Secryn provides encrypted backups to ensure full recoverability of your self-hosted environment. Backups capture the complete system state and are available only to administrators.

What Gets Backed Up

Each backup includes projects, vaults (restricted and standard), secrets with full history, keys, certificates, access keys, permissions, users, roles, RBAC configuration, system settings, and all log types (audit, request, user, MCP). Snapshots are atomic and consistent.

Encryption by Default

For every backup:

• Secryn generates a unique encryption key
• the key is shown once and never stored
• losing the key makes the backup unrecoverable

Manual Backups

Admins can create backups on demand. Each backup is immutable, timestamped, and validated with integrity checks. Multiple backups can coexist for point-in-time recovery.

Scheduled Backups

Automated backups support configurable frequency, execution time, and retention (keep last N backups or purge after N days). Each run generates its own key that must be retrieved and stored. Retention rules run after each backup to prune older copies.

Restore Behavior

Restoring a backup fully replaces the current database, restoring all projects, vaults, resources, users, and configuration as captured. Restores are destructive and require the correct encryption key.

Access Control & Auditing

• only admins can create, schedule, or restore backups
• all backup/restore actions are logged
• encryption keys are never logged or persisted

Best Practices

• store encryption keys securely outside Secryn
• maintain multiple restore points
• test restores in non-production environments
• treat backup files and keys as highly sensitive assets

Backups in Secryn support long-term reliability, disaster recovery, and complete data ownership without relying on external services.