Encrypting backups
The image supports encrypting backups using one of two available methods: GPG or age
Using GPG encryption
In case a GPG_PASSPHRASE
or GPG_PUBLIC_KEY_RING
environment variable is set, the backup archive will be encrypted using the given key and saved as a .gpg
file instead.
Assuming you have gpg
installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
gpg -o backup.tar.gz -d backup.tar.gz.gpg
Using age encryption
age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.
Given AGE_PASSPHRASE
being provided, the backup archive will be encrypted with the passphrase and saved as a .age
file instead. Refer to age documentation for how to properly decrypt.
Given AGE_PUBLIC_KEYS
being provided (allowing multiple by separating each public key with ,
), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a .age
file.