Backups and Restore

Backups in Secryn allow you to export the entire instance state and restore it when needed. Backup data is protected using application-level encryption with secure key handling and is designed for disaster recovery and compliance use cases.

Backups are available under Admin -> Backups.

What Is Included in a Backup

Each backup is a full instance snapshot and includes:

• All projects
• All vaults (including restricted vaults)
• All secrets (including version history)
• All keys
• All certificates
• All users and roles
• RBAC configuration
• App settings and configuration

Backups are not partial and cannot be scoped to individual projects.

Backup Protection

Secryn uses application-level encryption with secure key handling to protect backup data at rest.

Important

• Backup creation and restore rely on backup key material handled through the workflow.
• When key material is shown during backup creation or from Recent Operations, record it before leaving the page.
• Store backup key material in a secure external system such as a hardware vault or secure password manager.
• Verify your recovery process can access the required backup material before relying on a backup for disaster recovery.

This approach fits Secryn's broader security model alongside RBAC, audit logs, HTTPS in transit, and self-hosted deployment control.

Creating a Manual Backup

To create a backup manually:

• Go to Admin -> Backups
• Click Create Backup
• Wait for the process to complete
• Download the backup file
• Record and securely store any backup key material shown by the workflow

After completion, the backup will appear in the backup history table.

Scheduled Backups

Secryn supports automated scheduled backups.

You can configure:

• Enable schedule
• Frequency (e.g., daily)
• Run time
• Keep last N backups
• Purge backups older than X days

Retention Policy

Retention rules are evaluated after each scheduled run.

Backups exceeding:

• The maximum number of retained backups, or
• The maximum age threshold

are automatically purged.

Backup Keys for Scheduled Backups

Scheduled backups also require backup key material during restore.

After a scheduled backup completes:

• Open Recent Operations
• Locate the backup entry
• Click View Key
• Store the key securely

Verify the key is stored in your recovery system before treating that backup as restorable.

Downloading Backups

Backups can be downloaded directly from the Backups page.

The downloaded file:

• Is protected using application-level encryption with secure key handling
• Requires the corresponding backup key material during restore
• Contains the entire instance state

Restoring from Backup

Restoring a backup replaces the entire instance.

Restore Requirements

You must provide:

• The backup file
• The corresponding backup key material

Restore Behavior

• The current instance data is fully replaced
• All existing projects, vaults, secrets, keys, certificates, users, and settings are overwritten
• The system state will match exactly what existed at the time of backup

Restore is not a merge operation.

Security Considerations

Because restore replaces the entire instance:

• Ensure you are restoring into the correct environment
• Verify the backup source
• Confirm the backup key material before proceeding

If possible:

• Perform restore operations during maintenance windows
• Notify users before initiating restore

Disaster Recovery Best Practices

For production environments:

• Enable scheduled backups
• Store backup key material in a secure external system
• Test restore procedures in a staging environment
• Periodically verify backup integrity

Avoid storing backup files and backup key material together.

Compliance & Audit

Backups support:

• Business continuity planning
• Disaster recovery strategy
• Regulatory compliance requirements
• Long-term archival retention

Backup creation and restore actions are recorded in Audit Logs.