docker-volume-backup/docs/how-tos/encrypt-backups.md
nick comer 44ad3bbda2
feat: allow backups to be encrypted with age (#432)
GPG is known to have usability issues and is generally cumbersome to
use. age [0] is a modern alternative to GPG that is designed by a
cryptographer that has worked and continues to work on Golang's crypto
packages for years.

Allowing age to be used to encrypt backups dramatically simplifies the
backup process.

[0]: https://age-encryption.org/
2024-08-19 22:49:49 +02:00

title: Encrypting backups
layout: default
parent: How Tos
nav_order: 7

Encrypting backups

The image supports encrypting backups using one of two available methods: GPG or age.

Using GPG encryption

If a GPG_PASSPHRASE or GPG_PUBLIC_KEY_RING environment variable is set, the backup archive will be encrypted using the given key and saved as a .gpg file instead.

Assuming you have gpg installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):

gpg -o backup.tar.gz -d backup.tar.gz.gpg

Using age encryption

age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options is available for use.

If AGE_PASSPHRASE is provided, the backup archive will be encrypted with the passphrase and saved as a .age file instead. Refer to the age documentation for how to properly decrypt it.

If AGE_PUBLIC_KEYS is provided (multiple public keys can be given by separating them with ,), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a .age file.
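
As an added example (not part of the project's documentation or code): a pre-deploy check for a comma-separated AGE_PUBLIC_KEYS value and a restore drill using the age CLI. The function names, the identity file argument and the sample payload are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the docker-volume-backup project.

# Check a comma-separated AGE_PUBLIC_KEYS value before deploying it.
# Returns 0 if every entry looks like a native age recipient ("age1..."),
# 2 if a private identity ("AGE-SECRET-KEY-1...") was pasted by mistake,
# 1 for an empty value, empty entry or unrecognised entry.
# Assumption: only native age recipients are recognised by this check.
check_age_public_keys() {
  local rest="$1," entry rc=0
  [ -n "$1" ] || { echo "AGE_PUBLIC_KEYS is empty" >&2; return 1; }
  while [ -n "$rest" ]; do
    entry=${rest%%,*}; rest=${rest#*,}
    case "$entry" in
      # Never echo the entry itself here: it is secret material.
      AGE-SECRET-KEY-1*) echo "private key found in AGE_PUBLIC_KEYS" >&2; return 2 ;;
      age1*) ;;
      *) echo "not an age1 recipient: '$entry'" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Restore drill (needs the age CLI): encrypt a constructed sample to every
# recipient, then prove that one identity file can decrypt it again.
# $1 = AGE_PUBLIC_KEYS value, $2 = identity file kept off the backup host.
restore_drill() {
  local rest="$1," identity="$2" entry tmp rc
  tmp=$(mktemp -d) || return 1
  printf 'constructed sample payload\n' > "$tmp/sample"
  set --                       # build one "-r <key>" pair per recipient
  while [ -n "$rest" ]; do
    entry=${rest%%,*}; rest=${rest#*,}
    set -- "$@" -r "$entry"
  done
  age "$@" -o "$tmp/sample.age" "$tmp/sample" &&
    age -d -i "$identity" -o "$tmp/out" "$tmp/sample.age" &&
    cmp -s "$tmp/sample" "$tmp/out"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

A real archive is decrypted the same way, for example `age -d -i key.txt -o backup.tar.gz backup.tar.gz.age` (both file names are assumed here). For an archive encrypted with AGE_PASSPHRASE, leave out `-i` and age prompts for the passphrase.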