GPG is known to have usability issues and is generally cumbersome to use. age [0] is a modern alternative to GPG that is designed by a cryptographer that has worked and continues to work on Golang's crypto packages for years. Allowing age to be used to encrypt backups dramatically simplifies the backup process. [0]: https://age-encryption.org/
| title | layout | parent | nav_order |
|---|---|---|---|
| Encrypting backups | default | How Tos | 7 |
Encrypting backups
The image supports encrypting backups using one of two available methods: GPG or age.
Using GPG encryption
If a GPG_PASSPHRASE or GPG_PUBLIC_KEY_RING environment variable is set, the backup archive will be encrypted using the given key and saved as a .gpg file instead.
Assuming you have gpg installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
gpg -o backup.tar.gz -d backup.tar.gz.gpg
Using age encryption
age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options can be used.
If AGE_PASSPHRASE is provided, the backup archive will be encrypted with the passphrase and saved as a .age file instead. Refer to the age documentation for how to properly decrypt.
If AGE_PUBLIC_KEYS is provided (multiple public keys are allowed, separated by ,), the backup archive will be encrypted with the provided public keys. The archive will also be saved as a .age file.
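The restore side for both methods, as an added example that is not part of the project's own code: a shell helper that picks the decryption command from the archive's extension. The function name decrypt_backup and the variables AGE_IDENTITY_FILE and DRY_RUN are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the image: choose the decryption tool for a
# backup archive based on its extension (.gpg or .age).
#
# Assumed (hypothetical) variables:
#   AGE_IDENTITY_FILE  age identity (private key) file matching one of the
#                      recipients in AGE_PUBLIC_KEYS, e.g. created with
#                      `age-keygen -o key.txt`. Leave unset for archives
#                      encrypted with AGE_PASSPHRASE; age then prompts for
#                      the passphrase on the terminal.
#   DRY_RUN=1          print the command instead of running it.

decrypt_backup() {
  src=$1
  case "$src" in
    *.gpg)
      # GPG-encrypted archive: gpg (or its agent) prompts for the passphrase.
      set -- gpg -o "${src%.gpg}" -d "$src"
      ;;
    *.age)
      if [ -n "${AGE_IDENTITY_FILE:-}" ]; then
        # Public-key mode: decrypt with the matching identity file.
        set -- age -d -i "$AGE_IDENTITY_FILE" -o "${src%.age}" "$src"
      else
        # Passphrase mode: age detects it and asks for the passphrase.
        set -- age -d -o "${src%.age}" "$src"
      fi
      ;;
    *)
      echo "unsupported backup file: $src" >&2
      return 1
      ;;
  esac

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usage: decrypt_backup backup.tar.gz.age
```

Running `tar -tzf backup.tar.gz` on the result is a quick check that decryption produced a readable archive.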