err

backend/internal/features/databases/service.go

@@ -1,16 +1,20 @@
 package databases
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"log/slog"
 	"time"
 
 	audit_logs "postgresus-backend/internal/features/audit_logs"
+	"postgresus-backend/internal/features/databases/databases/mariadb"
+	"postgresus-backend/internal/features/databases/databases/mysql"
 	"postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/notifiers"
 	users_models "postgresus-backend/internal/features/users/models"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -26,6 +30,7 @@ type DatabaseService struct {
 
 	workspaceService *workspaces_services.WorkspaceService
 	auditLogService  *audit_logs.AuditLogService
+	fieldEncryptor   encryption.FieldEncryptor
 }
 
 func (s *DatabaseService) AddDbCreationListener(
@@ -65,6 +70,14 @@ func (s *DatabaseService) CreateDatabase(
 		return nil, err
 	}
 
+	if err := database.PopulateVersionIfEmpty(s.logger, s.fieldEncryptor); err != nil {
+		return nil, fmt.Errorf("failed to auto-detect database version: %w", err)
+	}
+
+	if err := database.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
+		return nil, fmt.Errorf("failed to encrypt sensitive fields: %w", err)
+	}
+
 	database, err = s.dbRepository.Save(database)
 	if err != nil {
 		return nil, err
@@ -118,6 +131,14 @@ func (s *DatabaseService) UpdateDatabase(
 		return err
 	}
 
+	if err := existingDatabase.PopulateVersionIfEmpty(s.logger, s.fieldEncryptor); err != nil {
+		return fmt.Errorf("failed to auto-detect database version: %w", err)
+	}
+
+	if err := existingDatabase.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
+		return fmt.Errorf("failed to encrypt sensitive fields: %w", err)
+	}
+
 	_, err = s.dbRepository.Save(existingDatabase)
 	if err != nil {
 		return err
@@ -250,7 +271,7 @@ func (s *DatabaseService) TestDatabaseConnection(
 		return errors.New("insufficient permissions to test connection for this database")
 	}
 
-	err = database.TestConnection(s.logger)
+	err = database.TestConnection(s.logger, s.fieldEncryptor)
 	if err != nil {
 		lastSaveError := err.Error()
 		database.LastBackupErrorMessage = &lastSaveError
@@ -294,7 +315,7 @@ func (s *DatabaseService) TestDatabaseConnectionDirect(
 		usingDatabase = database
 	}
 
-	return usingDatabase.TestConnection(s.logger)
+	return usingDatabase.TestConnection(s.logger, s.fieldEncryptor)
 }
 
 func (s *DatabaseService) GetDatabaseByID(
@@ -385,6 +406,34 @@ func (s *DatabaseService) CopyDatabase(
 				IsHttps:    existingDatabase.Postgresql.IsHttps,
 			}
 		}
+	case DatabaseTypeMysql:
+		if existingDatabase.Mysql != nil {
+			newDatabase.Mysql = &mysql.MysqlDatabase{
+				ID:         uuid.Nil,
+				DatabaseID: nil,
+				Version:    existingDatabase.Mysql.Version,
+				Host:       existingDatabase.Mysql.Host,
+				Port:       existingDatabase.Mysql.Port,
+				Username:   existingDatabase.Mysql.Username,
+				Password:   existingDatabase.Mysql.Password,
+				Database:   existingDatabase.Mysql.Database,
+				IsHttps:    existingDatabase.Mysql.IsHttps,
+			}
+		}
+	case DatabaseTypeMariadb:
+		if existingDatabase.Mariadb != nil {
+			newDatabase.Mariadb = &mariadb.MariadbDatabase{
+				ID:         uuid.Nil,
+				DatabaseID: nil,
+				Version:    existingDatabase.Mariadb.Version,
+				Host:       existingDatabase.Mariadb.Host,
+				Port:       existingDatabase.Mariadb.Port,
+				Username:   existingDatabase.Mariadb.Username,
+				Password:   existingDatabase.Mariadb.Password,
+				Database:   existingDatabase.Mariadb.Database,
+				IsHttps:    existingDatabase.Mariadb.IsHttps,
+			}
+		}
 	}
 
 	if err := newDatabase.Validate(); err != nil {
@@ -446,3 +495,176 @@ func (s *DatabaseService) OnBeforeWorkspaceDeletion(workspaceID uuid.UUID) error
 
 	return nil
 }
+
+func (s *DatabaseService) IsUserReadOnly(
+	user *users_models.User,
+	database *Database,
+) (bool, error) {
+	var usingDatabase *Database
+
+	if database.ID != uuid.Nil {
+		existingDatabase, err := s.dbRepository.FindByID(database.ID)
+		if err != nil {
+			return false, err
+		}
+
+		if existingDatabase.WorkspaceID == nil {
+			return false, errors.New("cannot check user for database without workspace")
+		}
+
+		canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
+			*existingDatabase.WorkspaceID,
+			user,
+		)
+		if err != nil {
+			return false, err
+		}
+		if !canAccess {
+			return false, errors.New("insufficient permissions to access this database")
+		}
+
+		if database.WorkspaceID != nil && *existingDatabase.WorkspaceID != *database.WorkspaceID {
+			return false, errors.New("database does not belong to this workspace")
+		}
+
+		existingDatabase.Update(database)
+
+		if err := existingDatabase.Validate(); err != nil {
+			return false, err
+		}
+
+		usingDatabase = existingDatabase
+	} else {
+		if database.WorkspaceID != nil {
+			canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(*database.WorkspaceID, user)
+			if err != nil {
+				return false, err
+			}
+			if !canAccess {
+				return false, errors.New("insufficient permissions to access this workspace")
+			}
+		}
+
+		usingDatabase = database
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	switch usingDatabase.Type {
+	case DatabaseTypePostgres:
+		return usingDatabase.Postgresql.IsUserReadOnly(
+			ctx,
+			s.logger,
+			s.fieldEncryptor,
+			usingDatabase.ID,
+		)
+	case DatabaseTypeMysql:
+		return usingDatabase.Mysql.IsUserReadOnly(
+			ctx,
+			s.logger,
+			s.fieldEncryptor,
+			usingDatabase.ID,
+		)
+	case DatabaseTypeMariadb:
+		return usingDatabase.Mariadb.IsUserReadOnly(
+			ctx,
+			s.logger,
+			s.fieldEncryptor,
+			usingDatabase.ID,
+		)
+	default:
+		return false, errors.New("read-only check not supported for this database type")
+	}
+}
+
+func (s *DatabaseService) CreateReadOnlyUser(
+	user *users_models.User,
+	database *Database,
+) (string, string, error) {
+	var usingDatabase *Database
+
+	if database.ID != uuid.Nil {
+		existingDatabase, err := s.dbRepository.FindByID(database.ID)
+		if err != nil {
+			return "", "", err
+		}
+
+		if existingDatabase.WorkspaceID == nil {
+			return "", "", errors.New("cannot create user for database without workspace")
+		}
+
+		canManage, err := s.workspaceService.CanUserManageDBs(*existingDatabase.WorkspaceID, user)
+		if err != nil {
+			return "", "", err
+		}
+		if !canManage {
+			return "", "", errors.New("insufficient permissions to manage this database")
+		}
+
+		if database.WorkspaceID != nil && *existingDatabase.WorkspaceID != *database.WorkspaceID {
+			return "", "", errors.New("database does not belong to this workspace")
+		}
+
+		existingDatabase.Update(database)
+
+		if err := existingDatabase.Validate(); err != nil {
+			return "", "", err
+		}
+
+		usingDatabase = existingDatabase
+	} else {
+		if database.WorkspaceID != nil {
+			canManage, err := s.workspaceService.CanUserManageDBs(*database.WorkspaceID, user)
+			if err != nil {
+				return "", "", err
+			}
+			if !canManage {
+				return "", "", errors.New("insufficient permissions to manage this workspace")
+			}
+		}
+
+		usingDatabase = database
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	var username, password string
+	var err error
+
+	switch usingDatabase.Type {
+	case DatabaseTypePostgres:
+		username, password, err = usingDatabase.Postgresql.CreateReadOnlyUser(
+			ctx, s.logger, s.fieldEncryptor, usingDatabase.ID,
+		)
+	case DatabaseTypeMysql:
+		username, password, err = usingDatabase.Mysql.CreateReadOnlyUser(
+			ctx, s.logger, s.fieldEncryptor, usingDatabase.ID,
+		)
+	case DatabaseTypeMariadb:
+		username, password, err = usingDatabase.Mariadb.CreateReadOnlyUser(
+			ctx, s.logger, s.fieldEncryptor, usingDatabase.ID,
+		)
+	default:
+		return "", "", errors.New("read-only user creation not supported for this database type")
+	}
+
+	if err != nil {
+		return "", "", err
+	}
+
+	if usingDatabase.WorkspaceID != nil {
+		s.auditLogService.WriteAuditLog(
+			fmt.Sprintf(
+				"Read-only user created for database: %s (username: %s)",
+				usingDatabase.Name,
+				username,
+			),
+			&user.ID,
+			usingDatabase.WorkspaceID,
+		)
+	}
+
+	return username, password, nil
+}

backend/internal/features/encryption/secrets/di.go

@@ -0,0 +1,9 @@
+package secrets
+
+var secretKeyService = &SecretKeyService{
+	nil,
+}
+
+func GetSecretKeyService() *SecretKeyService {
+	return secretKeyService
+}

backend/internal/features/encryption/secrets/model.go

@@ -0,0 +1 @@
+package secrets

backend/internal/features/encryption/secrets/service.go

@@ -0,0 +1,73 @@
+package secrets
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"postgresus-backend/internal/config"
+	user_models "postgresus-backend/internal/features/users/models"
+	"postgresus-backend/internal/storage"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type SecretKeyService struct {
+	cachedKey *string
+}
+
+func (s *SecretKeyService) MigrateKeyFromDbToFileIfExist() error {
+	var secretKey user_models.SecretKey
+
+	err := storage.GetDb().First(&secretKey).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil
+		}
+		return fmt.Errorf("failed to check for secret key in database: %w", err)
+	}
+
+	if secretKey.Secret == "" {
+		return nil
+	}
+
+	secretKeyPath := config.GetEnv().SecretKeyPath
+	if err := os.WriteFile(secretKeyPath, []byte(secretKey.Secret), 0600); err != nil {
+		return fmt.Errorf("failed to write secret key to file: %w", err)
+	}
+
+	if err := storage.GetDb().Exec("DELETE FROM secret_keys").Error; err != nil {
+		return fmt.Errorf("failed to delete secret key from database: %w", err)
+	}
+
+	return nil
+}
+
+func (s *SecretKeyService) GetSecretKey() (string, error) {
+	if s.cachedKey != nil {
+		return *s.cachedKey, nil
+	}
+
+	secretKeyPath := config.GetEnv().SecretKeyPath
+	data, err := os.ReadFile(secretKeyPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			newKey := s.generateNewSecretKey()
+			if err := os.WriteFile(secretKeyPath, []byte(newKey), 0600); err != nil {
+				return "", fmt.Errorf("failed to write new secret key: %w", err)
+			}
+			s.cachedKey = &newKey
+			return newKey, nil
+		}
+		return "", fmt.Errorf("failed to read secret key file: %w", err)
+	}
+
+	key := string(data)
+	s.cachedKey = &key
+	return key, nil
+}
+
+func (s *SecretKeyService) generateNewSecretKey() string {
+	return uuid.New().String() + uuid.New().String()
+}

backend/internal/features/intervals/enums.go

@@ -7,4 +7,5 @@ const (
 	IntervalDaily   IntervalType = "DAILY"
 	IntervalWeekly  IntervalType = "WEEKLY"
 	IntervalMonthly IntervalType = "MONTHLY"
+	IntervalCron    IntervalType = "CRON"
 )

backend/internal/features/intervals/model.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/robfig/cron/v3"
 	"gorm.io/gorm"
 )
 
@@ -12,11 +13,13 @@ type Interval struct {
 	ID       uuid.UUID    `json:"id"       gorm:"primaryKey;type:uuid;default:gen_random_uuid()"`
 	Interval IntervalType `json:"interval" gorm:"type:text;not null"`
 
-	TimeOfDay *string `json:"timeOfDay"            gorm:"type:text;"`
+	TimeOfDay *string `json:"timeOfDay"                gorm:"type:text;"`
 	// only for WEEKLY
-	Weekday *int `json:"weekday,omitempty"    gorm:"type:int"`
+	Weekday *int `json:"weekday,omitempty"        gorm:"type:int"`
 	// only for MONTHLY
-	DayOfMonth *int `json:"dayOfMonth,omitempty" gorm:"type:int"`
+	DayOfMonth *int `json:"dayOfMonth,omitempty"     gorm:"type:int"`
+	// only for CRON
+	CronExpression *string `json:"cronExpression,omitempty" gorm:"type:text"`
 }
 
 func (i *Interval) BeforeSave(tx *gorm.DB) error {
@@ -40,6 +43,16 @@ func (i *Interval) Validate() error {
 		return errors.New("day of month is required for monthly intervals")
 	}
 
+	// for cron interval cron expression is required and must be valid
+	if i.Interval == IntervalCron {
+		if i.CronExpression == nil || *i.CronExpression == "" {
+			return errors.New("cron expression is required for cron intervals")
+		}
+		if err := i.validateCronExpression(*i.CronExpression); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -59,6 +72,8 @@ func (i *Interval) ShouldTriggerBackup(now time.Time, lastBackupTime *time.Time)
 		return i.shouldTriggerWeekly(now, *lastBackupTime)
 	case IntervalMonthly:
 		return i.shouldTriggerMonthly(now, *lastBackupTime)
+	case IntervalCron:
+		return i.shouldTriggerCron(now, *lastBackupTime)
 	default:
 		return false
 	}
@@ -66,11 +81,12 @@ func (i *Interval) ShouldTriggerBackup(now time.Time, lastBackupTime *time.Time)
 
 func (i *Interval) Copy() *Interval {
 	return &Interval{
-		ID:         uuid.Nil,
-		Interval:   i.Interval,
-		TimeOfDay:  i.TimeOfDay,
-		Weekday:    i.Weekday,
-		DayOfMonth: i.DayOfMonth,
+		ID:             uuid.Nil,
+		Interval:       i.Interval,
+		TimeOfDay:      i.TimeOfDay,
+		Weekday:        i.Weekday,
+		DayOfMonth:     i.DayOfMonth,
+		CronExpression: i.CronExpression,
 	}
 }
 
@@ -204,3 +220,31 @@ func getStartOfWeek(t time.Time) time.Time {
 func getStartOfMonth(t time.Time) time.Time {
 	return time.Date(t.Year(), t.Month(), 1, 0, 0, 0, 0, t.Location())
 }
+
+// cron trigger: check if we've passed a scheduled cron time since last backup
+func (i *Interval) shouldTriggerCron(now, lastBackup time.Time) bool {
+	if i.CronExpression == nil || *i.CronExpression == "" {
+		return false
+	}
+
+	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow)
+	schedule, err := parser.Parse(*i.CronExpression)
+	if err != nil {
+		return false
+	}
+
+	// Find the next scheduled time after the last backup
+	nextAfterLastBackup := schedule.Next(lastBackup)
+
+	// If we're at or past that next scheduled time, trigger
+	return now.After(nextAfterLastBackup) || now.Equal(nextAfterLastBackup)
+}
+
+func (i *Interval) validateCronExpression(expr string) error {
+	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow)
+	_, err := parser.Parse(expr)
+	if err != nil {
+		return errors.New("invalid cron expression: " + err.Error())
+	}
+	return nil
+}

backend/internal/features/intervals/model_test.go

@@ -457,6 +457,144 @@ func TestInterval_ShouldTriggerBackup_Monthly(t *testing.T) {
 	)
 }
 
+func TestInterval_ShouldTriggerBackup_Cron(t *testing.T) {
+	cronExpr := "0 2 * * *" // Daily at 2:00 AM
+	interval := &Interval{
+		ID:             uuid.New(),
+		Interval:       IntervalCron,
+		CronExpression: &cronExpr,
+	}
+
+	t.Run("No previous backup: Trigger backup immediately", func(t *testing.T) {
+		now := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
+		should := interval.ShouldTriggerBackup(now, nil)
+		assert.True(t, should)
+	})
+
+	t.Run("Before scheduled cron time: Do not trigger backup", func(t *testing.T) {
+		now := time.Date(2024, 1, 15, 1, 59, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 2, 0, 0, 0, time.UTC) // Yesterday at 2 AM
+		should := interval.ShouldTriggerBackup(now, &lastBackup)
+		assert.False(t, should)
+	})
+
+	t.Run("Exactly at scheduled cron time: Trigger backup", func(t *testing.T) {
+		now := time.Date(2024, 1, 15, 2, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 2, 0, 0, 0, time.UTC) // Yesterday at 2 AM
+		should := interval.ShouldTriggerBackup(now, &lastBackup)
+		assert.True(t, should)
+	})
+
+	t.Run("After scheduled cron time: Trigger backup", func(t *testing.T) {
+		now := time.Date(2024, 1, 15, 3, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 2, 0, 0, 0, time.UTC) // Yesterday at 2 AM
+		should := interval.ShouldTriggerBackup(now, &lastBackup)
+		assert.True(t, should)
+	})
+
+	t.Run("Backup already done after scheduled time: Do not trigger again", func(t *testing.T) {
+		now := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 15, 2, 5, 0, 0, time.UTC) // Today at 2:05 AM
+		should := interval.ShouldTriggerBackup(now, &lastBackup)
+		assert.False(t, should)
+	})
+
+	t.Run("Weekly cron expression: 0 3 * * 1 (Monday at 3 AM)", func(t *testing.T) {
+		weeklyCron := "0 3 * * 1" // Every Monday at 3 AM
+		weeklyInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &weeklyCron,
+		}
+
+		// Monday Jan 15, 2024 at 3:00 AM
+		monday := time.Date(2024, 1, 15, 3, 0, 0, 0, time.UTC)
+		// Last backup was previous Monday
+		lastBackup := time.Date(2024, 1, 8, 3, 0, 0, 0, time.UTC)
+
+		should := weeklyInterval.ShouldTriggerBackup(monday, &lastBackup)
+		assert.True(t, should)
+	})
+
+	t.Run("Complex cron expression: 30 4 1,15 * * (1st and 15th at 4:30 AM)", func(t *testing.T) {
+		complexCron := "30 4 1,15 * *" // 1st and 15th of each month at 4:30 AM
+		complexInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &complexCron,
+		}
+
+		// Jan 15, 2024 at 4:30 AM
+		now := time.Date(2024, 1, 15, 4, 30, 0, 0, time.UTC)
+		// Last backup was Jan 1
+		lastBackup := time.Date(2024, 1, 1, 4, 30, 0, 0, time.UTC)
+
+		should := complexInterval.ShouldTriggerBackup(now, &lastBackup)
+		assert.True(t, should)
+	})
+
+	t.Run("Every 6 hours cron expression: 0 */6 * * *", func(t *testing.T) {
+		sixHourlyCron := "0 */6 * * *" // Every 6 hours (0:00, 6:00, 12:00, 18:00)
+		sixHourlyInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &sixHourlyCron,
+		}
+
+		// 12:00 - next trigger after 6:00
+		now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)
+		// Last backup was at 6:00
+		lastBackup := time.Date(2024, 1, 15, 6, 0, 0, 0, time.UTC)
+
+		should := sixHourlyInterval.ShouldTriggerBackup(now, &lastBackup)
+		assert.True(t, should)
+	})
+
+	t.Run("Invalid cron expression returns false", func(t *testing.T) {
+		invalidCron := "invalid cron"
+		invalidInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &invalidCron,
+		}
+
+		now := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 10, 0, 0, 0, time.UTC)
+
+		should := invalidInterval.ShouldTriggerBackup(now, &lastBackup)
+		assert.False(t, should)
+	})
+
+	t.Run("Empty cron expression returns false", func(t *testing.T) {
+		emptyCron := ""
+		emptyInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &emptyCron,
+		}
+
+		now := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 10, 0, 0, 0, time.UTC)
+
+		should := emptyInterval.ShouldTriggerBackup(now, &lastBackup)
+		assert.False(t, should)
+	})
+
+	t.Run("Nil cron expression returns false", func(t *testing.T) {
+		nilInterval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: nil,
+		}
+
+		now := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
+		lastBackup := time.Date(2024, 1, 14, 10, 0, 0, 0, time.UTC)
+
+		should := nilInterval.ShouldTriggerBackup(now, &lastBackup)
+		assert.False(t, should)
+	})
+}
+
 func TestInterval_Validate(t *testing.T) {
 	t.Run("Daily interval requires time of day", func(t *testing.T) {
 		interval := &Interval{
@@ -526,4 +664,60 @@ func TestInterval_Validate(t *testing.T) {
 		err := interval.Validate()
 		assert.NoError(t, err)
 	})
+
+	t.Run("Cron interval requires cron expression", func(t *testing.T) {
+		interval := &Interval{
+			ID:       uuid.New(),
+			Interval: IntervalCron,
+		}
+		err := interval.Validate()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cron expression is required")
+	})
+
+	t.Run("Cron interval with empty expression is invalid", func(t *testing.T) {
+		emptyCron := ""
+		interval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &emptyCron,
+		}
+		err := interval.Validate()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cron expression is required")
+	})
+
+	t.Run("Cron interval with invalid expression is invalid", func(t *testing.T) {
+		invalidCron := "invalid cron"
+		interval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &invalidCron,
+		}
+		err := interval.Validate()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "invalid cron expression")
+	})
+
+	t.Run("Valid cron interval with daily expression", func(t *testing.T) {
+		cronExpr := "0 2 * * *" // Daily at 2 AM
+		interval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &cronExpr,
+		}
+		err := interval.Validate()
+		assert.NoError(t, err)
+	})
+
+	t.Run("Valid cron interval with complex expression", func(t *testing.T) {
+		cronExpr := "30 4 1,15 * *" // 1st and 15th of each month at 4:30 AM
+		interval := &Interval{
+			ID:             uuid.New(),
+			Interval:       IntervalCron,
+			CronExpression: &cronExpr,
+		}
+		err := interval.Validate()
+		assert.NoError(t, err)
+	})
 }

backend/internal/features/notifiers/controller_test.go

@@ -453,70 +453,6 @@ func Test_CrossWorkspaceSecurity_CannotAccessNotifierFromAnotherWorkspace(t *tes
 	workspaces_testing.RemoveTestWorkspace(workspace2, router)
 }
 
-func createRouter() *gin.Engine {
-	gin.SetMode(gin.TestMode)
-	router := gin.New()
-
-	v1 := router.Group("/api/v1")
-	protected := v1.Group("").Use(users_middleware.AuthMiddleware(users_services.GetUserService()))
-
-	if routerGroup, ok := protected.(*gin.RouterGroup); ok {
-		GetNotifierController().RegisterRoutes(routerGroup)
-		workspaces_controllers.GetWorkspaceController().RegisterRoutes(routerGroup)
-		workspaces_controllers.GetMembershipController().RegisterRoutes(routerGroup)
-	}
-
-	audit_logs.SetupDependencies()
-
-	return router
-}
-
-func createNewNotifier(workspaceID uuid.UUID) *Notifier {
-	return &Notifier{
-		WorkspaceID:  workspaceID,
-		Name:         "Test Notifier " + uuid.New().String(),
-		NotifierType: NotifierTypeWebhook,
-		WebhookNotifier: &webhook_notifier.WebhookNotifier{
-			WebhookURL:    "https://webhook.site/test-" + uuid.New().String(),
-			WebhookMethod: webhook_notifier.WebhookMethodPOST,
-		},
-	}
-}
-
-func createTelegramNotifier(workspaceID uuid.UUID) *Notifier {
-	env := config.GetEnv()
-	return &Notifier{
-		WorkspaceID:  workspaceID,
-		Name:         "Test Telegram Notifier " + uuid.New().String(),
-		NotifierType: NotifierTypeTelegram,
-		TelegramNotifier: &telegram_notifier.TelegramNotifier{
-			BotToken:     env.TestTelegramBotToken,
-			TargetChatID: env.TestTelegramChatID,
-		},
-	}
-}
-
-func verifyNotifierData(t *testing.T, expected *Notifier, actual *Notifier) {
-	assert.Equal(t, expected.Name, actual.Name)
-	assert.Equal(t, expected.NotifierType, actual.NotifierType)
-	assert.Equal(t, expected.WorkspaceID, actual.WorkspaceID)
-}
-
-func deleteNotifier(
-	t *testing.T,
-	router *gin.Engine,
-	notifierID, workspaceID uuid.UUID,
-	token string,
-) {
-	test_utils.MakeDeleteRequest(
-		t,
-		router,
-		fmt.Sprintf("/api/v1/notifiers/%s", notifierID.String()),
-		"Bearer "+token,
-		http.StatusOK,
-	)
-}
-
 func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 	testCases := []struct {
 		name                string
@@ -553,7 +489,13 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
-				assert.Equal(t, "original-bot-token-12345", notifier.TelegramNotifier.BotToken)
+				assert.True(
+					t,
+					isEncrypted(notifier.TelegramNotifier.BotToken),
+					"BotToken should be encrypted in DB",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.TelegramNotifier.BotToken)
+				assert.Equal(t, "original-bot-token-12345", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
 				assert.Equal(t, "", notifier.TelegramNotifier.BotToken)
@@ -592,7 +534,13 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
-				assert.Equal(t, "original-password-secret", notifier.EmailNotifier.SMTPPassword)
+				assert.True(
+					t,
+					isEncrypted(notifier.EmailNotifier.SMTPPassword),
+					"SMTPPassword should be encrypted in DB",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.EmailNotifier.SMTPPassword)
+				assert.Equal(t, "original-password-secret", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
 				assert.Equal(t, "", notifier.EmailNotifier.SMTPPassword)
@@ -625,7 +573,13 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
-				assert.Equal(t, "xoxb-original-slack-token", notifier.SlackNotifier.BotToken)
+				assert.True(
+					t,
+					isEncrypted(notifier.SlackNotifier.BotToken),
+					"BotToken should be encrypted in DB",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.SlackNotifier.BotToken)
+				assert.Equal(t, "xoxb-original-slack-token", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
 				assert.Equal(t, "", notifier.SlackNotifier.BotToken)
@@ -656,11 +610,17 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
-				assert.Equal(
+				assert.True(
 					t,
-					"https://discord.com/api/webhooks/123/original-token",
+					isEncrypted(notifier.DiscordNotifier.ChannelWebhookURL),
+					"WebhookURL should be encrypted in DB",
+				)
+				decrypted := decryptField(
+					t,
+					notifier.ID,
 					notifier.DiscordNotifier.ChannelWebhookURL,
 				)
+				assert.Equal(t, "https://discord.com/api/webhooks/123/original-token", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
 				assert.Equal(t, "", notifier.DiscordNotifier.ChannelWebhookURL)
@@ -691,10 +651,16 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.TeamsNotifier.WebhookURL),
+					"WebhookURL should be encrypted in DB",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.TeamsNotifier.WebhookURL)
 				assert.Equal(
 					t,
 					"https://outlook.office.com/webhook/original-token",
-					notifier.TeamsNotifier.WebhookURL,
+					decrypted,
 				)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
@@ -813,3 +779,263 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 		})
 	}
 }
+
+func Test_CreateNotifier_AllSensitiveFieldsEncryptedInDB(t *testing.T) {
+	testCases := []struct {
+		name                      string
+		createNotifier            func(workspaceID uuid.UUID) *Notifier
+		verifySensitiveEncryption func(t *testing.T, notifier *Notifier)
+	}{
+		{
+			name: "Telegram Notifier - BotToken encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Telegram",
+					NotifierType: NotifierTypeTelegram,
+					TelegramNotifier: &telegram_notifier.TelegramNotifier{
+						BotToken:     "plain-telegram-token-123",
+						TargetChatID: "123456789",
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.TelegramNotifier.BotToken),
+					"BotToken should be encrypted",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.TelegramNotifier.BotToken)
+				assert.Equal(t, "plain-telegram-token-123", decrypted)
+			},
+		},
+		{
+			name: "Email Notifier - SMTPPassword encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Email",
+					NotifierType: NotifierTypeEmail,
+					EmailNotifier: &email_notifier.EmailNotifier{
+						TargetEmail:  "test@example.com",
+						SMTPHost:     "smtp.example.com",
+						SMTPPort:     587,
+						SMTPUser:     "user@example.com",
+						SMTPPassword: "plain-smtp-password-456",
+						From:         "noreply@example.com",
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.EmailNotifier.SMTPPassword),
+					"SMTPPassword should be encrypted",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.EmailNotifier.SMTPPassword)
+				assert.Equal(t, "plain-smtp-password-456", decrypted)
+			},
+		},
+		{
+			name: "Slack Notifier - BotToken encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Slack",
+					NotifierType: NotifierTypeSlack,
+					SlackNotifier: &slack_notifier.SlackNotifier{
+						BotToken:     "plain-slack-token-789",
+						TargetChatID: "C0123456789",
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.SlackNotifier.BotToken),
+					"BotToken should be encrypted",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.SlackNotifier.BotToken)
+				assert.Equal(t, "plain-slack-token-789", decrypted)
+			},
+		},
+		{
+			name: "Discord Notifier - WebhookURL encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Discord",
+					NotifierType: NotifierTypeDiscord,
+					DiscordNotifier: &discord_notifier.DiscordNotifier{
+						ChannelWebhookURL: "https://discord.com/api/webhooks/123/abc",
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.DiscordNotifier.ChannelWebhookURL),
+					"WebhookURL should be encrypted",
+				)
+				decrypted := decryptField(
+					t,
+					notifier.ID,
+					notifier.DiscordNotifier.ChannelWebhookURL,
+				)
+				assert.Equal(t, "https://discord.com/api/webhooks/123/abc", decrypted)
+			},
+		},
+		{
+			name: "Teams Notifier - WebhookURL encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Teams",
+					NotifierType: NotifierTypeTeams,
+					TeamsNotifier: &teams_notifier.TeamsNotifier{
+						WebhookURL: "https://outlook.office.com/webhook/test123",
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.TeamsNotifier.WebhookURL),
+					"WebhookURL should be encrypted",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.TeamsNotifier.WebhookURL)
+				assert.Equal(t, "https://outlook.office.com/webhook/test123", decrypted)
+			},
+		},
+		{
+			name: "Webhook Notifier - WebhookURL encrypted",
+			createNotifier: func(workspaceID uuid.UUID) *Notifier {
+				return &Notifier{
+					WorkspaceID:  workspaceID,
+					Name:         "Test Webhook",
+					NotifierType: NotifierTypeWebhook,
+					WebhookNotifier: &webhook_notifier.WebhookNotifier{
+						WebhookURL:    "https://webhook.example.com/test456",
+						WebhookMethod: webhook_notifier.WebhookMethodPOST,
+					},
+				}
+			},
+			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
+				assert.True(
+					t,
+					isEncrypted(notifier.WebhookNotifier.WebhookURL),
+					"WebhookURL should be encrypted",
+				)
+				decrypted := decryptField(t, notifier.ID, notifier.WebhookNotifier.WebhookURL)
+				assert.Equal(t, "https://webhook.example.com/test456", decrypted)
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			router := createRouter()
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+			// Create notifier via API (plaintext credentials)
+			var createdNotifier Notifier
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/notifiers",
+				"Bearer "+owner.Token,
+				tc.createNotifier(workspace.ID),
+				http.StatusOK,
+				&createdNotifier,
+			)
+
+			// Read from DB directly (bypass service layer)
+			repository := &NotifierRepository{}
+			notifierFromDB, err := repository.FindByID(createdNotifier.ID)
+			assert.NoError(t, err)
+
+			// Verify encryption
+			tc.verifySensitiveEncryption(t, notifierFromDB)
+
+			// Cleanup
+			deleteNotifier(t, router, createdNotifier.ID, workspace.ID, owner.Token)
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
+		})
+	}
+}
+
+func createRouter() *gin.Engine {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	v1 := router.Group("/api/v1")
+	protected := v1.Group("").Use(users_middleware.AuthMiddleware(users_services.GetUserService()))
+
+	if routerGroup, ok := protected.(*gin.RouterGroup); ok {
+		GetNotifierController().RegisterRoutes(routerGroup)
+		workspaces_controllers.GetWorkspaceController().RegisterRoutes(routerGroup)
+		workspaces_controllers.GetMembershipController().RegisterRoutes(routerGroup)
+	}
+
+	audit_logs.SetupDependencies()
+
+	return router
+}
+
+func createNewNotifier(workspaceID uuid.UUID) *Notifier {
+	return &Notifier{
+		WorkspaceID:  workspaceID,
+		Name:         "Test Notifier " + uuid.New().String(),
+		NotifierType: NotifierTypeWebhook,
+		WebhookNotifier: &webhook_notifier.WebhookNotifier{
+			WebhookURL:    "https://webhook.site/test-" + uuid.New().String(),
+			WebhookMethod: webhook_notifier.WebhookMethodPOST,
+		},
+	}
+}
+
+func createTelegramNotifier(workspaceID uuid.UUID) *Notifier {
+	env := config.GetEnv()
+	return &Notifier{
+		WorkspaceID:  workspaceID,
+		Name:         "Test Telegram Notifier " + uuid.New().String(),
+		NotifierType: NotifierTypeTelegram,
+		TelegramNotifier: &telegram_notifier.TelegramNotifier{
+			BotToken:     env.TestTelegramBotToken,
+			TargetChatID: env.TestTelegramChatID,
+		},
+	}
+}
+
+func verifyNotifierData(t *testing.T, expected *Notifier, actual *Notifier) {
+	assert.Equal(t, expected.Name, actual.Name)
+	assert.Equal(t, expected.NotifierType, actual.NotifierType)
+	assert.Equal(t, expected.WorkspaceID, actual.WorkspaceID)
+}
+
+func deleteNotifier(
+	t *testing.T,
+	router *gin.Engine,
+	notifierID, workspaceID uuid.UUID,
+	token string,
+) {
+	test_utils.MakeDeleteRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/notifiers/%s", notifierID.String()),
+		"Bearer "+token,
+		http.StatusOK,
+	)
+}
+
+func isEncrypted(value string) bool {
+	return len(value) > 4 && value[:4] == "enc:"
+}
+
+func decryptField(t *testing.T, notifierID uuid.UUID, encryptedValue string) string {
+	encryptor := GetNotifierService().fieldEncryptor
+	decrypted, err := encryptor.Decrypt(notifierID, encryptedValue)
+	assert.NoError(t, err)
+	return decrypted
+}

backend/internal/features/notifiers/di.go

@@ -3,6 +3,7 @@ package notifiers
 import (
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
@@ -12,6 +13,7 @@ var notifierService = &NotifierService{
 	logger.GetLogger(),
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
+	encryption.GetFieldEncryptor(),
 }
 var notifierController = &NotifierController{
 	notifierService,

backend/internal/features/notifiers/interfaces.go

@@ -1,11 +1,21 @@
 package notifiers
 
-import "log/slog"
+import (
+	"log/slog"
+	"postgresus-backend/internal/util/encryption"
+)
 
 type NotificationSender interface {
-	Send(logger *slog.Logger, heading string, message string) error
+	Send(
+		encryptor encryption.FieldEncryptor,
+		logger *slog.Logger,
+		heading string,
+		message string,
+	) error
 
-	Validate() error
+	Validate(encryptor encryption.FieldEncryptor) error
 
 	HideSensitiveData()
+
+	EncryptSensitiveData(encryptor encryption.FieldEncryptor) error
 }

backend/internal/features/notifiers/model.go

@@ -9,6 +9,7 @@ import (
 	teams_notifier "postgresus-backend/internal/features/notifiers/models/teams"
 	telegram_notifier "postgresus-backend/internal/features/notifiers/models/telegram"
 	webhook_notifier "postgresus-backend/internal/features/notifiers/models/webhook"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -33,16 +34,21 @@ func (n *Notifier) TableName() string {
 	return "notifiers"
 }
 
-func (n *Notifier) Validate() error {
+func (n *Notifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if n.Name == "" {
 		return errors.New("name is required")
 	}
 
-	return n.getSpecificNotifier().Validate()
+	return n.getSpecificNotifier().Validate(encryptor)
 }
 
-func (n *Notifier) Send(logger *slog.Logger, heading string, message string) error {
-	err := n.getSpecificNotifier().Send(logger, heading, message)
+func (n *Notifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading string,
+	message string,
+) error {
+	err := n.getSpecificNotifier().Send(encryptor, logger, heading, message)
 
 	if err != nil {
 		lastSendError := err.Error()
@@ -58,6 +64,10 @@ func (n *Notifier) HideSensitiveData() {
 	n.getSpecificNotifier().HideSensitiveData()
 }
 
+func (n *Notifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	return n.getSpecificNotifier().EncryptSensitiveData(encryptor)
+}
+
 func (n *Notifier) Update(incoming *Notifier) {
 	n.Name = incoming.Name
 	n.NotifierType = incoming.NotifierType

backend/internal/features/notifiers/models/discord/model.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -21,7 +22,7 @@ func (d *DiscordNotifier) TableName() string {
 	return "discord_notifiers"
 }
 
-func (d *DiscordNotifier) Validate() error {
+func (d *DiscordNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if d.ChannelWebhookURL == "" {
 		return errors.New("webhook URL is required")
 	}
@@ -29,7 +30,17 @@ func (d *DiscordNotifier) Validate() error {
 	return nil
 }
 
-func (d *DiscordNotifier) Send(logger *slog.Logger, heading string, message string) error {
+func (d *DiscordNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading string,
+	message string,
+) error {
+	webhookURL, err := encryptor.Decrypt(d.NotifierID, d.ChannelWebhookURL)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt webhook URL: %w", err)
+	}
+
 	fullMessage := heading
 	if message != "" {
 		fullMessage = fmt.Sprintf("%s\n\n%s", heading, message)
@@ -44,7 +55,7 @@ func (d *DiscordNotifier) Send(logger *slog.Logger, heading string, message stri
 		return fmt.Errorf("failed to marshal Discord payload: %w", err)
 	}
 
-	req, err := http.NewRequest("POST", d.ChannelWebhookURL, bytes.NewReader(jsonPayload))
+	req, err := http.NewRequest("POST", webhookURL, bytes.NewReader(jsonPayload))
 	if err != nil {
 		return fmt.Errorf("failed to create request: %w", err)
 	}
@@ -81,3 +92,14 @@ func (d *DiscordNotifier) Update(incoming *DiscordNotifier) {
 		d.ChannelWebhookURL = incoming.ChannelWebhookURL
 	}
 }
+
+func (d *DiscordNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if d.ChannelWebhookURL != "" {
+		encrypted, err := encryptor.Encrypt(d.NotifierID, d.ChannelWebhookURL)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt webhook URL: %w", err)
+		}
+		d.ChannelWebhookURL = encrypted
+	}
+	return nil
+}

backend/internal/features/notifiers/models/email_notifier/auth.go

@@ -0,0 +1,28 @@
+package email_notifier
+
+import (
+	"errors"
+	"net/smtp"
+)
+
+type loginAuth struct {
+	username, password string
+}
+
+func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	return "LOGIN", []byte{}, nil
+}
+
+func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
+	if more {
+		switch string(fromServer) {
+		case "Username:":
+			return []byte(a.username), nil
+		case "Password:":
+			return []byte(a.password), nil
+		default:
+			return nil, errors.New("unknown LOGIN challenge: " + string(fromServer))
+		}
+	}
+	return nil, nil
+}

backend/internal/features/notifiers/models/email_notifier/model.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net"
 	"net/smtp"
+	"postgresus-backend/internal/util/encryption"
 	"time"
 
 	"github.com/google/uuid"
@@ -34,7 +35,7 @@ func (e *EmailNotifier) TableName() string {
 	return "email_notifiers"
 }
 
-func (e *EmailNotifier) Validate() error {
+func (e *EmailNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if e.TargetEmail == "" {
 		return errors.New("target email is required")
 	}
@@ -55,8 +56,21 @@ func (e *EmailNotifier) Validate() error {
 	return nil
 }
 
-func (e *EmailNotifier) Send(logger *slog.Logger, heading string, message string) error {
-	// Compose email
+func (e *EmailNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	_ *slog.Logger,
+	heading string,
+	message string,
+) error {
+	var smtpPassword string
+	if e.SMTPPassword != "" {
+		decrypted, err := encryptor.Decrypt(e.NotifierID, e.SMTPPassword)
+		if err != nil {
+			return fmt.Errorf("failed to decrypt SMTP password: %w", err)
+		}
+		smtpPassword = decrypted
+	}
+
 	from := e.From
 	if from == "" {
 		from = e.SMTPUser
@@ -65,153 +79,13 @@ func (e *EmailNotifier) Send(logger *slog.Logger, heading string, message string
 		}
 	}
 
-	to := []string{e.TargetEmail}
+	emailContent := e.buildEmailContent(heading, message, from)
+	isAuthRequired := e.SMTPUser != "" && smtpPassword != ""
 
-	// Format the email content
-	subject := fmt.Sprintf("Subject: %s\r\n", heading)
-	mime := fmt.Sprintf(
-		"MIME-version: 1.0;\nContent-Type: %s; charset=\"%s\";\n\n",
-		MIMETypeHTML,
-		MIMECharsetUTF8,
-	)
-	body := message
-	fromHeader := fmt.Sprintf("From: %s\r\n", from)
-	toHeader := fmt.Sprintf("To: %s\r\n", e.TargetEmail)
-
-	// Combine all parts of the email
-	emailContent := []byte(fromHeader + toHeader + subject + mime + body)
-
-	addr := net.JoinHostPort(e.SMTPHost, fmt.Sprintf("%d", e.SMTPPort))
-	timeout := DefaultTimeout
-
-	// Determine if authentication is required
-	isAuthRequired := e.SMTPUser != "" && e.SMTPPassword != ""
-
-	// Handle different port scenarios
 	if e.SMTPPort == ImplicitTLSPort {
-		// Implicit TLS (port 465)
-		// Set up TLS config
-		tlsConfig := &tls.Config{
-			ServerName: e.SMTPHost,
-		}
-
-		// Dial with timeout
-		dialer := &net.Dialer{Timeout: timeout}
-		conn, err := tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
-		if err != nil {
-			return fmt.Errorf("failed to connect to SMTP server: %w", err)
-		}
-		defer func() {
-			_ = conn.Close()
-		}()
-
-		// Create SMTP client
-		client, err := smtp.NewClient(conn, e.SMTPHost)
-		if err != nil {
-			return fmt.Errorf("failed to create SMTP client: %w", err)
-		}
-		defer func() {
-			_ = client.Quit()
-		}()
-
-		// Set up authentication only if credentials are provided
-		if isAuthRequired {
-			auth := smtp.PlainAuth("", e.SMTPUser, e.SMTPPassword, e.SMTPHost)
-			if err := client.Auth(auth); err != nil {
-				return fmt.Errorf("SMTP authentication failed: %w", err)
-			}
-		}
-
-		// Set sender and recipients
-		if err := client.Mail(from); err != nil {
-			return fmt.Errorf("failed to set sender: %w", err)
-		}
-		for _, recipient := range to {
-			if err := client.Rcpt(recipient); err != nil {
-				return fmt.Errorf("failed to set recipient: %w", err)
-			}
-		}
-
-		// Send the email body
-		writer, err := client.Data()
-		if err != nil {
-			return fmt.Errorf("failed to get data writer: %w", err)
-		}
-		_, err = writer.Write(emailContent)
-		if err != nil {
-			return fmt.Errorf("failed to write email content: %w", err)
-		}
-		err = writer.Close()
-		if err != nil {
-			return fmt.Errorf("failed to close data writer: %w", err)
-		}
-
-		return nil
-	} else {
-		// STARTTLS (port 587) or other ports
-		// Create a custom dialer with timeout
-		dialer := &net.Dialer{Timeout: timeout}
-		conn, err := dialer.Dial("tcp", addr)
-		if err != nil {
-			return fmt.Errorf("failed to connect to SMTP server: %w", err)
-		}
-
-		// Create client from connection
-		client, err := smtp.NewClient(conn, e.SMTPHost)
-		if err != nil {
-			return fmt.Errorf("failed to create SMTP client: %w", err)
-		}
-		defer func() {
-			_ = client.Quit()
-		}()
-
-		// Send email using the client
-		if err := client.Hello(DefaultHelloName); err != nil {
-			return fmt.Errorf("SMTP hello failed: %w", err)
-		}
-
-		// Start TLS if available
-		if ok, _ := client.Extension("STARTTLS"); ok {
-			if err := client.StartTLS(&tls.Config{ServerName: e.SMTPHost}); err != nil {
-				return fmt.Errorf("STARTTLS failed: %w", err)
-			}
-		}
-
-		// Authenticate only if credentials are provided
-		if isAuthRequired {
-			auth := smtp.PlainAuth("", e.SMTPUser, e.SMTPPassword, e.SMTPHost)
-			if err := client.Auth(auth); err != nil {
-				return fmt.Errorf("SMTP authentication failed: %w", err)
-			}
-		}
-
-		if err := client.Mail(from); err != nil {
-			return fmt.Errorf("failed to set sender: %w", err)
-		}
-
-		for _, recipient := range to {
-			if err := client.Rcpt(recipient); err != nil {
-				return fmt.Errorf("failed to set recipient: %w", err)
-			}
-		}
-
-		writer, err := client.Data()
-		if err != nil {
-			return fmt.Errorf("failed to get data writer: %w", err)
-		}
-
-		_, err = writer.Write(emailContent)
-		if err != nil {
-			return fmt.Errorf("failed to write email content: %w", err)
-		}
-
-		err = writer.Close()
-		if err != nil {
-			return fmt.Errorf("failed to close data writer: %w", err)
-		}
-
-		return client.Quit()
+		return e.sendImplicitTLS(emailContent, from, smtpPassword, isAuthRequired)
 	}
+	return e.sendStartTLS(emailContent, from, smtpPassword, isAuthRequired)
 }
 
 func (e *EmailNotifier) HideSensitiveData() {
@@ -229,3 +103,177 @@ func (e *EmailNotifier) Update(incoming *EmailNotifier) {
 		e.SMTPPassword = incoming.SMTPPassword
 	}
 }
+
+func (e *EmailNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if e.SMTPPassword != "" {
+		encrypted, err := encryptor.Encrypt(e.NotifierID, e.SMTPPassword)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt SMTP password: %w", err)
+		}
+		e.SMTPPassword = encrypted
+	}
+	return nil
+}
+
+func (e *EmailNotifier) buildEmailContent(heading, message, from string) []byte {
+	subject := fmt.Sprintf("Subject: %s\r\n", heading)
+	mime := fmt.Sprintf(
+		"MIME-version: 1.0;\nContent-Type: %s; charset=\"%s\";\n\n",
+		MIMETypeHTML,
+		MIMECharsetUTF8,
+	)
+	fromHeader := fmt.Sprintf("From: %s\r\n", from)
+	toHeader := fmt.Sprintf("To: %s\r\n", e.TargetEmail)
+	return []byte(fromHeader + toHeader + subject + mime + message)
+}
+
+func (e *EmailNotifier) sendImplicitTLS(
+	emailContent []byte,
+	from string,
+	password string,
+	isAuthRequired bool,
+) error {
+	createClient := func() (*smtp.Client, func(), error) {
+		return e.createImplicitTLSClient()
+	}
+
+	client, cleanup, err := e.authenticateWithRetry(createClient, password, isAuthRequired)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return e.sendEmail(client, from, emailContent)
+}
+
+func (e *EmailNotifier) sendStartTLS(
+	emailContent []byte,
+	from string,
+	password string,
+	isAuthRequired bool,
+) error {
+	createClient := func() (*smtp.Client, func(), error) {
+		return e.createStartTLSClient()
+	}
+
+	client, cleanup, err := e.authenticateWithRetry(createClient, password, isAuthRequired)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	return e.sendEmail(client, from, emailContent)
+}
+
+func (e *EmailNotifier) createImplicitTLSClient() (*smtp.Client, func(), error) {
+	addr := net.JoinHostPort(e.SMTPHost, fmt.Sprintf("%d", e.SMTPPort))
+	tlsConfig := &tls.Config{ServerName: e.SMTPHost}
+	dialer := &net.Dialer{Timeout: DefaultTimeout}
+
+	conn, err := tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, e.SMTPHost)
+	if err != nil {
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	return client, func() { _ = client.Quit() }, nil
+}
+
+func (e *EmailNotifier) createStartTLSClient() (*smtp.Client, func(), error) {
+	addr := net.JoinHostPort(e.SMTPHost, fmt.Sprintf("%d", e.SMTPPort))
+	dialer := &net.Dialer{Timeout: DefaultTimeout}
+
+	conn, err := dialer.Dial("tcp", addr)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, e.SMTPHost)
+	if err != nil {
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	if err := client.Hello(DefaultHelloName); err != nil {
+		_ = client.Quit()
+		_ = conn.Close()
+		return nil, nil, fmt.Errorf("SMTP hello failed: %w", err)
+	}
+
+	if ok, _ := client.Extension("STARTTLS"); ok {
+		if err := client.StartTLS(&tls.Config{ServerName: e.SMTPHost}); err != nil {
+			_ = client.Quit()
+			_ = conn.Close()
+			return nil, nil, fmt.Errorf("STARTTLS failed: %w", err)
+		}
+	}
+
+	return client, func() { _ = client.Quit() }, nil
+}
+
+func (e *EmailNotifier) authenticateWithRetry(
+	createClient func() (*smtp.Client, func(), error),
+	password string,
+	isAuthRequired bool,
+) (*smtp.Client, func(), error) {
+	client, cleanup, err := createClient()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if !isAuthRequired {
+		return client, cleanup, nil
+	}
+
+	// Try PLAIN auth first
+	plainAuth := smtp.PlainAuth("", e.SMTPUser, password, e.SMTPHost)
+	if err := client.Auth(plainAuth); err == nil {
+		return client, cleanup, nil
+	}
+
+	// PLAIN auth failed, connection may be closed - recreate and try LOGIN auth
+	cleanup()
+
+	client, cleanup, err = createClient()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	loginAuth := &loginAuth{username: e.SMTPUser, password: password}
+	if err := client.Auth(loginAuth); err != nil {
+		cleanup()
+		return nil, nil, fmt.Errorf("SMTP authentication failed: %w", err)
+	}
+
+	return client, cleanup, nil
+}
+
+func (e *EmailNotifier) sendEmail(client *smtp.Client, from string, content []byte) error {
+	if err := client.Mail(from); err != nil {
+		return fmt.Errorf("failed to set sender: %w", err)
+	}
+
+	if err := client.Rcpt(e.TargetEmail); err != nil {
+		return fmt.Errorf("failed to set recipient: %w", err)
+	}
+
+	writer, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("failed to get data writer: %w", err)
+	}
+
+	if _, err = writer.Write(content); err != nil {
+		return fmt.Errorf("failed to write email content: %w", err)
+	}
+
+	if err = writer.Close(); err != nil {
+		return fmt.Errorf("failed to close data writer: %w", err)
+	}
+
+	return nil
+}

backend/internal/features/notifiers/models/slack/model.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"postgresus-backend/internal/util/encryption"
 	"strconv"
 	"strings"
 	"time"
@@ -23,7 +24,7 @@ type SlackNotifier struct {
 
 func (s *SlackNotifier) TableName() string { return "slack_notifiers" }
 
-func (s *SlackNotifier) Validate() error {
+func (s *SlackNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if s.BotToken == "" {
 		return errors.New("bot token is required")
 	}
@@ -43,7 +44,16 @@ func (s *SlackNotifier) Validate() error {
 	return nil
 }
 
-func (s *SlackNotifier) Send(logger *slog.Logger, heading, message string) error {
+func (s *SlackNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading, message string,
+) error {
+	botToken, err := encryptor.Decrypt(s.NotifierID, s.BotToken)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt bot token: %w", err)
+	}
+
 	full := fmt.Sprintf("*%s*", heading)
 
 	if message != "" {
@@ -60,6 +70,7 @@ func (s *SlackNotifier) Send(logger *slog.Logger, heading, message string) error
 		maxAttempts       = 5
 		defaultBackoff    = 2 * time.Second // when Retry-After header missing
 		backoffMultiplier = 1.5             // use exponential growth
+		requestTimeout    = 30 * time.Second
 	)
 
 	var (
@@ -67,6 +78,10 @@ func (s *SlackNotifier) Send(logger *slog.Logger, heading, message string) error
 		attempts = 0
 	)
 
+	client := &http.Client{
+		Timeout: requestTimeout,
+	}
+
 	for {
 		attempts++
 
@@ -80,9 +95,9 @@ func (s *SlackNotifier) Send(logger *slog.Logger, heading, message string) error
 		}
 
 		req.Header.Set("Content-Type", "application/json; charset=utf-8")
-		req.Header.Set("Authorization", "Bearer "+s.BotToken)
+		req.Header.Set("Authorization", "Bearer "+botToken)
 
-		resp, err := http.DefaultClient.Do(req)
+		resp, err := client.Do(req)
 		if err != nil {
 			return fmt.Errorf("send slack message: %w", err)
 		}
@@ -144,3 +159,14 @@ func (s *SlackNotifier) Update(incoming *SlackNotifier) {
 		s.BotToken = incoming.BotToken
 	}
 }
+
+func (s *SlackNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if s.BotToken != "" {
+		encrypted, err := encryptor.Encrypt(s.NotifierID, s.BotToken)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt bot token: %w", err)
+		}
+		s.BotToken = encrypted
+	}
+	return nil
+}

backend/internal/features/notifiers/models/teams/model.go

@@ -8,6 +8,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -21,11 +22,17 @@ func (TeamsNotifier) TableName() string {
 	return "teams_notifiers"
 }
 
-func (n *TeamsNotifier) Validate() error {
+func (n *TeamsNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if n.WebhookURL == "" {
 		return errors.New("webhook_url is required")
 	}
-	u, err := url.Parse(n.WebhookURL)
+
+	webhookURL, err := encryptor.Decrypt(n.NotifierID, n.WebhookURL)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt webhook URL: %w", err)
+	}
+
+	u, err := url.Parse(webhookURL)
 	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
 		return errors.New("invalid webhook_url")
 	}
@@ -33,8 +40,8 @@ func (n *TeamsNotifier) Validate() error {
 }
 
 type cardAttachment struct {
-	ContentType string      `json:"contentType"`
-	Content     interface{} `json:"content"`
+	ContentType string `json:"contentType"`
+	Content     any    `json:"content"`
 }
 
 type payload struct {
@@ -43,11 +50,20 @@ type payload struct {
 	Attachments []cardAttachment `json:"attachments,omitempty"`
 }
 
-func (n *TeamsNotifier) Send(logger *slog.Logger, heading, message string) error {
-	if err := n.Validate(); err != nil {
+func (n *TeamsNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading, message string,
+) error {
+	if err := n.Validate(encryptor); err != nil {
 		return err
 	}
 
+	webhookURL, err := encryptor.Decrypt(n.NotifierID, n.WebhookURL)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt webhook URL: %w", err)
+	}
+
 	card := map[string]any{
 		"type":    "AdaptiveCard",
 		"version": "1.4",
@@ -71,7 +87,7 @@ func (n *TeamsNotifier) Send(logger *slog.Logger, heading, message string) error
 	}
 
 	body, _ := json.Marshal(p)
-	req, err := http.NewRequest(http.MethodPost, n.WebhookURL, bytes.NewReader(body))
+	req, err := http.NewRequest(http.MethodPost, webhookURL, bytes.NewReader(body))
 	if err != nil {
 		return err
 	}
@@ -104,3 +120,14 @@ func (n *TeamsNotifier) Update(incoming *TeamsNotifier) {
 		n.WebhookURL = incoming.WebhookURL
 	}
 }
+
+func (n *TeamsNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if n.WebhookURL != "" {
+		encrypted, err := encryptor.Encrypt(n.NotifierID, n.WebhookURL)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt webhook URL: %w", err)
+		}
+		n.WebhookURL = encrypted
+	}
+	return nil
+}

backend/internal/features/notifiers/models/telegram/model.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"postgresus-backend/internal/util/encryption"
 	"strconv"
 	"strings"
 
@@ -24,7 +25,7 @@ func (t *TelegramNotifier) TableName() string {
 	return "telegram_notifiers"
 }
 
-func (t *TelegramNotifier) Validate() error {
+func (t *TelegramNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if t.BotToken == "" {
 		return errors.New("bot token is required")
 	}
@@ -36,13 +37,23 @@ func (t *TelegramNotifier) Validate() error {
 	return nil
 }
 
-func (t *TelegramNotifier) Send(logger *slog.Logger, heading string, message string) error {
+func (t *TelegramNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading string,
+	message string,
+) error {
+	botToken, err := encryptor.Decrypt(t.NotifierID, t.BotToken)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt bot token: %w", err)
+	}
+
 	fullMessage := heading
 	if message != "" {
 		fullMessage = fmt.Sprintf("%s\n\n%s", heading, message)
 	}
 
-	apiURL := fmt.Sprintf("https://api.telegram.org/bot%s/sendMessage", t.BotToken)
+	apiURL := fmt.Sprintf("https://api.telegram.org/bot%s/sendMessage", botToken)
 
 	data := url.Values{}
 	data.Set("chat_id", t.TargetChatID)
@@ -93,3 +104,14 @@ func (t *TelegramNotifier) Update(incoming *TelegramNotifier) {
 		t.BotToken = incoming.BotToken
 	}
 }
+
+func (t *TelegramNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if t.BotToken != "" {
+		encrypted, err := encryptor.Encrypt(t.NotifierID, t.BotToken)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt bot token: %w", err)
+		}
+		t.BotToken = encrypted
+	}
+	return nil
+}

backend/internal/features/notifiers/models/webhook/model.go

@@ -9,21 +9,59 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"postgresus-backend/internal/util/encryption"
+	"strings"
 
 	"github.com/google/uuid"
+	"gorm.io/gorm"
 )
 
+type WebhookHeader struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
 type WebhookNotifier struct {
 	NotifierID    uuid.UUID     `json:"notifierId"    gorm:"primaryKey;column:notifier_id"`
 	WebhookURL    string        `json:"webhookUrl"    gorm:"not null;column:webhook_url"`
 	WebhookMethod WebhookMethod `json:"webhookMethod" gorm:"not null;column:webhook_method"`
+	BodyTemplate  *string       `json:"bodyTemplate"  gorm:"column:body_template;type:text"`
+	HeadersJSON   string        `json:"-"             gorm:"column:headers;type:text"`
+
+	Headers []WebhookHeader `json:"headers" gorm:"-"`
 }
 
 func (t *WebhookNotifier) TableName() string {
 	return "webhook_notifiers"
 }
 
-func (t *WebhookNotifier) Validate() error {
+func (t *WebhookNotifier) BeforeSave(_ *gorm.DB) error {
+	if len(t.Headers) > 0 {
+		data, err := json.Marshal(t.Headers)
+
+		if err != nil {
+			return err
+		}
+
+		t.HeadersJSON = string(data)
+	} else {
+		t.HeadersJSON = "[]"
+	}
+
+	return nil
+}
+
+func (t *WebhookNotifier) AfterFind(_ *gorm.DB) error {
+	if t.HeadersJSON != "" {
+		if err := json.Unmarshal([]byte(t.HeadersJSON), &t.Headers); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (t *WebhookNotifier) Validate(encryptor encryption.FieldEncryptor) error {
 	if t.WebhookURL == "" {
 		return errors.New("webhook URL is required")
 	}
@@ -35,69 +73,22 @@ func (t *WebhookNotifier) Validate() error {
 	return nil
 }
 
-func (t *WebhookNotifier) Send(logger *slog.Logger, heading string, message string) error {
+func (t *WebhookNotifier) Send(
+	encryptor encryption.FieldEncryptor,
+	logger *slog.Logger,
+	heading string,
+	message string,
+) error {
+	webhookURL, err := encryptor.Decrypt(t.NotifierID, t.WebhookURL)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt webhook URL: %w", err)
+	}
+
 	switch t.WebhookMethod {
 	case WebhookMethodGET:
-		reqURL := fmt.Sprintf("%s?heading=%s&message=%s",
-			t.WebhookURL,
-			url.QueryEscape(heading),
-			url.QueryEscape(message),
-		)
-
-		resp, err := http.Get(reqURL)
-		if err != nil {
-			return fmt.Errorf("failed to send GET webhook: %w", err)
-		}
-		defer func() {
-			if cerr := resp.Body.Close(); cerr != nil {
-				logger.Error("failed to close response body", "error", cerr)
-			}
-		}()
-
-		if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-			body, _ := io.ReadAll(resp.Body)
-			return fmt.Errorf(
-				"webhook GET returned status: %s, body: %s",
-				resp.Status,
-				string(body),
-			)
-		}
-
-		return nil
-
+		return t.sendGET(webhookURL, heading, message, logger)
 	case WebhookMethodPOST:
-		payload := map[string]string{
-			"heading": heading,
-			"message": message,
-		}
-
-		body, err := json.Marshal(payload)
-		if err != nil {
-			return fmt.Errorf("failed to marshal webhook payload: %w", err)
-		}
-
-		resp, err := http.Post(t.WebhookURL, "application/json", bytes.NewReader(body))
-		if err != nil {
-			return fmt.Errorf("failed to send POST webhook: %w", err)
-		}
-
-		defer func() {
-			if cerr := resp.Body.Close(); cerr != nil {
-				logger.Error("failed to close response body", "error", cerr)
-			}
-		}()
-
-		if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-			body, _ := io.ReadAll(resp.Body)
-			return fmt.Errorf(
-				"webhook POST returned status: %s, body: %s",
-				resp.Status,
-				string(body),
-			)
-		}
-
-		return nil
-
+		return t.sendPOST(webhookURL, heading, message, logger)
 	default:
 		return fmt.Errorf("unsupported webhook method: %s", t.WebhookMethod)
 	}
@@ -109,4 +100,144 @@ func (t *WebhookNotifier) HideSensitiveData() {
 func (t *WebhookNotifier) Update(incoming *WebhookNotifier) {
 	t.WebhookURL = incoming.WebhookURL
 	t.WebhookMethod = incoming.WebhookMethod
+	t.BodyTemplate = incoming.BodyTemplate
+	t.Headers = incoming.Headers
+}
+
+func (t *WebhookNotifier) EncryptSensitiveData(encryptor encryption.FieldEncryptor) error {
+	if t.WebhookURL != "" {
+		encrypted, err := encryptor.Encrypt(t.NotifierID, t.WebhookURL)
+
+		if err != nil {
+			return fmt.Errorf("failed to encrypt webhook URL: %w", err)
+		}
+
+		t.WebhookURL = encrypted
+	}
+
+	return nil
+}
+
+func (t *WebhookNotifier) sendGET(webhookURL, heading, message string, logger *slog.Logger) error {
+	reqURL := fmt.Sprintf("%s?heading=%s&message=%s",
+		webhookURL,
+		url.QueryEscape(heading),
+		url.QueryEscape(message),
+	)
+
+	req, err := http.NewRequest(http.MethodGet, reqURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create GET request: %w", err)
+	}
+
+	t.applyHeaders(req)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send GET webhook: %w", err)
+	}
+
+	defer func() {
+		if cerr := resp.Body.Close(); cerr != nil {
+			logger.Error("failed to close response body", "error", cerr)
+		}
+	}()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf(
+			"webhook GET returned status: %s, body: %s",
+			resp.Status,
+			string(body),
+		)
+	}
+
+	return nil
+}
+
+func (t *WebhookNotifier) sendPOST(webhookURL, heading, message string, logger *slog.Logger) error {
+	body := t.buildRequestBody(heading, message)
+
+	req, err := http.NewRequest(http.MethodPost, webhookURL, bytes.NewReader(body))
+	if err != nil {
+		return fmt.Errorf("failed to create POST request: %w", err)
+	}
+
+	hasContentType := false
+
+	for _, h := range t.Headers {
+		if strings.EqualFold(h.Key, "Content-Type") {
+			hasContentType = true
+			break
+		}
+	}
+
+	if !hasContentType {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	t.applyHeaders(req)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send POST webhook: %w", err)
+	}
+
+	defer func() {
+		if cerr := resp.Body.Close(); cerr != nil {
+			logger.Error("failed to close response body", "error", cerr)
+		}
+	}()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf(
+			"webhook POST returned status: %s, body: %s",
+			resp.Status,
+			string(respBody),
+		)
+	}
+
+	return nil
+}
+
+func (t *WebhookNotifier) buildRequestBody(heading, message string) []byte {
+	if t.BodyTemplate != nil && *t.BodyTemplate != "" {
+		result := *t.BodyTemplate
+		result = strings.ReplaceAll(result, "{{heading}}", escapeJSONString(heading))
+		result = strings.ReplaceAll(result, "{{message}}", escapeJSONString(message))
+		return []byte(result)
+	}
+
+	payload := map[string]string{
+		"heading": heading,
+		"message": message,
+	}
+	body, _ := json.Marshal(payload)
+
+	return body
+}
+
+func (t *WebhookNotifier) applyHeaders(req *http.Request) {
+	for _, h := range t.Headers {
+		if h.Key != "" {
+			req.Header.Set(h.Key, h.Value)
+		}
+	}
+}
+
+func escapeJSONString(s string) string {
+	b, err := json.Marshal(s)
+	if err != nil || len(b) < 2 {
+		escaped := strings.ReplaceAll(s, `\`, `\\`)
+		escaped = strings.ReplaceAll(escaped, `"`, `\"`)
+		escaped = strings.ReplaceAll(escaped, "\n", `\n`)
+		escaped = strings.ReplaceAll(escaped, "\r", `\r`)
+		escaped = strings.ReplaceAll(escaped, "\t", `\t`)
+		return escaped
+	}
+
+	return string(b[1 : len(b)-1])
 }

backend/internal/features/notifiers/service.go

@@ -8,6 +8,7 @@ import (
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	users_models "postgresus-backend/internal/features/users/models"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -17,6 +18,7 @@ type NotifierService struct {
 	logger             *slog.Logger
 	workspaceService   *workspaces_services.WorkspaceService
 	auditLogService    *audit_logs.AuditLogService
+	fieldEncryptor     encryption.FieldEncryptor
 }
 
 func (s *NotifierService) SaveNotifier(
@@ -46,7 +48,11 @@ func (s *NotifierService) SaveNotifier(
 
 		existingNotifier.Update(notifier)
 
-		if err := existingNotifier.Validate(); err != nil {
+		if err := existingNotifier.EncryptSensitiveData(s.fieldEncryptor); err != nil {
+			return err
+		}
+
+		if err := existingNotifier.Validate(s.fieldEncryptor); err != nil {
 			return err
 		}
 
@@ -63,7 +69,11 @@ func (s *NotifierService) SaveNotifier(
 	} else {
 		notifier.WorkspaceID = workspaceID
 
-		if err := notifier.Validate(); err != nil {
+		if err := notifier.EncryptSensitiveData(s.fieldEncryptor); err != nil {
+			return err
+		}
+
+		if err := notifier.Validate(s.fieldEncryptor); err != nil {
 			return err
 		}
 
@@ -175,7 +185,7 @@ func (s *NotifierService) SendTestNotification(
 		return errors.New("insufficient permissions to test notifier in this workspace")
 	}
 
-	err = notifier.Send(s.logger, "Test message", "This is a test message")
+	err = notifier.Send(s.fieldEncryptor, s.logger, "Test message", "This is a test message")
 	if err != nil {
 		return err
 	}
@@ -205,16 +215,24 @@ func (s *NotifierService) SendTestNotificationToNotifier(
 
 		existingNotifier.Update(notifier)
 
-		if err := existingNotifier.Validate(); err != nil {
+		if err := existingNotifier.EncryptSensitiveData(s.fieldEncryptor); err != nil {
+			return err
+		}
+
+		if err := existingNotifier.Validate(s.fieldEncryptor); err != nil {
 			return err
 		}
 
 		usingNotifier = existingNotifier
 	} else {
+		if err := notifier.EncryptSensitiveData(s.fieldEncryptor); err != nil {
+			return err
+		}
+
 		usingNotifier = notifier
 	}
 
-	return usingNotifier.Send(s.logger, "Test message", "This is a test message")
+	return usingNotifier.Send(s.fieldEncryptor, s.logger, "Test message", "This is a test message")
 }
 
 func (s *NotifierService) SendNotification(
@@ -233,7 +251,7 @@ func (s *NotifierService) SendNotification(
 		return
 	}
 
-	err = notifiedFromDb.Send(s.logger, title, message)
+	err = notifiedFromDb.Send(s.fieldEncryptor, s.logger, title, message)
 	if err != nil {
 		errMsg := err.Error()
 		notifiedFromDb.LastSendError = &errMsg

backend/internal/features/restores/controller_test.go

@@ -1,6 +1,7 @@
 package restores
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -29,6 +30,7 @@ import (
 	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
 	workspaces_models "postgresus-backend/internal/features/workspaces/models"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	util_encryption "postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 	"postgresus-backend/internal/util/tools"
 )
@@ -169,6 +171,36 @@ func Test_RestoreBackup_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testing
 	assert.Contains(t, string(testResp.Body), "insufficient permissions")
 }
 
+func Test_RestoreBackup_WithIsExcludeExtensions_FlagPassedCorrectly(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	_, backup := createTestDatabaseWithBackupForRestore(workspace, owner, router)
+
+	request := RestoreBackupRequest{
+		PostgresqlDatabase: &postgresql.PostgresqlDatabase{
+			Version:             tools.PostgresqlVersion16,
+			Host:                "localhost",
+			Port:                5432,
+			Username:            "postgres",
+			Password:            "postgres",
+			IsExcludeExtensions: true,
+		},
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/restores/%s/restore", backup.ID.String()),
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+	)
+
+	assert.Contains(t, string(testResp.Body), "restore started successfully")
+}
+
 func Test_RestoreBackup_AuditLogWritten(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -309,6 +341,7 @@ func createTestBackup(
 	database *databases.Database,
 	owner *users_dto.SignInResponseDTO,
 ) *backups.Backup {
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
 	userService := users_services.GetUserService()
 	user, err := userService.GetUserFromToken(owner.Token)
 	if err != nil {
@@ -338,7 +371,7 @@ func createTestBackup(
 	dummyContent := []byte("dummy backup content for testing")
 	reader := strings.NewReader(string(dummyContent))
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-	if err := storages[0].SaveFile(logger, backup.ID, reader); err != nil {
+	if err := storages[0].SaveFile(context.Background(), fieldEncryptor, logger, backup.ID, reader); err != nil {
 		panic(fmt.Sprintf("Failed to create test backup file: %v", err))
 	}
 

backend/internal/features/restores/di.go

@@ -8,6 +8,7 @@ import (
 	"postgresus-backend/internal/features/restores/usecases"
 	"postgresus-backend/internal/features/storages"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
@@ -22,6 +23,7 @@ var restoreService = &RestoreService{
 	logger.GetLogger(),
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
+	encryption.GetFieldEncryptor(),
 }
 var restoreController = &RestoreController{
 	restoreService,

backend/internal/features/restores/dto.go

@@ -1,9 +1,13 @@
 package restores
 
 import (
+	"postgresus-backend/internal/features/databases/databases/mariadb"
+	"postgresus-backend/internal/features/databases/databases/mysql"
 	"postgresus-backend/internal/features/databases/databases/postgresql"
 )
 
 type RestoreBackupRequest struct {
 	PostgresqlDatabase *postgresql.PostgresqlDatabase `json:"postgresqlDatabase"`
+	MysqlDatabase      *mysql.MysqlDatabase           `json:"mysqlDatabase"`
+	MariadbDatabase    *mariadb.MariadbDatabase       `json:"mariadbDatabase"`
 }

backend/internal/features/restores/models/model.go

@@ -2,7 +2,6 @@ package models
 
 import (
 	"postgresus-backend/internal/features/backups/backups"
-	"postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/restores/enums"
 	"time"
 
@@ -16,8 +15,6 @@ type Restore struct {
 	BackupID uuid.UUID `json:"backupId" gorm:"column:backup_id;type:uuid;not null"`
 	Backup   *backups.Backup
 
-	Postgresql *postgresql.PostgresqlDatabase `json:"postgresql,omitempty" gorm:"foreignKey:RestoreID"`
-
 	FailMessage *string `json:"failMessage" gorm:"column:fail_message"`
 
 	RestoreDurationMs int64     `json:"restoreDurationMs" gorm:"column:restore_duration_ms;default:0"`

backend/internal/features/restores/repository.go

@@ -32,7 +32,6 @@ func (r *RestoreRepository) FindByBackupID(backupID uuid.UUID) ([]*models.Restor
 	if err := storage.
 		GetDb().
 		Preload("Backup").
-		Preload("Postgresql").
 		Where("backup_id = ?", backupID).
 		Order("created_at DESC").
 		Find(&restores).Error; err != nil {
@@ -48,7 +47,6 @@ func (r *RestoreRepository) FindByID(id uuid.UUID) (*models.Restore, error) {
 	if err := storage.
 		GetDb().
 		Preload("Backup").
-		Preload("Postgresql").
 		Where("id = ?", id).
 		First(&restore).Error; err != nil {
 		return nil, err
@@ -63,7 +61,6 @@ func (r *RestoreRepository) FindByStatus(status enums.RestoreStatus) ([]*models.
 	if err := storage.
 		GetDb().
 		Preload("Backup").
-		Preload("Postgresql").
 		Where("status = ?", status).
 		Order("created_at DESC").
 		Find(&restores).Error; err != nil {

backend/internal/features/restores/service.go

@@ -14,6 +14,7 @@ import (
 	"postgresus-backend/internal/features/storages"
 	users_models "postgresus-backend/internal/features/users/models"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/tools"
 	"time"
 
@@ -30,6 +31,7 @@ type RestoreService struct {
 	logger               *slog.Logger
 	workspaceService     *workspaces_services.WorkspaceService
 	auditLogService      *audit_logs.AuditLogService
+	fieldEncryptor       encryption.FieldEncryptor
 }
 
 func (s *RestoreService) OnBeforeBackupRemove(backup *backups.Backup) error {
@@ -120,19 +122,8 @@ func (s *RestoreService) RestoreBackupWithAuth(
 		return err
 	}
 
-	fmt.Printf(
-		"restore from %s to %s\n",
-		backupDatabase.Postgresql.Version,
-		requestDTO.PostgresqlDatabase.Version,
-	)
-
-	if tools.IsBackupDbVersionHigherThanRestoreDbVersion(
-		backupDatabase.Postgresql.Version,
-		requestDTO.PostgresqlDatabase.Version,
-	) {
-		return errors.New(`backup database version is higher than restore database version. ` +
-			`Should be restored to the same version as the backup database or higher. ` +
-			`For example, you can restore PG 15 backup to PG 15, 16 or higher. But cannot restore to 14 and lower`)
+	if err := s.validateVersionCompatibility(backupDatabase, requestDTO); err != nil {
+		return err
 	}
 
 	go func() {
@@ -167,10 +158,19 @@ func (s *RestoreService) RestoreBackup(
 		return err
 	}
 
-	if database.Type == databases.DatabaseTypePostgres {
+	switch database.Type {
+	case databases.DatabaseTypePostgres:
 		if requestDTO.PostgresqlDatabase == nil {
 			return errors.New("postgresql database is required")
 		}
+	case databases.DatabaseTypeMysql:
+		if requestDTO.MysqlDatabase == nil {
+			return errors.New("mysql database is required")
+		}
+	case databases.DatabaseTypeMariadb:
+		if requestDTO.MariadbDatabase == nil {
+			return errors.New("mariadb database is required")
+		}
 	}
 
 	restore := models.Restore{
@@ -191,15 +191,9 @@ func (s *RestoreService) RestoreBackup(
 		return err
 	}
 
-	// Set the RestoreID on the PostgreSQL database and save it
-	if requestDTO.PostgresqlDatabase != nil {
-		requestDTO.PostgresqlDatabase.RestoreID = &restore.ID
-		restore.Postgresql = requestDTO.PostgresqlDatabase
-
-		// Save the restore again to include the postgresql database
-		if err := s.restoreRepository.Save(&restore); err != nil {
-			return err
-		}
+	// Save the restore again to include the postgresql database
+	if err := s.restoreRepository.Save(&restore); err != nil {
+		return err
 	}
 
 	storage, err := s.storageService.GetStorageByID(backup.StorageID)
@@ -216,12 +210,30 @@ func (s *RestoreService) RestoreBackup(
 
 	start := time.Now().UTC()
 
+	restoringToDB := &databases.Database{
+		Type:       database.Type,
+		Postgresql: requestDTO.PostgresqlDatabase,
+		Mysql:      requestDTO.MysqlDatabase,
+		Mariadb:    requestDTO.MariadbDatabase,
+	}
+
+	if err := restoringToDB.PopulateVersionIfEmpty(s.logger, s.fieldEncryptor); err != nil {
+		return fmt.Errorf("failed to auto-detect database version: %w", err)
+	}
+
+	isExcludeExtensions := false
+	if requestDTO.PostgresqlDatabase != nil {
+		isExcludeExtensions = requestDTO.PostgresqlDatabase.IsExcludeExtensions
+	}
+
 	err = s.restoreBackupUsecase.Execute(
 		backupConfig,
 		restore,
 		database,
+		restoringToDB,
 		backup,
 		storage,
+		isExcludeExtensions,
 	)
 	if err != nil {
 		errMsg := err.Error()
@@ -245,3 +257,80 @@ func (s *RestoreService) RestoreBackup(
 
 	return nil
 }
+
+func (s *RestoreService) validateVersionCompatibility(
+	backupDatabase *databases.Database,
+	requestDTO RestoreBackupRequest,
+) error {
+	// populate version
+	if requestDTO.MariadbDatabase != nil {
+		err := requestDTO.MariadbDatabase.PopulateVersion(
+			s.logger,
+			s.fieldEncryptor,
+			backupDatabase.ID,
+		)
+		if err != nil {
+			return err
+		}
+	}
+	if requestDTO.MysqlDatabase != nil {
+		err := requestDTO.MysqlDatabase.PopulateVersion(
+			s.logger,
+			s.fieldEncryptor,
+			backupDatabase.ID,
+		)
+		if err != nil {
+			return err
+		}
+	}
+	if requestDTO.PostgresqlDatabase != nil {
+		err := requestDTO.PostgresqlDatabase.PopulateVersion(
+			s.logger,
+			s.fieldEncryptor,
+			backupDatabase.ID,
+		)
+		if err != nil {
+			return err
+		}
+	}
+
+	switch backupDatabase.Type {
+	case databases.DatabaseTypePostgres:
+		if requestDTO.PostgresqlDatabase == nil {
+			return errors.New("postgresql database configuration is required for restore")
+		}
+		if tools.IsBackupDbVersionHigherThanRestoreDbVersion(
+			backupDatabase.Postgresql.Version,
+			requestDTO.PostgresqlDatabase.Version,
+		) {
+			return errors.New(`backup database version is higher than restore database version. ` +
+				`Should be restored to the same version as the backup database or higher. ` +
+				`For example, you can restore PG 15 backup to PG 15, 16 or higher. But cannot restore to 14 and lower`)
+		}
+	case databases.DatabaseTypeMysql:
+		if requestDTO.MysqlDatabase == nil {
+			return errors.New("mysql database configuration is required for restore")
+		}
+		if tools.IsMysqlBackupVersionHigherThanRestoreVersion(
+			backupDatabase.Mysql.Version,
+			requestDTO.MysqlDatabase.Version,
+		) {
+			return errors.New(`backup database version is higher than restore database version. ` +
+				`Should be restored to the same version as the backup database or higher. ` +
+				`For example, you can restore MySQL 8.0 backup to MySQL 8.0, 8.4 or higher. But cannot restore to 5.7`)
+		}
+	case databases.DatabaseTypeMariadb:
+		if requestDTO.MariadbDatabase == nil {
+			return errors.New("mariadb database configuration is required for restore")
+		}
+		if tools.IsMariadbBackupVersionHigherThanRestoreVersion(
+			backupDatabase.Mariadb.Version,
+			requestDTO.MariadbDatabase.Version,
+		) {
+			return errors.New(`backup database version is higher than restore database version. ` +
+				`Should be restored to the same version as the backup database or higher. ` +
+				`For example, you can restore MariaDB 10.11 backup to MariaDB 10.11, 11.4 or higher. But cannot restore to 10.6`)
+		}
+	}
+	return nil
+}

backend/internal/features/restores/usecases/di.go

@@ -1,11 +1,15 @@
 package usecases
 
 import (
+	usecases_mariadb "postgresus-backend/internal/features/restores/usecases/mariadb"
+	usecases_mysql "postgresus-backend/internal/features/restores/usecases/mysql"
 	usecases_postgresql "postgresus-backend/internal/features/restores/usecases/postgresql"
 )
 
 var restoreBackupUsecase = &RestoreBackupUsecase{
 	usecases_postgresql.GetRestorePostgresqlBackupUsecase(),
+	usecases_mysql.GetRestoreMysqlBackupUsecase(),
+	usecases_mariadb.GetRestoreMariadbBackupUsecase(),
 }
 
 func GetRestoreBackupUsecase() *RestoreBackupUsecase {

backend/internal/features/restores/usecases/mariadb/di.go

@@ -0,0 +1,15 @@
+package usecases_mariadb
+
+import (
+	"postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/util/logger"
+)
+
+var restoreMariadbBackupUsecase = &RestoreMariadbBackupUsecase{
+	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
+}
+
+func GetRestoreMariadbBackupUsecase() *RestoreMariadbBackupUsecase {
+	return restoreMariadbBackupUsecase
+}

backend/internal/features/restores/usecases/mariadb/restore_backup_uc.go

@@ -0,0 +1,473 @@
+package usecases_mariadb
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/klauspost/compress/zstd"
+
+	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/features/backups/backups"
+	"postgresus-backend/internal/features/backups/backups/encryption"
+	backups_config "postgresus-backend/internal/features/backups/config"
+	"postgresus-backend/internal/features/databases"
+	mariadbtypes "postgresus-backend/internal/features/databases/databases/mariadb"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/features/restores/models"
+	"postgresus-backend/internal/features/storages"
+	util_encryption "postgresus-backend/internal/util/encryption"
+	files_utils "postgresus-backend/internal/util/files"
+	"postgresus-backend/internal/util/tools"
+)
+
+type RestoreMariadbBackupUsecase struct {
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+}
+
+func (uc *RestoreMariadbBackupUsecase) Execute(
+	originalDB *databases.Database,
+	restoringToDB *databases.Database,
+	backupConfig *backups_config.BackupConfig,
+	restore models.Restore,
+	backup *backups.Backup,
+	storage *storages.Storage,
+) error {
+	if originalDB.Type != databases.DatabaseTypeMariadb {
+		return errors.New("database type not supported")
+	}
+
+	uc.logger.Info(
+		"Restoring MariaDB backup via mariadb client",
+		"restoreId", restore.ID,
+		"backupId", backup.ID,
+	)
+
+	mdb := restoringToDB.Mariadb
+	if mdb == nil {
+		return fmt.Errorf("mariadb configuration is required for restore")
+	}
+
+	if mdb.Database == nil || *mdb.Database == "" {
+		return fmt.Errorf("target database name is required for mariadb restore")
+	}
+
+	args := []string{
+		"--host=" + mdb.Host,
+		"--port=" + strconv.Itoa(mdb.Port),
+		"--user=" + mdb.Username,
+		"--verbose",
+	}
+
+	if mdb.IsHttps {
+		args = append(args, "--ssl")
+	}
+
+	if mdb.Database != nil && *mdb.Database != "" {
+		args = append(args, *mdb.Database)
+	}
+
+	return uc.restoreFromStorage(
+		originalDB,
+		tools.GetMariadbExecutable(
+			tools.MariadbExecutableMariadb,
+			mdb.Version,
+			config.GetEnv().EnvMode,
+			config.GetEnv().MariadbInstallDir,
+		),
+		args,
+		mdb.Password,
+		backup,
+		storage,
+		mdb,
+	)
+}
+
+func (uc *RestoreMariadbBackupUsecase) restoreFromStorage(
+	database *databases.Database,
+	mariadbBin string,
+	args []string,
+	password string,
+	backup *backups.Backup,
+	storage *storages.Storage,
+	mdbConfig *mariadbtypes.MariadbDatabase,
+) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Minute)
+	defer cancel()
+
+	go func() {
+		ticker := time.NewTicker(1 * time.Second)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
+	decryptedPassword, err := fieldEncryptor.Decrypt(database.ID, password)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	myCnfFile, err := uc.createTempMyCnfFile(mdbConfig, decryptedPassword)
+	if err != nil {
+		return fmt.Errorf("failed to create .my.cnf: %w", err)
+	}
+	defer func() { _ = os.RemoveAll(filepath.Dir(myCnfFile)) }()
+
+	tempBackupFile, cleanupFunc, err := uc.downloadBackupToTempFile(ctx, backup, storage)
+	if err != nil {
+		return fmt.Errorf("failed to download backup: %w", err)
+	}
+	defer cleanupFunc()
+
+	return uc.executeMariadbRestore(
+		ctx,
+		database,
+		mariadbBin,
+		args,
+		myCnfFile,
+		tempBackupFile,
+		backup,
+	)
+}
+
+func (uc *RestoreMariadbBackupUsecase) executeMariadbRestore(
+	ctx context.Context,
+	database *databases.Database,
+	mariadbBin string,
+	args []string,
+	myCnfFile string,
+	backupFile string,
+	backup *backups.Backup,
+) error {
+	fullArgs := append([]string{"--defaults-file=" + myCnfFile}, args...)
+
+	cmd := exec.CommandContext(ctx, mariadbBin, fullArgs...)
+	uc.logger.Info("Executing MariaDB restore command", "command", cmd.String())
+
+	backupFileHandle, err := os.Open(backupFile)
+	if err != nil {
+		return fmt.Errorf("failed to open backup file: %w", err)
+	}
+	defer func() { _ = backupFileHandle.Close() }()
+
+	var inputReader io.Reader = backupFileHandle
+
+	if backup.Encryption == backups_config.BackupEncryptionEncrypted {
+		decryptReader, err := uc.setupDecryption(backupFileHandle, backup)
+		if err != nil {
+			return fmt.Errorf("failed to setup decryption: %w", err)
+		}
+		inputReader = decryptReader
+	}
+
+	zstdReader, err := zstd.NewReader(inputReader)
+	if err != nil {
+		return fmt.Errorf("failed to create zstd reader: %w", err)
+	}
+	defer zstdReader.Close()
+
+	cmd.Stdin = zstdReader
+
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env,
+		"MYSQL_PWD=",
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+	)
+
+	stderrPipe, err := cmd.StderrPipe()
+	if err != nil {
+		return fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	stderrCh := make(chan []byte, 1)
+	go func() {
+		output, _ := io.ReadAll(stderrPipe)
+		stderrCh <- output
+	}()
+
+	if err = cmd.Start(); err != nil {
+		return fmt.Errorf("start mariadb: %w", err)
+	}
+
+	waitErr := cmd.Wait()
+	stderrOutput := <-stderrCh
+
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("restore cancelled due to shutdown")
+	}
+
+	if waitErr != nil {
+		return uc.handleMariadbRestoreError(database, waitErr, stderrOutput, mariadbBin)
+	}
+
+	return nil
+}
+
+func (uc *RestoreMariadbBackupUsecase) downloadBackupToTempFile(
+	ctx context.Context,
+	backup *backups.Backup,
+	storage *storages.Storage,
+) (string, func(), error) {
+	err := files_utils.EnsureDirectories([]string{
+		config.GetEnv().TempFolder,
+	})
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to ensure directories: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(config.GetEnv().TempFolder, "restore_"+uuid.New().String())
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to create temporary directory: %w", err)
+	}
+
+	cleanupFunc := func() {
+		_ = os.RemoveAll(tempDir)
+	}
+
+	tempBackupFile := filepath.Join(tempDir, "backup.sql.zst")
+
+	uc.logger.Info(
+		"Downloading backup file from storage to temporary file",
+		"backupId", backup.ID,
+		"tempFile", tempBackupFile,
+		"encrypted", backup.Encryption == backups_config.BackupEncryptionEncrypted,
+	)
+
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
+	rawReader, err := storage.GetFile(fieldEncryptor, backup.ID)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to get backup file from storage: %w", err)
+	}
+	defer func() {
+		if err := rawReader.Close(); err != nil {
+			uc.logger.Error("Failed to close backup reader", "error", err)
+		}
+	}()
+
+	tempFile, err := os.Create(tempBackupFile)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to create temporary backup file: %w", err)
+	}
+	defer func() {
+		if err := tempFile.Close(); err != nil {
+			uc.logger.Error("Failed to close temporary file", "error", err)
+		}
+	}()
+
+	_, err = uc.copyWithShutdownCheck(ctx, tempFile, rawReader)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to write backup to temporary file: %w", err)
+	}
+
+	uc.logger.Info("Backup file written to temporary location", "tempFile", tempBackupFile)
+	return tempBackupFile, cleanupFunc, nil
+}
+
+func (uc *RestoreMariadbBackupUsecase) setupDecryption(
+	reader io.Reader,
+	backup *backups.Backup,
+) (io.Reader, error) {
+	if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+		return nil, fmt.Errorf("backup is encrypted but missing encryption metadata")
+	}
+
+	masterKey, err := uc.secretKeyService.GetSecretKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get master key for decryption: %w", err)
+	}
+
+	salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encryption salt: %w", err)
+	}
+
+	iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encryption IV: %w", err)
+	}
+
+	decryptReader, err := encryption.NewDecryptionReader(
+		reader,
+		masterKey,
+		backup.ID,
+		salt,
+		iv,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create decryption reader: %w", err)
+	}
+
+	uc.logger.Info("Using decryption for encrypted backup", "backupId", backup.ID)
+	return decryptReader, nil
+}
+
+func (uc *RestoreMariadbBackupUsecase) createTempMyCnfFile(
+	mdbConfig *mariadbtypes.MariadbDatabase,
+	password string,
+) (string, error) {
+	tempDir, err := os.MkdirTemp("", "mycnf")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
+
+	myCnfFile := filepath.Join(tempDir, ".my.cnf")
+
+	content := fmt.Sprintf(`[client]
+user=%s
+password="%s"
+host=%s
+port=%d
+`, mdbConfig.Username, tools.EscapeMariadbPassword(password), mdbConfig.Host, mdbConfig.Port)
+
+	if mdbConfig.IsHttps {
+		content += "ssl=true\n"
+	} else {
+		content += "ssl=false\n"
+	}
+
+	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	if err != nil {
+		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
+	}
+
+	return myCnfFile, nil
+}
+
+func (uc *RestoreMariadbBackupUsecase) copyWithShutdownCheck(
+	ctx context.Context,
+	dst io.Writer,
+	src io.Reader,
+) (int64, error) {
+	buf := make([]byte, 16*1024*1024)
+	var totalBytesWritten int64
+
+	for {
+		select {
+		case <-ctx.Done():
+			return totalBytesWritten, fmt.Errorf("copy cancelled: %w", ctx.Err())
+		default:
+		}
+
+		if config.IsShouldShutdown() {
+			return totalBytesWritten, fmt.Errorf("copy cancelled due to shutdown")
+		}
+
+		bytesRead, readErr := src.Read(buf)
+		if bytesRead > 0 {
+			bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+			if bytesWritten < 0 || bytesRead < bytesWritten {
+				bytesWritten = 0
+				if writeErr == nil {
+					writeErr = fmt.Errorf("invalid write result")
+				}
+			}
+
+			if writeErr != nil {
+				return totalBytesWritten, writeErr
+			}
+
+			if bytesRead != bytesWritten {
+				return totalBytesWritten, io.ErrShortWrite
+			}
+
+			totalBytesWritten += int64(bytesWritten)
+		}
+
+		if readErr != nil {
+			if readErr != io.EOF {
+				return totalBytesWritten, readErr
+			}
+			break
+		}
+	}
+
+	return totalBytesWritten, nil
+}
+
+func (uc *RestoreMariadbBackupUsecase) handleMariadbRestoreError(
+	database *databases.Database,
+	waitErr error,
+	stderrOutput []byte,
+	mariadbBin string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf(
+		"%s failed: %v – stderr: %s",
+		filepath.Base(mariadbBin),
+		waitErr,
+		stderrStr,
+	)
+
+	if containsIgnoreCase(stderrStr, "access denied") {
+		return fmt.Errorf(
+			"MariaDB access denied. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "can't connect") ||
+		containsIgnoreCase(stderrStr, "connection refused") {
+		return fmt.Errorf(
+			"MariaDB connection refused. Check if the server is running and accessible. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "unknown database") {
+		backupDbName := "unknown"
+		if database.Mariadb != nil && database.Mariadb.Database != nil {
+			backupDbName = *database.Mariadb.Database
+		}
+
+		return fmt.Errorf(
+			"target database does not exist (backup db %s). Create the database before restoring. stderr: %s",
+			backupDbName,
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") {
+		return fmt.Errorf(
+			"MariaDB SSL connection failed. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"MariaDB connection timeout. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/restores/usecases/mysql/di.go

@@ -0,0 +1,15 @@
+package usecases_mysql
+
+import (
+	"postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/util/logger"
+)
+
+var restoreMysqlBackupUsecase = &RestoreMysqlBackupUsecase{
+	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
+}
+
+func GetRestoreMysqlBackupUsecase() *RestoreMysqlBackupUsecase {
+	return restoreMysqlBackupUsecase
+}

backend/internal/features/restores/usecases/mysql/restore_backup_uc.go

@@ -0,0 +1,463 @@
+package usecases_mysql
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/klauspost/compress/zstd"
+
+	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/features/backups/backups"
+	"postgresus-backend/internal/features/backups/backups/encryption"
+	backups_config "postgresus-backend/internal/features/backups/config"
+	"postgresus-backend/internal/features/databases"
+	mysqltypes "postgresus-backend/internal/features/databases/databases/mysql"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
+	"postgresus-backend/internal/features/restores/models"
+	"postgresus-backend/internal/features/storages"
+	util_encryption "postgresus-backend/internal/util/encryption"
+	files_utils "postgresus-backend/internal/util/files"
+	"postgresus-backend/internal/util/tools"
+)
+
+type RestoreMysqlBackupUsecase struct {
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+}
+
+func (uc *RestoreMysqlBackupUsecase) Execute(
+	originalDB *databases.Database,
+	restoringToDB *databases.Database,
+	backupConfig *backups_config.BackupConfig,
+	restore models.Restore,
+	backup *backups.Backup,
+	storage *storages.Storage,
+) error {
+	if originalDB.Type != databases.DatabaseTypeMysql {
+		return errors.New("database type not supported")
+	}
+
+	uc.logger.Info(
+		"Restoring MySQL backup via mysql client",
+		"restoreId", restore.ID,
+		"backupId", backup.ID,
+	)
+
+	my := restoringToDB.Mysql
+	if my == nil {
+		return fmt.Errorf("mysql configuration is required for restore")
+	}
+
+	if my.Database == nil || *my.Database == "" {
+		return fmt.Errorf("target database name is required for mysql restore")
+	}
+
+	args := []string{
+		"--host=" + my.Host,
+		"--port=" + strconv.Itoa(my.Port),
+		"--user=" + my.Username,
+		"--verbose",
+	}
+
+	if my.IsHttps {
+		args = append(args, "--ssl-mode=REQUIRED")
+	}
+
+	if my.Database != nil && *my.Database != "" {
+		args = append(args, *my.Database)
+	}
+
+	return uc.restoreFromStorage(
+		originalDB,
+		tools.GetMysqlExecutable(
+			my.Version,
+			tools.MysqlExecutableMysql,
+			config.GetEnv().EnvMode,
+			config.GetEnv().MysqlInstallDir,
+		),
+		args,
+		my.Password,
+		backup,
+		storage,
+		my,
+	)
+}
+
+func (uc *RestoreMysqlBackupUsecase) restoreFromStorage(
+	database *databases.Database,
+	mysqlBin string,
+	args []string,
+	password string,
+	backup *backups.Backup,
+	storage *storages.Storage,
+	myConfig *mysqltypes.MysqlDatabase,
+) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Minute)
+	defer cancel()
+
+	go func() {
+		ticker := time.NewTicker(1 * time.Second)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
+	decryptedPassword, err := fieldEncryptor.Decrypt(database.ID, password)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	myCnfFile, err := uc.createTempMyCnfFile(myConfig, decryptedPassword)
+	if err != nil {
+		return fmt.Errorf("failed to create .my.cnf: %w", err)
+	}
+	defer func() { _ = os.RemoveAll(filepath.Dir(myCnfFile)) }()
+
+	tempBackupFile, cleanupFunc, err := uc.downloadBackupToTempFile(ctx, backup, storage)
+	if err != nil {
+		return fmt.Errorf("failed to download backup: %w", err)
+	}
+	defer cleanupFunc()
+
+	return uc.executeMysqlRestore(ctx, database, mysqlBin, args, myCnfFile, tempBackupFile, backup)
+}
+
+func (uc *RestoreMysqlBackupUsecase) executeMysqlRestore(
+	ctx context.Context,
+	database *databases.Database,
+	mysqlBin string,
+	args []string,
+	myCnfFile string,
+	backupFile string,
+	backup *backups.Backup,
+) error {
+	fullArgs := append([]string{"--defaults-file=" + myCnfFile}, args...)
+
+	cmd := exec.CommandContext(ctx, mysqlBin, fullArgs...)
+	uc.logger.Info("Executing MySQL restore command", "command", cmd.String())
+
+	backupFileHandle, err := os.Open(backupFile)
+	if err != nil {
+		return fmt.Errorf("failed to open backup file: %w", err)
+	}
+	defer func() { _ = backupFileHandle.Close() }()
+
+	var inputReader io.Reader = backupFileHandle
+
+	if backup.Encryption == backups_config.BackupEncryptionEncrypted {
+		decryptReader, err := uc.setupDecryption(backupFileHandle, backup)
+		if err != nil {
+			return fmt.Errorf("failed to setup decryption: %w", err)
+		}
+		inputReader = decryptReader
+	}
+
+	zstdReader, err := zstd.NewReader(inputReader)
+	if err != nil {
+		return fmt.Errorf("failed to create zstd reader: %w", err)
+	}
+	defer zstdReader.Close()
+
+	cmd.Stdin = zstdReader
+
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env,
+		"MYSQL_PWD=",
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+	)
+
+	stderrPipe, err := cmd.StderrPipe()
+	if err != nil {
+		return fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	stderrCh := make(chan []byte, 1)
+	go func() {
+		output, _ := io.ReadAll(stderrPipe)
+		stderrCh <- output
+	}()
+
+	if err = cmd.Start(); err != nil {
+		return fmt.Errorf("start mysql: %w", err)
+	}
+
+	waitErr := cmd.Wait()
+	stderrOutput := <-stderrCh
+
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("restore cancelled due to shutdown")
+	}
+
+	if waitErr != nil {
+		return uc.handleMysqlRestoreError(database, waitErr, stderrOutput, mysqlBin)
+	}
+
+	return nil
+}
+
+func (uc *RestoreMysqlBackupUsecase) downloadBackupToTempFile(
+	ctx context.Context,
+	backup *backups.Backup,
+	storage *storages.Storage,
+) (string, func(), error) {
+	err := files_utils.EnsureDirectories([]string{
+		config.GetEnv().TempFolder,
+	})
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to ensure directories: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(config.GetEnv().TempFolder, "restore_"+uuid.New().String())
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to create temporary directory: %w", err)
+	}
+
+	cleanupFunc := func() {
+		_ = os.RemoveAll(tempDir)
+	}
+
+	tempBackupFile := filepath.Join(tempDir, "backup.sql.zst")
+
+	uc.logger.Info(
+		"Downloading backup file from storage to temporary file",
+		"backupId", backup.ID,
+		"tempFile", tempBackupFile,
+		"encrypted", backup.Encryption == backups_config.BackupEncryptionEncrypted,
+	)
+
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
+	rawReader, err := storage.GetFile(fieldEncryptor, backup.ID)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to get backup file from storage: %w", err)
+	}
+	defer func() {
+		if err := rawReader.Close(); err != nil {
+			uc.logger.Error("Failed to close backup reader", "error", err)
+		}
+	}()
+
+	tempFile, err := os.Create(tempBackupFile)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to create temporary backup file: %w", err)
+	}
+	defer func() {
+		if err := tempFile.Close(); err != nil {
+			uc.logger.Error("Failed to close temporary file", "error", err)
+		}
+	}()
+
+	_, err = uc.copyWithShutdownCheck(ctx, tempFile, rawReader)
+	if err != nil {
+		cleanupFunc()
+		return "", nil, fmt.Errorf("failed to write backup to temporary file: %w", err)
+	}
+
+	uc.logger.Info("Backup file written to temporary location", "tempFile", tempBackupFile)
+	return tempBackupFile, cleanupFunc, nil
+}
+
+func (uc *RestoreMysqlBackupUsecase) setupDecryption(
+	reader io.Reader,
+	backup *backups.Backup,
+) (io.Reader, error) {
+	if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+		return nil, fmt.Errorf("backup is encrypted but missing encryption metadata")
+	}
+
+	masterKey, err := uc.secretKeyService.GetSecretKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get master key for decryption: %w", err)
+	}
+
+	salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encryption salt: %w", err)
+	}
+
+	iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encryption IV: %w", err)
+	}
+
+	decryptReader, err := encryption.NewDecryptionReader(
+		reader,
+		masterKey,
+		backup.ID,
+		salt,
+		iv,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create decryption reader: %w", err)
+	}
+
+	uc.logger.Info("Using decryption for encrypted backup", "backupId", backup.ID)
+	return decryptReader, nil
+}
+
+func (uc *RestoreMysqlBackupUsecase) createTempMyCnfFile(
+	myConfig *mysqltypes.MysqlDatabase,
+	password string,
+) (string, error) {
+	tempDir, err := os.MkdirTemp("", "mycnf")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
+
+	myCnfFile := filepath.Join(tempDir, ".my.cnf")
+
+	content := fmt.Sprintf(`[client]
+user=%s
+password="%s"
+host=%s
+port=%d
+`, myConfig.Username, tools.EscapeMysqlPassword(password), myConfig.Host, myConfig.Port)
+
+	if myConfig.IsHttps {
+		content += "ssl-mode=REQUIRED\n"
+	}
+
+	err = os.WriteFile(myCnfFile, []byte(content), 0600)
+	if err != nil {
+		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
+	}
+
+	return myCnfFile, nil
+}
+
+func (uc *RestoreMysqlBackupUsecase) copyWithShutdownCheck(
+	ctx context.Context,
+	dst io.Writer,
+	src io.Reader,
+) (int64, error) {
+	buf := make([]byte, 16*1024*1024)
+	var totalBytesWritten int64
+
+	for {
+		select {
+		case <-ctx.Done():
+			return totalBytesWritten, fmt.Errorf("copy cancelled: %w", ctx.Err())
+		default:
+		}
+
+		if config.IsShouldShutdown() {
+			return totalBytesWritten, fmt.Errorf("copy cancelled due to shutdown")
+		}
+
+		bytesRead, readErr := src.Read(buf)
+		if bytesRead > 0 {
+			bytesWritten, writeErr := dst.Write(buf[0:bytesRead])
+			if bytesWritten < 0 || bytesRead < bytesWritten {
+				bytesWritten = 0
+				if writeErr == nil {
+					writeErr = fmt.Errorf("invalid write result")
+				}
+			}
+
+			if writeErr != nil {
+				return totalBytesWritten, writeErr
+			}
+
+			if bytesRead != bytesWritten {
+				return totalBytesWritten, io.ErrShortWrite
+			}
+
+			totalBytesWritten += int64(bytesWritten)
+		}
+
+		if readErr != nil {
+			if readErr != io.EOF {
+				return totalBytesWritten, readErr
+			}
+			break
+		}
+	}
+
+	return totalBytesWritten, nil
+}
+
+func (uc *RestoreMysqlBackupUsecase) handleMysqlRestoreError(
+	database *databases.Database,
+	waitErr error,
+	stderrOutput []byte,
+	mysqlBin string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf(
+		"%s failed: %v – stderr: %s",
+		filepath.Base(mysqlBin),
+		waitErr,
+		stderrStr,
+	)
+
+	if containsIgnoreCase(stderrStr, "access denied") {
+		return fmt.Errorf(
+			"MySQL access denied. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "can't connect") ||
+		containsIgnoreCase(stderrStr, "connection refused") {
+		return fmt.Errorf(
+			"MySQL connection refused. Check if the server is running and accessible. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "unknown database") {
+		backupDbName := "unknown"
+		if database.Mysql != nil && database.Mysql.Database != nil {
+			backupDbName = *database.Mysql.Database
+		}
+
+		return fmt.Errorf(
+			"target database does not exist (backup db %s). Create the database before restoring. stderr: %s",
+			backupDbName,
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") {
+		return fmt.Errorf(
+			"MySQL SSL connection failed. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"MySQL connection timeout. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/restores/usecases/postgresql/di.go

@@ -1,11 +1,13 @@
 package usecases_postgresql
 
 import (
+	"postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/util/logger"
 )
 
 var restorePostgresqlBackupUsecase = &RestorePostgresqlBackupUsecase{
 	logger.GetLogger(),
+	secrets.GetSecretKeyService(),
 }
 
 func GetRestorePostgresqlBackupUsecase() *RestorePostgresqlBackupUsecase {

backend/internal/features/restores/usecases/postgresql/restore_backup_uc.go

@@ -2,6 +2,7 @@ package usecases_postgresql
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -15,11 +16,14 @@ import (
 
 	"postgresus-backend/internal/config"
 	"postgresus-backend/internal/features/backups/backups"
+	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/restores/models"
 	"postgresus-backend/internal/features/storages"
+	util_encryption "postgresus-backend/internal/util/encryption"
 	files_utils "postgresus-backend/internal/util/files"
 	"postgresus-backend/internal/util/tools"
 
@@ -27,17 +31,20 @@ import (
 )
 
 type RestorePostgresqlBackupUsecase struct {
-	logger *slog.Logger
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
 }
 
 func (uc *RestorePostgresqlBackupUsecase) Execute(
-	database *databases.Database,
+	originalDB *databases.Database,
+	restoringToDB *databases.Database,
 	backupConfig *backups_config.BackupConfig,
 	restore models.Restore,
 	backup *backups.Backup,
 	storage *storages.Storage,
+	isExcludeExtensions bool,
 ) error {
-	if database.Type != databases.DatabaseTypePostgres {
+	if originalDB.Type != databases.DatabaseTypePostgres {
 		return errors.New("database type not supported")
 	}
 
@@ -49,7 +56,7 @@ func (uc *RestorePostgresqlBackupUsecase) Execute(
 		backup.ID,
 	)
 
-	pg := restore.Postgresql
+	pg := restoringToDB.Postgresql
 	if pg == nil {
 		return fmt.Errorf("postgresql configuration is required for restore")
 	}
@@ -73,11 +80,12 @@ func (uc *RestorePostgresqlBackupUsecase) Execute(
 		"--verbose",   // Add verbose output to help with debugging
 		"--clean",     // Clean (drop) database objects before recreating them
 		"--if-exists", // Use IF EXISTS when dropping objects
-		"--no-owner",
+		"--no-owner",  // Skip restoring ownership
+		"--no-acl",    // Skip restoring access privileges (GRANT/REVOKE commands)
 	}
 
 	return uc.restoreFromStorage(
-		database,
+		originalDB,
 		tools.GetPostgresqlExecutable(
 			pg.Version,
 			"pg_restore",
@@ -89,6 +97,7 @@ func (uc *RestorePostgresqlBackupUsecase) Execute(
 		backup,
 		storage,
 		pg,
+		isExcludeExtensions,
 	)
 }
 
@@ -101,6 +110,7 @@ func (uc *RestorePostgresqlBackupUsecase) restoreFromStorage(
 	backup *backups.Backup,
 	storage *storages.Storage,
 	pgConfig *pgtypes.PostgresqlDatabase,
+	isExcludeExtensions bool,
 ) error {
 	uc.logger.Info(
 		"Restoring PostgreSQL backup from storage via temporary file",
@@ -108,6 +118,8 @@ func (uc *RestorePostgresqlBackupUsecase) restoreFromStorage(
 		pgBin,
 		"args",
 		args,
+		"isExcludeExtensions",
+		isExcludeExtensions,
 	)
 
 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Minute)
@@ -164,6 +176,26 @@ func (uc *RestorePostgresqlBackupUsecase) restoreFromStorage(
 	}
 	defer cleanupFunc()
 
+	// If excluding extensions, generate filtered TOC list and use it
+	if isExcludeExtensions {
+		tocListFile, err := uc.generateFilteredTocList(
+			ctx,
+			pgBin,
+			tempBackupFile,
+			pgpassFile,
+			pgConfig,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to generate filtered TOC list: %w", err)
+		}
+		defer func() {
+			_ = os.Remove(tocListFile)
+		}()
+
+		// Add -L flag to use the filtered list
+		args = append(args, "-L", tocListFile)
+	}
+
 	// Add the temporary backup file as the last argument to pg_restore
 	args = append(args, tempBackupFile)
 
@@ -202,18 +234,67 @@ func (uc *RestorePostgresqlBackupUsecase) downloadBackupToTempFile(
 		backup.ID,
 		"tempFile",
 		tempBackupFile,
+		"encrypted",
+		backup.Encryption == backups_config.BackupEncryptionEncrypted,
 	)
-	backupReader, err := storage.GetFile(backup.ID)
+	fieldEncryptor := util_encryption.GetFieldEncryptor()
+	rawReader, err := storage.GetFile(fieldEncryptor, backup.ID)
 	if err != nil {
 		cleanupFunc()
 		return "", nil, fmt.Errorf("failed to get backup file from storage: %w", err)
 	}
 	defer func() {
-		if err := backupReader.Close(); err != nil {
+		if err := rawReader.Close(); err != nil {
 			uc.logger.Error("Failed to close backup reader", "error", err)
 		}
 	}()
 
+	// Create a reader that handles decryption if needed
+	var backupReader io.Reader = rawReader
+	if backup.Encryption == backups_config.BackupEncryptionEncrypted {
+		// Validate encryption metadata
+		if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("backup is encrypted but missing encryption metadata")
+		}
+
+		// Get master key
+		masterKey, err := uc.secretKeyService.GetSecretKey()
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to get master key for decryption: %w", err)
+		}
+
+		// Decode salt and IV from base64
+		salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to decode encryption salt: %w", err)
+		}
+
+		iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to decode encryption IV: %w", err)
+		}
+
+		// Create decryption reader
+		decryptReader, err := encryption.NewDecryptionReader(
+			rawReader,
+			masterKey,
+			backup.ID,
+			salt,
+			iv,
+		)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to create decryption reader: %w", err)
+		}
+
+		backupReader = decryptReader
+		uc.logger.Info("Using decryption for encrypted backup", "backupId", backup.ID)
+	}
+
 	// Create temporary backup file
 	tempFile, err := os.Create(tempBackupFile)
 	if err != nil {
@@ -322,7 +403,6 @@ func (uc *RestorePostgresqlBackupUsecase) setupPgRestoreEnvironment(
 	// Add encoding-related environment variables
 	cmd.Env = append(cmd.Env, "LC_ALL=C.UTF-8")
 	cmd.Env = append(cmd.Env, "LANG=C.UTF-8")
-	cmd.Env = append(cmd.Env, "PGOPTIONS=--client-encoding=UTF8")
 
 	shouldRequireSSL := pgConfig.IsHttps
 
@@ -447,7 +527,7 @@ func (uc *RestorePostgresqlBackupUsecase) copyWithShutdownCheck(
 	dst io.Writer,
 	src io.Reader,
 ) (int64, error) {
-	buf := make([]byte, 32*1024) // 32KB buffer
+	buf := make([]byte, 16*1024*1024) // 16MB buffer
 	var totalBytesWritten int64
 
 	for {
@@ -499,6 +579,75 @@ func containsIgnoreCase(str, substr string) bool {
 	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
 }
 
+// generateFilteredTocList generates a pg_restore TOC list file with extensions filtered out.
+// This is used when isExcludeExtensions is true to skip CREATE EXTENSION statements.
+func (uc *RestorePostgresqlBackupUsecase) generateFilteredTocList(
+	ctx context.Context,
+	pgBin string,
+	backupFile string,
+	pgpassFile string,
+	pgConfig *pgtypes.PostgresqlDatabase,
+) (string, error) {
+	uc.logger.Info("Generating filtered TOC list to exclude extensions", "backupFile", backupFile)
+
+	// Run pg_restore -l to get the TOC list
+	listCmd := exec.CommandContext(ctx, pgBin, "-l", backupFile)
+	uc.setupPgRestoreEnvironment(listCmd, pgpassFile, pgConfig)
+
+	tocOutput, err := listCmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to generate TOC list: %w", err)
+	}
+
+	// Filter out EXTENSION-related lines (both CREATE EXTENSION and COMMENT ON EXTENSION)
+	var filteredLines []string
+	for line := range strings.SplitSeq(string(tocOutput), "\n") {
+		trimmedLine := strings.TrimSpace(line)
+		if trimmedLine == "" {
+			continue
+		}
+
+		upperLine := strings.ToUpper(trimmedLine)
+
+		// Skip lines that contain " EXTENSION " - this catches both:
+		// - CREATE EXTENSION entries: "3420; 0 0 EXTENSION - uuid-ossp"
+		// - COMMENT ON EXTENSION entries: "3462; 0 0 COMMENT - EXTENSION "uuid-ossp""
+		if strings.Contains(upperLine, " EXTENSION ") {
+			uc.logger.Info("Excluding extension-related entry from restore", "tocLine", trimmedLine)
+			continue
+		}
+
+		filteredLines = append(filteredLines, line)
+	}
+
+	// Write filtered TOC to temporary file
+	tocFile, err := os.CreateTemp("", "pg_restore_toc_*.list")
+	if err != nil {
+		return "", fmt.Errorf("failed to create TOC list file: %w", err)
+	}
+	tocFilePath := tocFile.Name()
+
+	filteredContent := strings.Join(filteredLines, "\n")
+	if _, err := tocFile.WriteString(filteredContent); err != nil {
+		_ = tocFile.Close()
+		_ = os.Remove(tocFilePath)
+		return "", fmt.Errorf("failed to write TOC list file: %w", err)
+	}
+
+	if err := tocFile.Close(); err != nil {
+		_ = os.Remove(tocFilePath)
+		return "", fmt.Errorf("failed to close TOC list file: %w", err)
+	}
+
+	uc.logger.Info("Generated filtered TOC list file",
+		"tocFile", tocFilePath,
+		"originalLines", len(strings.Split(string(tocOutput), "\n")),
+		"filteredLines", len(filteredLines),
+	)
+
+	return tocFilePath, nil
+}
+
 // createTempPgpassFile creates a temporary .pgpass file with the given password
 func (uc *RestorePostgresqlBackupUsecase) createTempPgpassFile(
 	pgConfig *pgtypes.PostgresqlDatabase,
@@ -508,11 +657,15 @@ func (uc *RestorePostgresqlBackupUsecase) createTempPgpassFile(
 		return "", nil
 	}
 
+	escapedHost := tools.EscapePgpassField(pgConfig.Host)
+	escapedUsername := tools.EscapePgpassField(pgConfig.Username)
+	escapedPassword := tools.EscapePgpassField(password)
+
 	pgpassContent := fmt.Sprintf("%s:%d:*:%s:%s",
-		pgConfig.Host,
+		escapedHost,
 		pgConfig.Port,
-		pgConfig.Username,
-		password,
+		escapedUsername,
+		escapedPassword,
 	)
 
 	tempDir, err := os.MkdirTemp("", "pgpass")

backend/internal/features/restores/usecases/restore_backup_uc.go

@@ -2,34 +2,62 @@ package usecases
 
 import (
 	"errors"
+
 	"postgresus-backend/internal/features/backups/backups"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/restores/models"
+	usecases_mariadb "postgresus-backend/internal/features/restores/usecases/mariadb"
+	usecases_mysql "postgresus-backend/internal/features/restores/usecases/mysql"
 	usecases_postgresql "postgresus-backend/internal/features/restores/usecases/postgresql"
 	"postgresus-backend/internal/features/storages"
 )
 
 type RestoreBackupUsecase struct {
 	restorePostgresqlBackupUsecase *usecases_postgresql.RestorePostgresqlBackupUsecase
+	restoreMysqlBackupUsecase      *usecases_mysql.RestoreMysqlBackupUsecase
+	restoreMariadbBackupUsecase    *usecases_mariadb.RestoreMariadbBackupUsecase
 }
 
 func (uc *RestoreBackupUsecase) Execute(
 	backupConfig *backups_config.BackupConfig,
 	restore models.Restore,
-	database *databases.Database,
+	originalDB *databases.Database,
+	restoringToDB *databases.Database,
 	backup *backups.Backup,
 	storage *storages.Storage,
+	isExcludeExtensions bool,
 ) error {
-	if database.Type == databases.DatabaseTypePostgres {
+	switch originalDB.Type {
+	case databases.DatabaseTypePostgres:
 		return uc.restorePostgresqlBackupUsecase.Execute(
-			database,
+			originalDB,
+			restoringToDB,
+			backupConfig,
+			restore,
+			backup,
+			storage,
+			isExcludeExtensions,
+		)
+	case databases.DatabaseTypeMysql:
+		return uc.restoreMysqlBackupUsecase.Execute(
+			originalDB,
+			restoringToDB,
 			backupConfig,
 			restore,
 			backup,
 			storage,
 		)
+	case databases.DatabaseTypeMariadb:
+		return uc.restoreMariadbBackupUsecase.Execute(
+			originalDB,
+			restoringToDB,
+			backupConfig,
+			restore,
+			backup,
+			storage,
+		)
+	default:
+		return errors.New("database type not supported")
 	}
-
-	return errors.New("database type not supported")
 }

backend/internal/features/storages/controller_test.go

@@ -3,17 +3,25 @@ package storages
 import (
 	"fmt"
 	"net/http"
+	"strings"
 	"testing"
 
 	audit_logs "postgresus-backend/internal/features/audit_logs"
+	azure_blob_storage "postgresus-backend/internal/features/storages/models/azure_blob"
+	ftp_storage "postgresus-backend/internal/features/storages/models/ftp"
+	google_drive_storage "postgresus-backend/internal/features/storages/models/google_drive"
 	local_storage "postgresus-backend/internal/features/storages/models/local"
+	nas_storage "postgresus-backend/internal/features/storages/models/nas"
+	rclone_storage "postgresus-backend/internal/features/storages/models/rclone"
 	s3_storage "postgresus-backend/internal/features/storages/models/s3"
+	sftp_storage "postgresus-backend/internal/features/storages/models/sftp"
 	users_enums "postgresus-backend/internal/features/users/enums"
 	users_middleware "postgresus-backend/internal/features/users/middleware"
 	users_services "postgresus-backend/internal/features/users/services"
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 
 	"github.com/gin-gonic/gin"
@@ -438,6 +446,535 @@ func Test_CrossWorkspaceSecurity_CannotAccessStorageFromAnotherWorkspace(t *test
 	workspaces_testing.RemoveTestWorkspace(workspace2, router)
 }
 
+func Test_StorageSensitiveDataLifecycle_AllTypes(t *testing.T) {
+	testCases := []struct {
+		name                string
+		storageType         StorageType
+		createStorage       func(workspaceID uuid.UUID) *Storage
+		updateStorage       func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage
+		verifySensitiveData func(t *testing.T, storage *Storage)
+		verifyHiddenData    func(t *testing.T, storage *Storage)
+	}{
+		{
+			name:        "S3 Storage",
+			storageType: StorageTypeS3,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeS3,
+					Name:        "Test S3 Storage",
+					S3Storage: &s3_storage.S3Storage{
+						S3Bucket:    "test-bucket",
+						S3Region:    "us-east-1",
+						S3AccessKey: "original-access-key",
+						S3SecretKey: "original-secret-key",
+						S3Endpoint:  "https://s3.amazonaws.com",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeS3,
+					Name:        "Updated S3 Storage",
+					S3Storage: &s3_storage.S3Storage{
+						S3Bucket:    "updated-bucket",
+						S3Region:    "us-west-2",
+						S3AccessKey: "",
+						S3SecretKey: "",
+						S3Endpoint:  "https://s3.us-west-2.amazonaws.com",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.S3Storage.S3AccessKey, "enc:"),
+					"S3AccessKey should be encrypted with 'enc:' prefix")
+				assert.True(t, strings.HasPrefix(storage.S3Storage.S3SecretKey, "enc:"),
+					"S3SecretKey should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				accessKey, err := encryptor.Decrypt(storage.ID, storage.S3Storage.S3AccessKey)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-access-key", accessKey)
+
+				secretKey, err := encryptor.Decrypt(storage.ID, storage.S3Storage.S3SecretKey)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-secret-key", secretKey)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.S3Storage.S3AccessKey)
+				assert.Equal(t, "", storage.S3Storage.S3SecretKey)
+			},
+		},
+		{
+			name:        "Local Storage",
+			storageType: StorageTypeLocal,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID:  workspaceID,
+					Type:         StorageTypeLocal,
+					Name:         "Test Local Storage",
+					LocalStorage: &local_storage.LocalStorage{},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:           storageID,
+					WorkspaceID:  workspaceID,
+					Type:         StorageTypeLocal,
+					Name:         "Updated Local Storage",
+					LocalStorage: &local_storage.LocalStorage{},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+			},
+		},
+		{
+			name:        "NAS Storage",
+			storageType: StorageTypeNAS,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeNAS,
+					Name:        "Test NAS Storage",
+					NASStorage: &nas_storage.NASStorage{
+						Host:     "nas.example.com",
+						Port:     445,
+						Share:    "backups",
+						Username: "testuser",
+						Password: "original-password",
+						UseSSL:   false,
+						Domain:   "WORKGROUP",
+						Path:     "/test",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeNAS,
+					Name:        "Updated NAS Storage",
+					NASStorage: &nas_storage.NASStorage{
+						Host:     "nas2.example.com",
+						Port:     445,
+						Share:    "backups2",
+						Username: "testuser2",
+						Password: "",
+						UseSSL:   true,
+						Domain:   "WORKGROUP2",
+						Path:     "/test2",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.NASStorage.Password, "enc:"),
+					"Password should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				password, err := encryptor.Decrypt(storage.ID, storage.NASStorage.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password", password)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.NASStorage.Password)
+			},
+		},
+		{
+			name:        "Azure Blob Storage (Connection String)",
+			storageType: StorageTypeAzureBlob,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeAzureBlob,
+					Name:        "Test Azure Blob Storage",
+					AzureBlobStorage: &azure_blob_storage.AzureBlobStorage{
+						AuthMethod:       azure_blob_storage.AuthMethodConnectionString,
+						ConnectionString: "original-connection-string",
+						ContainerName:    "test-container",
+						Endpoint:         "",
+						Prefix:           "backups/",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeAzureBlob,
+					Name:        "Updated Azure Blob Storage",
+					AzureBlobStorage: &azure_blob_storage.AzureBlobStorage{
+						AuthMethod:       azure_blob_storage.AuthMethodConnectionString,
+						ConnectionString: "",
+						ContainerName:    "updated-container",
+						Endpoint:         "https://custom.blob.core.windows.net",
+						Prefix:           "backups2/",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.AzureBlobStorage.ConnectionString, "enc:"),
+					"ConnectionString should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				connectionString, err := encryptor.Decrypt(
+					storage.ID,
+					storage.AzureBlobStorage.ConnectionString,
+				)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-connection-string", connectionString)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.AzureBlobStorage.ConnectionString)
+				assert.Equal(t, "", storage.AzureBlobStorage.AccountKey)
+			},
+		},
+		{
+			name:        "Azure Blob Storage (Account Key)",
+			storageType: StorageTypeAzureBlob,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeAzureBlob,
+					Name:        "Test Azure Blob with Account Key",
+					AzureBlobStorage: &azure_blob_storage.AzureBlobStorage{
+						AuthMethod:    azure_blob_storage.AuthMethodAccountKey,
+						AccountName:   "testaccount",
+						AccountKey:    "original-account-key",
+						ContainerName: "test-container",
+						Endpoint:      "",
+						Prefix:        "backups/",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeAzureBlob,
+					Name:        "Updated Azure Blob with Account Key",
+					AzureBlobStorage: &azure_blob_storage.AzureBlobStorage{
+						AuthMethod:    azure_blob_storage.AuthMethodAccountKey,
+						AccountName:   "updatedaccount",
+						AccountKey:    "",
+						ContainerName: "updated-container",
+						Endpoint:      "https://custom.blob.core.windows.net",
+						Prefix:        "backups2/",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.AzureBlobStorage.AccountKey, "enc:"),
+					"AccountKey should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				accountKey, err := encryptor.Decrypt(
+					storage.ID,
+					storage.AzureBlobStorage.AccountKey,
+				)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-account-key", accountKey)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.AzureBlobStorage.ConnectionString)
+				assert.Equal(t, "", storage.AzureBlobStorage.AccountKey)
+			},
+		},
+		{
+			name:        "Google Drive Storage",
+			storageType: StorageTypeGoogleDrive,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeGoogleDrive,
+					Name:        "Test Google Drive Storage",
+					GoogleDriveStorage: &google_drive_storage.GoogleDriveStorage{
+						ClientID:     "original-client-id",
+						ClientSecret: "original-client-secret",
+						TokenJSON:    `{"access_token":"ya29.test-access-token","token_type":"Bearer","expiry":"2030-12-31T23:59:59Z","refresh_token":"1//test-refresh-token"}`,
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeGoogleDrive,
+					Name:        "Updated Google Drive Storage",
+					GoogleDriveStorage: &google_drive_storage.GoogleDriveStorage{
+						ClientID:     "updated-client-id",
+						ClientSecret: "",
+						TokenJSON:    "",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.GoogleDriveStorage.ClientSecret, "enc:"),
+					"ClientSecret should be encrypted with 'enc:' prefix")
+				assert.True(t, strings.HasPrefix(storage.GoogleDriveStorage.TokenJSON, "enc:"),
+					"TokenJSON should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				clientSecret, err := encryptor.Decrypt(
+					storage.ID,
+					storage.GoogleDriveStorage.ClientSecret,
+				)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-client-secret", clientSecret)
+
+				tokenJSON, err := encryptor.Decrypt(
+					storage.ID,
+					storage.GoogleDriveStorage.TokenJSON,
+				)
+				assert.NoError(t, err)
+				assert.Equal(
+					t,
+					`{"access_token":"ya29.test-access-token","token_type":"Bearer","expiry":"2030-12-31T23:59:59Z","refresh_token":"1//test-refresh-token"}`,
+					tokenJSON,
+				)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.GoogleDriveStorage.ClientSecret)
+				assert.Equal(t, "", storage.GoogleDriveStorage.TokenJSON)
+			},
+		},
+		{
+			name:        "FTP Storage",
+			storageType: StorageTypeFTP,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeFTP,
+					Name:        "Test FTP Storage",
+					FTPStorage: &ftp_storage.FTPStorage{
+						Host:     "ftp.example.com",
+						Port:     21,
+						Username: "testuser",
+						Password: "original-password",
+						UseSSL:   false,
+						Path:     "/backups",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeFTP,
+					Name:        "Updated FTP Storage",
+					FTPStorage: &ftp_storage.FTPStorage{
+						Host:     "ftp2.example.com",
+						Port:     2121,
+						Username: "testuser2",
+						Password: "",
+						UseSSL:   true,
+						Path:     "/backups2",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.FTPStorage.Password, "enc:"),
+					"Password should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				password, err := encryptor.Decrypt(storage.ID, storage.FTPStorage.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password", password)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.FTPStorage.Password)
+			},
+		},
+		{
+			name:        "SFTP Storage",
+			storageType: StorageTypeSFTP,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeSFTP,
+					Name:        "Test SFTP Storage",
+					SFTPStorage: &sftp_storage.SFTPStorage{
+						Host:              "sftp.example.com",
+						Port:              22,
+						Username:          "testuser",
+						Password:          "original-password",
+						PrivateKey:        "original-private-key",
+						SkipHostKeyVerify: false,
+						Path:              "/backups",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeSFTP,
+					Name:        "Updated SFTP Storage",
+					SFTPStorage: &sftp_storage.SFTPStorage{
+						Host:              "sftp2.example.com",
+						Port:              2222,
+						Username:          "testuser2",
+						Password:          "",
+						PrivateKey:        "",
+						SkipHostKeyVerify: true,
+						Path:              "/backups2",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.SFTPStorage.Password, "enc:"),
+					"Password should be encrypted with 'enc:' prefix")
+				assert.True(t, strings.HasPrefix(storage.SFTPStorage.PrivateKey, "enc:"),
+					"PrivateKey should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				password, err := encryptor.Decrypt(storage.ID, storage.SFTPStorage.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password", password)
+
+				privateKey, err := encryptor.Decrypt(storage.ID, storage.SFTPStorage.PrivateKey)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-private-key", privateKey)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.SFTPStorage.Password)
+				assert.Equal(t, "", storage.SFTPStorage.PrivateKey)
+			},
+		},
+		{
+			name:        "Rclone Storage",
+			storageType: StorageTypeRclone,
+			createStorage: func(workspaceID uuid.UUID) *Storage {
+				return &Storage{
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeRclone,
+					Name:        "Test Rclone Storage",
+					RcloneStorage: &rclone_storage.RcloneStorage{
+						ConfigContent: "[myremote]\ntype = s3\nprovider = AWS\naccess_key_id = test\nsecret_access_key = secret\n",
+						RemotePath:    "/backups",
+					},
+				}
+			},
+			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
+				return &Storage{
+					ID:          storageID,
+					WorkspaceID: workspaceID,
+					Type:        StorageTypeRclone,
+					Name:        "Updated Rclone Storage",
+					RcloneStorage: &rclone_storage.RcloneStorage{
+						ConfigContent: "",
+						RemotePath:    "/backups2",
+					},
+				}
+			},
+			verifySensitiveData: func(t *testing.T, storage *Storage) {
+				assert.True(t, strings.HasPrefix(storage.RcloneStorage.ConfigContent, "enc:"),
+					"ConfigContent should be encrypted with 'enc:' prefix")
+
+				encryptor := encryption.GetFieldEncryptor()
+				configContent, err := encryptor.Decrypt(
+					storage.ID,
+					storage.RcloneStorage.ConfigContent,
+				)
+				assert.NoError(t, err)
+				assert.Equal(
+					t,
+					"[myremote]\ntype = s3\nprovider = AWS\naccess_key_id = test\nsecret_access_key = secret\n",
+					configContent,
+				)
+			},
+			verifyHiddenData: func(t *testing.T, storage *Storage) {
+				assert.Equal(t, "", storage.RcloneStorage.ConfigContent)
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			router := createRouter()
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+			// Phase 1: Create storage with sensitive data
+			initialStorage := tc.createStorage(workspace.ID)
+			var createdStorage Storage
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/storages",
+				"Bearer "+owner.Token,
+				*initialStorage,
+				http.StatusOK,
+				&createdStorage,
+			)
+
+			assert.NotEmpty(t, createdStorage.ID)
+			assert.Equal(t, initialStorage.Name, createdStorage.Name)
+
+			// Phase 2: Verify sensitive data is encrypted in repository after creation
+			repository := &StorageRepository{}
+			storageFromDBAfterCreate, err := repository.FindByID(createdStorage.ID)
+			assert.NoError(t, err)
+			tc.verifySensitiveData(t, storageFromDBAfterCreate)
+
+			// Phase 3: Read via service - sensitive data should be hidden
+			var retrievedStorage Storage
+			test_utils.MakeGetRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/storages/%s", createdStorage.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusOK,
+				&retrievedStorage,
+			)
+
+			tc.verifyHiddenData(t, &retrievedStorage)
+			assert.Equal(t, initialStorage.Name, retrievedStorage.Name)
+
+			// Phase 4: Update with non-sensitive changes only (sensitive fields empty)
+			updatedStorage := tc.updateStorage(workspace.ID, createdStorage.ID)
+			var updateResponse Storage
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/storages",
+				"Bearer "+owner.Token,
+				*updatedStorage,
+				http.StatusOK,
+				&updateResponse,
+			)
+
+			// Verify non-sensitive fields were updated
+			assert.Equal(t, updatedStorage.Name, updateResponse.Name)
+
+			// Phase 5: Retrieve directly from repository to verify sensitive data preservation
+			storageFromDB, err := repository.FindByID(createdStorage.ID)
+			assert.NoError(t, err)
+
+			// Verify original sensitive data is still present in DB
+			tc.verifySensitiveData(t, storageFromDB)
+
+			// Verify non-sensitive fields were updated in DB
+			assert.Equal(t, updatedStorage.Name, storageFromDB.Name)
+
+			// Additional verification: Check via GET that data is still hidden
+			var finalRetrieved Storage
+			test_utils.MakeGetRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/storages/%s", createdStorage.ID.String()),
+				"Bearer "+owner.Token,
+				http.StatusOK,
+				&finalRetrieved,
+			)
+			tc.verifyHiddenData(t, &finalRetrieved)
+		})
+	}
+}
+
 func createRouter() *gin.Engine {
 	gin.SetMode(gin.TestMode)
 	router := gin.New()
@@ -485,158 +1022,3 @@ func deleteStorage(
 		http.StatusOK,
 	)
 }
-
-func Test_StorageSensitiveDataLifecycle_AllTypes(t *testing.T) {
-	testCases := []struct {
-		name                string
-		storageType         StorageType
-		createStorage       func(workspaceID uuid.UUID) *Storage
-		updateStorage       func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage
-		verifySensitiveData func(t *testing.T, storage *Storage)
-		verifyHiddenData    func(t *testing.T, storage *Storage)
-	}{
-		{
-			name:        "S3 Storage",
-			storageType: StorageTypeS3,
-			createStorage: func(workspaceID uuid.UUID) *Storage {
-				return &Storage{
-					WorkspaceID: workspaceID,
-					Type:        StorageTypeS3,
-					Name:        "Test S3 Storage",
-					S3Storage: &s3_storage.S3Storage{
-						S3Bucket:    "test-bucket",
-						S3Region:    "us-east-1",
-						S3AccessKey: "original-access-key",
-						S3SecretKey: "original-secret-key",
-						S3Endpoint:  "https://s3.amazonaws.com",
-					},
-				}
-			},
-			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
-				return &Storage{
-					ID:          storageID,
-					WorkspaceID: workspaceID,
-					Type:        StorageTypeS3,
-					Name:        "Updated S3 Storage",
-					S3Storage: &s3_storage.S3Storage{
-						S3Bucket:    "updated-bucket",
-						S3Region:    "us-west-2",
-						S3AccessKey: "",
-						S3SecretKey: "",
-						S3Endpoint:  "https://s3.us-west-2.amazonaws.com",
-					},
-				}
-			},
-			verifySensitiveData: func(t *testing.T, storage *Storage) {
-				assert.Equal(t, "original-access-key", storage.S3Storage.S3AccessKey)
-				assert.Equal(t, "original-secret-key", storage.S3Storage.S3SecretKey)
-			},
-			verifyHiddenData: func(t *testing.T, storage *Storage) {
-				assert.Equal(t, "", storage.S3Storage.S3AccessKey)
-				assert.Equal(t, "", storage.S3Storage.S3SecretKey)
-			},
-		},
-		{
-			name:        "Local Storage",
-			storageType: StorageTypeLocal,
-			createStorage: func(workspaceID uuid.UUID) *Storage {
-				return &Storage{
-					WorkspaceID:  workspaceID,
-					Type:         StorageTypeLocal,
-					Name:         "Test Local Storage",
-					LocalStorage: &local_storage.LocalStorage{},
-				}
-			},
-			updateStorage: func(workspaceID uuid.UUID, storageID uuid.UUID) *Storage {
-				return &Storage{
-					ID:           storageID,
-					WorkspaceID:  workspaceID,
-					Type:         StorageTypeLocal,
-					Name:         "Updated Local Storage",
-					LocalStorage: &local_storage.LocalStorage{},
-				}
-			},
-			verifySensitiveData: func(t *testing.T, storage *Storage) {
-			},
-			verifyHiddenData: func(t *testing.T, storage *Storage) {
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-			router := createRouter()
-			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-
-			// Phase 1: Create storage with sensitive data
-			initialStorage := tc.createStorage(workspace.ID)
-			var createdStorage Storage
-			test_utils.MakePostRequestAndUnmarshal(
-				t,
-				router,
-				"/api/v1/storages",
-				"Bearer "+owner.Token,
-				*initialStorage,
-				http.StatusOK,
-				&createdStorage,
-			)
-
-			assert.NotEmpty(t, createdStorage.ID)
-			assert.Equal(t, initialStorage.Name, createdStorage.Name)
-
-			// Phase 2: Read via service - sensitive data should be hidden
-			var retrievedStorage Storage
-			test_utils.MakeGetRequestAndUnmarshal(
-				t,
-				router,
-				fmt.Sprintf("/api/v1/storages/%s", createdStorage.ID.String()),
-				"Bearer "+owner.Token,
-				http.StatusOK,
-				&retrievedStorage,
-			)
-
-			tc.verifyHiddenData(t, &retrievedStorage)
-			assert.Equal(t, initialStorage.Name, retrievedStorage.Name)
-
-			// Phase 3: Update with non-sensitive changes only (sensitive fields empty)
-			updatedStorage := tc.updateStorage(workspace.ID, createdStorage.ID)
-			var updateResponse Storage
-			test_utils.MakePostRequestAndUnmarshal(
-				t,
-				router,
-				"/api/v1/storages",
-				"Bearer "+owner.Token,
-				*updatedStorage,
-				http.StatusOK,
-				&updateResponse,
-			)
-
-			// Verify non-sensitive fields were updated
-			assert.Equal(t, updatedStorage.Name, updateResponse.Name)
-
-			// Phase 4: Retrieve directly from repository to verify sensitive data preservation
-			repository := &StorageRepository{}
-			storageFromDB, err := repository.FindByID(createdStorage.ID)
-			assert.NoError(t, err)
-
-			// Verify original sensitive data is still present in DB
-			tc.verifySensitiveData(t, storageFromDB)
-
-			// Verify non-sensitive fields were updated in DB
-			assert.Equal(t, updatedStorage.Name, storageFromDB.Name)
-
-			// Additional verification: Check via GET that data is still hidden
-			var finalRetrieved Storage
-			test_utils.MakeGetRequestAndUnmarshal(
-				t,
-				router,
-				fmt.Sprintf("/api/v1/storages/%s", createdStorage.ID.String()),
-				"Bearer "+owner.Token,
-				http.StatusOK,
-				&finalRetrieved,
-			)
-			tc.verifyHiddenData(t, &finalRetrieved)
-		})
-	}
-}

backend/internal/features/storages/di.go

@@ -3,6 +3,7 @@ package storages
 import (
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 )
 
 var storageRepository = &StorageRepository{}
@@ -10,6 +11,7 @@ var storageService = &StorageService{
 	storageRepository,
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
+	encryption.GetFieldEncryptor(),
 }
 var storageController = &StorageController{
 	storageService,

backend/internal/features/storages/enums.go

@@ -8,4 +8,7 @@ const (
 	StorageTypeGoogleDrive StorageType = "GOOGLE_DRIVE"
 	StorageTypeNAS         StorageType = "NAS"
 	StorageTypeAzureBlob   StorageType = "AZURE_BLOB"
+	StorageTypeFTP         StorageType = "FTP"
+	StorageTypeSFTP        StorageType = "SFTP"
+	StorageTypeRclone      StorageType = "RCLONE"
 )