GPG Encryption
Encryption is what lets you store backups in offsite locations you do not fully trust (cloud storage, a remote VPS, shared buckets): the provider holds only ciphertext, and confidentiality rests on your passphrase or private key rather than on the provider. GPG (GnuPG) supports two common models: symmetric (one passphrase) and public-key (encrypt for a recipient).
Quick Summary
- Symmetric: gpg --symmetric --cipher-algo AES256 file
- Public-key: gpg --encrypt --recipient backup@domain file
- Always test decryption before you upload offsite.
- If you lose the keys or passphrases, the backups are unusable.
Symmetric encryption (passphrase)
Encrypt a file:
gpg-symmetric-encrypt.sh
gpg --symmetric --cipher-algo AES256 --output /backups/wp-db.sql.zst.gpg /backups/wp-db.sql.zst
Decrypt to a file:
gpg-symmetric-decrypt.sh
gpg --output /tmp/wp-db.sql.zst --decrypt /backups/wp-db.sql.zst.gpg
Public-key encryption (recommended for teams)
Public-key encryption avoids sharing a single passphrase. The machine that produces backups needs only the recipient's public key; the private key stays off that machine, so an attacker who compromises the server can create new encrypted backups but cannot read any of them.
List keys:
gpg-list-keys.sh
gpg --list-keys
Encrypt for a recipient:
gpg-encrypt-for-recipient.sh
gpg --encrypt --recipient backup@domain --output /backups/wp-files.tar.zst.gpg /backups/wp-files.tar.zst
Decrypt (requires the private key):
gpg-decrypt-recipient-file.sh
gpg --output /tmp/wp-files.tar.zst --decrypt /backups/wp-files.tar.zst.gpg
Verification (do not skip)
Before you upload encrypted artifacts offsite:
- Decrypt to stdout and validate the inner format.
gpg-verify-by-testing-inner-format.sh
gpg --decrypt /backups/wp-db.sql.zst.gpg | zstd -t
- Optionally verify archive contents (example for tar.zst):
gpg-verify-tar-zst-contents.sh
gpg --decrypt /backups/wp-files.tar.zst.gpg | tar --use-compress-program=zstd -tf - | sed -n '1,25p'
Operational notes
- Store encrypted files offsite, not plaintext.
- Keep keys/passphrases out of shell history, chat logs and process listings: pass a passphrase with --passphrase-file on a mode-0600 file rather than --passphrase on the command line, where it is visible to every local user via ps.
- Consider a dedicated backup operator key and a documented recovery procedure.
warning
If you do not have the decryption material during an incident (passphrase/private key), your backups are effectively lost.
Next steps
- Encrypt DB backups end-to-end:
opt/docker-data/apps/docusaurus/site/docs/server/linux-server/10-backup-disaster-recovery/encrypt-database-backups.mdx.