---
title: Encrypt backups using GPG
layout: default
parent: How Tos
nav_order: 8
---
# Encrypt backup
The image supports encrypting backups with GPG out of the box, using one of two available methods: GPG with a passphrase or GPG with a public key.

If a `GPG_PASSPHRASE` or `GPG_PUBLIC_KEY` environment variable is set, the backup archive is encrypted using the given key and saved as a `sql.gpg` or `sql.gz.gpg` file instead.

If you used a GPG public key during the backup process, you need to decrypt your backup before restoration, because decryption using a `GPG private` key is not fully supported.

{: .warning }
To restore an encrypted backup, you need to provide the same GPG passphrase used during the backup process.

- GPG home directory: `/config/gnupg`
- Cipher algorithm: `aes256`

{: .note }
A backup encrypted using the `GPG passphrase` method can be restored automatically; there is no need to decrypt it before restoration.

To decrypt manually, you need to install `gnupg`.

```shell
gpg --batch --passphrase "my-passphrase" \
    --output database_20240730_044201.sql.gz \
    --decrypt database_20240730_044201.sql.gz.gpg
```

Using your private key:

```shell
gpg --output database_20240730_044201.sql.gz --decrypt database_20240730_044201.sql.gz.gpg
```
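
To tell which of the two methods produced a given file, and so whether it can be restored automatically or must be decrypted first, you can read the first OpenPGP packet header. The script below is an added example, not part of pg-bkup: the function names are hypothetical, it assumes binary (non-armored) GPG output, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of pg-bkup. Function names are hypothetical.
# Assumes binary (non-armored) GPG output; armored files report "unknown".

# classify_backup FILE -> passphrase | public-key | plaintext | unknown
classify_backup() {
    case "$1" in
        *.sql|*.sql.gz) echo plaintext; return ;;   # no .gpg suffix
    esac
    # First octet of the file as an unsigned decimal number.
    b=$(od -An -tu1 -N1 "$1" | tr -dc '0-9')
    # Every OpenPGP packet header has bit 7 set.
    if [ -z "$b" ] || [ "$b" -lt 128 ]; then echo unknown; return; fi
    if [ "$b" -ge 192 ]; then
        tag=$(( b & 63 ))           # new format: tag in bits 5-0
    else
        tag=$(( (b & 60) >> 2 ))    # old format: tag in bits 5-2
    fi
    case "$tag" in
        1) echo public-key ;;       # public-key encrypted session key
        3) echo passphrase ;;       # symmetric-key encrypted session key
        *) echo unknown ;;
    esac
}

# audit_backups DIR -> prints "kind<TAB>file"; returns 1 if any file is
# plaintext or is not recognisable as an encrypted OpenPGP message.
audit_backups() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(classify_backup "$f")
        printf '%s\t%s\n' "$kind" "$f"
        case "$kind" in plaintext|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample files (only the leading bytes matter here).
make_samples() {
    printf '\214\015\004' > "$1/a.sql.gz.gpg"   # 0x8C: old-format tag 3
    printf '\205\001\014' > "$1/b.sql.gz.gpg"   # 0x85: old-format tag 1
    printf '\303\015\004' > "$1/c.sql.gpg"      # 0xC3: new-format tag 3
    printf '\037\213\010' > "$1/d.sql.gz"       # gzip magic, unencrypted
    printf 'not pgp'      > "$1/e.sql.gpg"      # .gpg name, wrong content
}

if [ "$#" -gt 0 ]; then audit_backups "$1"; fi
```

Run it with the backup directory as its argument; a non-zero exit status means at least one file is unencrypted or is not an OpenPGP message.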
## Using GPG passphrase
```yml
services:
  pg-bkup:
    # In production, it is advised to lock your image tag to a proper
    # release version instead of using `latest`.
    # Check https://github.com/jkaninda/pg-bkup/releases
    # for a list of available releases.
    image: jkaninda/pg-bkup
    container_name: pg-bkup
    command: backup -d database
    volumes:
      - ./backup:/backup
    environment:
      - DB_PORT=5432
      - DB_HOST=postgres
      - DB_NAME=database
      - DB_USERNAME=username
      - DB_PASSWORD=password
      ## Required to encrypt backup
      - GPG_PASSPHRASE=my-secure-passphrase
    # pg-bkup container must be connected to the same network with your database
    networks:
      - web
networks:
  web:
```
## Using GPG Public Key
```yml
services:
  pg-bkup:
    # In production, it is advised to lock your image tag to a proper
    # release version instead of using `latest`.
    # Check https://github.com/jkaninda/pg-bkup/releases
    # for a list of available releases.
    image: jkaninda/pg-bkup
    container_name: pg-bkup
    command: backup -d database
    volumes:
      - ./backup:/backup
    environment:
      - DB_PORT=5432
      - DB_HOST=postgres
      - DB_NAME=database
      - DB_USERNAME=username
      - DB_PASSWORD=password
      ## Required to encrypt backup
      - GPG_PUBLIC_KEY=/config/public_key.asc
    # pg-bkup container must be connected to the same network with your database
    networks:
      - web
networks:
  web:
```