Encrypt (encrypt)

The encrypt backend wraps another backend to provide client-side encryption. All data is encrypted before being sent to the underlying storage backend, ensuring your data remains private even if the storage is compromised.

Configuration

# Example aegis.toml configuration:
[backends.my-encrypt-backend]
type = "encrypt"
key = "YyqkOieV7pJrbT5HIh4HJg+fj1ZAGMZEulcXvJr9WLI" # Generated with `aegis gen-key`
sub_backend = "cloud" # The name of another backend in aegis.toml

Options

Option        Type         Required  Description
type          String       Yes       Must be "encrypt"
key           String       Yes       Base64-encoded 256-bit encryption key
sub_backend   BackendName  Yes       Name of the backend to store encrypted data

Generating a Key

Use the gen-key command to generate a secure encryption key:

aegis gen-key

This outputs a base64-encoded 256-bit random key. Copy this key into your aegis.toml.

Important: Store this key securely. Without it, your encrypted data cannot be recovered.

Encryption details

  • Blob encryption: Each blob is encrypted with ChaCha20-Poly1305
  • Checksum transformation: Each original SHA-256 Merkle DAG checksum is transformed using HMAC-SHA256 with your key, so the storage backend never sees the original checksums
  • Namespace: Encrypted blobs are stored in a namespace derived from the backend name and key.

Note: This backend derives the blob namespace from the backend's name. Unlike other backends, renaming an encrypt backend therefore makes its snapshots disappear until you restore the original name.
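To make the scheme above concrete, here is an added model of the key handling, the HMAC-SHA256 checksum transformation and the name-dependent namespace; it is example code written for this page, not aegis's own implementation, and the ChaCha20-Poly1305 blob encryption step is left out. The padding tolerance in load_key and the exact namespace construction in namespace_for are assumptions, since the page does not specify them.

```python
import base64
import hashlib
import hmac
import os

KEY_BYTES = 32  # the `key` option is a 256-bit key


def gen_key() -> str:
    """Model of `aegis gen-key`: 32 random bytes, base64 without padding."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode().rstrip("=")


def load_key(encoded: str) -> bytes:
    """Decode the base64 `key` option and reject anything but 256 bits.
    Assumption: the key may be written with or without '=' padding."""
    padded = encoded + "=" * (-len(encoded) % 4)
    key = base64.b64decode(padded, validate=True)
    if len(key) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(key)}")
    return key


def transform_checksum(key: bytes, checksum: bytes) -> bytes:
    """HMAC-SHA256 over an original SHA-256 DAG checksum: the sub-backend
    only ever sees this keyed value, never the plaintext checksum."""
    if len(checksum) != hashlib.sha256().digest_size:
        raise ValueError("expected a raw SHA-256 digest")
    return hmac.new(key, checksum, hashlib.sha256).digest()


def namespace_for(key: bytes, backend_name: str) -> str:
    """Hypothetical model of the namespace derivation: a keyed hash over the
    backend name. aegis's real construction is not documented on this page."""
    tag = hmac.new(key, b"namespace:" + backend_name.encode(), hashlib.sha256)
    return tag.hexdigest()[:32]


if __name__ == "__main__":
    key = load_key(gen_key())
    blob = b"constructed sample blob contents"  # constructed input
    original = hashlib.sha256(blob).digest()
    print("stored checksum:", transform_checksum(key, original).hex())
    # Renaming the backend changes the namespace, so snapshots written
    # under the old name are not found until that name is restored.
    print(namespace_for(key, "my-encrypt-backend"))
    print(namespace_for(key, "renamed-backend"))
```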

In general, I recommend keeping at least one non-encrypted backup of your data and using the encrypt backend only for off-site backups, so that you can still recover if your local backups fail.