docker-volume-backup/docs/how-tos/encrypt-backups.md

---
title: Encrypting backups
layout: default
parent: How Tos
nav_order: 7
---

# Encrypting backups

The image supports encrypting backups using one of two available methods: **GPG** or **[age](https://age-encryption.org/)**

## Using GPG encryption

In case a `GPG_PASSPHRASE` or `GPG_PUBLIC_KEY_RING` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.

Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):

```console
gpg -o backup.tar.gz -d backup.tar.gz.gpg
```

## Using age encryption

{: .note }
Even though the `age` CLI tools supports encryption using SSH keys, this is not supported by this tool.
`AGE_PUBLIC_KEYS` currently expects `age` keys to be given.

age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.

Given `AGE_PASSPHRASE` being provided, the backup archive will be encrypted with the passphrase and saved as a `.age` file instead. Refer to age documentation for how to properly decrypt.

Given `AGE_PUBLIC_KEYS` being provided (allowing multiple by separating each public key with `,`), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a `.age` file.
feat: allow backups to be encrypted with age (#432) GPG is known to have usability issues and is generally cumbersome to use. age [0] is a modern alternative to GPG that is designed by a cryptographer that has worked and continues to work on Golang's crypto packages for years. Allowing age to be used to encrypt backups dramatically simplifies the backup process. [0]: https://age-encryption.org/ 2024-08-19 22:49:49 +02:00			`---`
			`title: Encrypting backups`
			`layout: default`
			`parent: How Tos`
			`nav_order: 7`
			`---`

			`# Encrypting backups`

			`The image supports encrypting backups using one of two available methods: GPG or [age](https://age-encryption.org/)`

			`## Using GPG encryption`

			In case a `GPG_PASSPHRASE` or `GPG_PUBLIC_KEY_RING` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.

			Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):

			```console
			`gpg -o backup.tar.gz -d backup.tar.gz.gpg`
			```

			`## Using age encryption`

Configuration reference on age encryption is lacking 2025-02-04 16:34:10 +01:00			`{: .note }`
			Even though the `age` CLI tools supports encryption using SSH keys, this is not supported by this tool.
			`AGE_PUBLIC_KEYS` currently expects `age` keys to be given.

feat: allow backups to be encrypted with age (#432) GPG is known to have usability issues and is generally cumbersome to use. age [0] is a modern alternative to GPG that is designed by a cryptographer that has worked and continues to work on Golang's crypto packages for years. Allowing age to be used to encrypt backups dramatically simplifies the backup process. [0]: https://age-encryption.org/ 2024-08-19 22:49:49 +02:00			`age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.`

			Given `AGE_PASSPHRASE` being provided, the backup archive will be encrypted with the passphrase and saved as a `.age` file instead. Refer to age documentation for how to properly decrypt.

			Given `AGE_PUBLIC_KEYS` being provided (allowing multiple by separating each public key with `,`), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a `.age` file.