diff --git a/docs/backups.md b/docs/backups.md
new file mode 100644
index 0000000000000000000000000000000000000000..71738eb270169d2e345c5dea339f3535be1c3624
--- /dev/null
+++ b/docs/backups.md
@@ -0,0 +1,77 @@
+# Backups
+
+## Password Manager
+
+I have to do regular manual exports of my password manager database, additionally from the regular backups I'm doing of my server, which includes the Vaultwarden data. This has multiple purposes.
+
+Firstly, it's part of my disaster recovery strategy. Were I to lose my entire server, I still want to be able to quickly regain access to my passwords. Having to spin a new Vaultwarden instance up from a backup or something to be able to regain access to things like
+
+- I self-host my password manager
+- in case I lose my server I still want to be able to recover access to my passwords
+- espcially because my backups are potentially encrypted with keys I
+
+TODO create recurring todo task (can be simultaneous check that I remember the password)
+
+### Guide
+
+1.
+
+
+## Encryption Hierarchy
+
+Encrypted stuff and what they're encrypted with / where their keys are stored.
+
+- **password manager:** only in my memory
+- **agenix secrets:** SSH private keys
+  - **SSH private keys:** on devices + TODO password manager
+- **backups:** backup keys
+  - **backup keys:** agenix secret + TODO password manager
+- **full disk encryption:** my memory, password manager
+
+TODO backup strategy
+
+```mermaid
+graph TD
+  memory((my\nmemory))
+  pw[password manager]
+  devices[devices]
+  ssh[SSH private keys]
+  agenix[agenix secrets]
+  backups[backups]
+
+  memory -.-> devices
+  memory --> pw
+  pw --> devices
+  devices --> ssh
+  ssh --> agenix
+  agenix --> backups
+  pw -.-> backups
+  pw -.-> ssh
+```
+
+The default dependencies are as follows: TODO
+
+
+## Disaster Recovery
+
+### Targeted Worst-Case Scenario
+
+My defined worst-case scenario I want to be prepared for is: my house burns down. I lose all my devices from PC over laptop to my phone at once. I still want to be able to fully recover my data from my off-site backup in this case.
+
+### Guide
+
+This is a guide of what I would need to do in case of the worst-case scenario. The purpose of this is so I can verify the feasibility of the procedure, and of course also as help if it were to actually become necessary to follow it.
+
+1. Get a loaner notebook.
+
+2. Travel to my off-site backup location.
+
+3. Hook up the backup drive to the notebook. It's unencrypted, so this doesn't need any extra steps.
+
+4. Decrypt the password manager export using age: `age --decrypt -o pw pw.age`
+
+5. Access the backups using the encryption key from the password manager.
+
+6. Access the agenix secrets using the SSH private keys from the password manager.
+
+7. Rebuild my systems using the now accessible data.
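Review bot: Steps 5 and 6 of the Disaster Recovery guide depend on the backup keys and the SSH private keys being in the password manager, but the Encryption Hierarchy list still marks both as "TODO password manager". Until that is done, the only documented path to the backup keys is the agenix secret, which needs SSH private keys that exist only "on devices", and the worst-case scenario assumes all devices are lost, so the procedure cannot be completed as written. Either store both keys in the password manager before merging, or mark steps 5 and 6 as not yet feasible. The diagram draws `pw -.-> backups` and `pw -.-> ssh` as dotted edges without saying what dotted means; a one-line legend would make clear whether these are planned or existing paths. Step 4 should state what unlocks `pw.age`: the command `age --decrypt -o pw pw.age` names no identity file, and the hierarchy says the password manager is held "only in my memory", so say explicitly that the export is passphrase-encrypted with a passphrase you memorize, if that is the intent. Smaller points: the paragraph ending "things like" and the bullet ending "keys I" stop mid-sentence, the first Guide contains only an empty step "1.", and step 3 calls the backup drive unencrypted while step 5 needs an encryption key for the backups, so it is worth one sentence on which layer is encrypted.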