Backups and Restore

Learn how full-instance encrypted backups and restore workflows operate in Secryn.

Backups in Secryn allow you to securely export the entire instance state and restore it when needed. All backups are full-instance, encrypted, and designed for disaster recovery and compliance use cases.

Backups are available under Admin -> Backups.

What Is Included in a Backup

Each backup is a full instance snapshot and includes:

  • All projects
  • All vaults (including restricted vaults)
  • All secrets (including version history)
  • All keys
  • All certificates
  • All users and roles
  • RBAC configuration
  • App settings and configuration

Backups are not partial and cannot be scoped to individual projects.

Encryption Model

Every backup is encrypted using a one-time encryption key.

Important

  • A unique encryption key is generated for each backup.
  • The encryption key is shown once after the backup completes.
  • Secryn does not store this encryption key.
  • If the key is lost, the backup cannot be decrypted.
  • You are responsible for storing the encryption key securely (e.g., in a hardware vault or secure password manager).

This design ensures that Secryn cannot decrypt backups without your key.

Creating a Manual Backup

To create a backup manually:

  • Go to Admin -> Backups
  • Click Create Backup
  • Wait for the process to complete
  • Download the backup file
  • Copy and securely store the encryption key

After completion, the backup will appear in the backup history table.

Scheduled Backups

Secryn supports automated scheduled backups.

You can configure:

  • Enable schedule
  • Frequency (e.g., daily)
  • Run time
  • Keep last N backups
  • Purge backups older than X days

Retention Policy

Retention rules are evaluated after each scheduled run.

Backups exceeding:

  • The maximum number of retained backups, or
  • The maximum age threshold

are automatically purged.

One-Time Encryption Keys (Scheduled Backups)

Each scheduled backup also generates a unique encryption key.

After a scheduled backup completes:

  • Open Recent Operations
  • Locate the backup entry
  • Click View Key
  • Store the key securely

If you fail to store the key, that specific backup cannot be restored.

Downloading Backups

Backups can be downloaded directly from the Backups page.

The downloaded file:

  • Is fully encrypted
  • Cannot be inspected without the correct encryption key
  • Contains the entire instance state

Restoring from Backup

Restoring a backup replaces the entire instance.

Restore Requirements

You must provide:

  • The backup file
  • The corresponding encryption key

Restore Behavior

  • The current instance data is fully replaced
  • All existing projects, vaults, secrets, keys, certificates, users, and settings are overwritten
  • The system state will match exactly what existed at the time of backup

Restore is not a merge operation.

Security Considerations

Because restore replaces the entire instance:

  • Ensure you are restoring into the correct environment
  • Verify the backup source
  • Confirm the encryption key before proceeding

If possible:

  • Perform restore operations during maintenance windows
  • Notify users before initiating restore

Disaster Recovery Best Practices

For production environments:

  • Enable scheduled backups
  • Store encryption keys in a secure external system
  • Test restore procedures in a staging environment
  • Periodically verify backup integrity

Never store backup files and encryption keys together.
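
One way to carry out the "verify the backup source" and "periodically verify backup integrity" steps on downloaded files, as an added example that is not Secryn code: record each file's SHA-256 at download time in a manifest kept apart from the backups, then audit the backup directory against it. The manifest layout, file names and function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def record(backup, manifest):
    """Run right after download: store the file's SHA-256 in the manifest."""
    backup, manifest = Path(backup), Path(manifest)
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[backup.name] = sha256_file(backup)
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))

def audit(backup_dir, manifest):
    """Run on a schedule and before a restore; maps file name to a status."""
    entries, report = json.loads(Path(manifest).read_text()), {}
    for name, expected in entries.items():
        path = Path(backup_dir) / name
        if not path.is_file():
            report[name] = "missing"
        else:
            same = hmac.compare_digest(sha256_file(path), expected)
            report[name] = "ok" if same else "modified"
    for path in Path(backup_dir).iterdir():
        if path.is_file() and path.name not in entries:
            report[path.name] = "unrecorded"  # source cannot be confirmed
    return report

def demo():
    """Constructed sample: stand-in files, not real Secryn backups."""
    with tempfile.TemporaryDirectory() as store, tempfile.TemporaryDirectory() as safe:
        manifest = Path(safe) / "manifest.json"  # kept apart from the backups
        for name in ("backup-a.enc", "backup-b.enc", "backup-c.enc"):  # assumed names
            (Path(store) / name).write_bytes(name.encode() * 64)
            record(Path(store) / name, manifest)
        (Path(store) / "backup-b.enc").write_bytes(b"altered after download")
        (Path(store) / "backup-c.enc").unlink()
        (Path(store) / "backup-d.enc").write_bytes(b"never recorded")
        return audit(store, manifest)

if __name__ == "__main__":
    print(demo())
```

A digest match shows the file is the one that was downloaded; it does not replace a test restore in staging.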

Compliance & Audit

Backups support:

  • Business continuity planning
  • Disaster recovery strategy
  • Regulatory compliance requirements
  • Long-term archival retention

Backup creation and restore actions are recorded in Audit Logs.