diff --git a/docs/backups.md b/docs/backups.md new file mode 100644 index 0000000000000000000000000000000000000000..71738eb270169d2e345c5dea339f3535be1c3624 --- /dev/null +++ b/docs/backups.md @@ -0,0 +1,77 @@ +# Backups + +## Password Manager + +I have to do regular manual exports of my password manager database, additionally from the regular backups I'm doing of my server, which includes the Vaultwarden data. This has multiple purposes. + +Firstly, it's part of my disaster recovery strategy. Were I to lose my entire server, I still want to be able to quickly regain access to my passwords. Having to spin a new Vaultwarden instance up from a backup or something to be able to regain access to things like + +- I self-host my password manager +- in case I lose my server I still want to be able to recover access to my passwords +- espcially because my backups are potentially encrypted with keys I + +TODO create recurring todo task (can be simultaneous check that I remember the password) + +### Guide + +1. + + +## Encryption Hierarchy + +Encrypted stuff and what they're encrypted with / where their keys are stored. + +- **password manager:** only in my memory +- **agenix secrets:** SSH private keys + - **SSH private keys:** on devices + TODO password manager +- **backups:** backup keys + - **backup keys:** agenix secret + TODO password manager +- **full disk encryption:** my memory, password manager + +TODO backup strategy + +```mermaid +graph TD + memory((my\nmemory)) + pw[password manager] + devices[devices] + ssh[SSH private keys] + agenix[agenix secrets] + backups[backups] + + memory -.-> devices + memory --> pw + pw --> devices + devices --> ssh + ssh --> agenix + agenix --> backups + pw -.-> backups + pw -.-> ssh +``` + +The default dependencies are as follows: TODO + + +## Disaster Recovery + +### Targeted Worst-Case Scenario + +My defined worst-case scenario I want to be prepared for is: my house burns down. I lose all my devices from PC over laptop to my phone at once. I still want to be able to fully recover my data from my off-site backup in this case. + +### Guide + +This is a guide of what I would need to do in case of the worst-case scenario. The purpose of this is so I can verify the feasibility of the procedure, and of course also as help if it were to actually become necessary to follow it. + +1. Get a loaner notebook. + +2. Travel to my off-site backup location. + +3. Hook up the backup drive to the notebook. It's unencrypted, so this doesn't need any extra steps. + +4. Decrypt the password manager export using age: `age --decrypt -o pw pw.age` + +5. Access the backups using the encryption key from the password manager. + +6. Access the agenix secrets using the SSH private keys from the password manager. + +7. Rebuild my systems using the now accessible data.