# Vaultwarden Backup and Restore

## What Gets Backed Up

### Critical (Required for restore):

- **PostgreSQL Database** - All vault data (passwords, notes, attachments metadata, etc.)
- **rsa_key.pem** - RSA private key (required to decrypt existing vault data)
- **.env file** - Database credentials and SMTP configuration

### Important:

- **config.json** - Vaultwarden admin settings

### Excluded (regenerated automatically):

- icon_cache/ - Website favicons
- tmp/ - Temporary files

## Backup Location

All backups are stored in: `/srv/backups/vaultwarden/`

Each backup includes:

- `vaultwarden_db_YYYYMMDD_HHMMSS.dump` - PostgreSQL database (compressed)
- `vaultwarden_data_YYYYMMDD_HHMMSS.tar.gz` - Data directory (config + RSA key)
- `vaultwarden_env_YYYYMMDD_HHMMSS.env` - Environment variables

## Manual Backup

Run the backup script manually:

```bash
/srv/backups/scripts/backup-vaultwarden.sh
```

## Automated Backups

Set up daily automated backups using cron:

```bash
# Create log directory
sudo mkdir -p /var/log/vaultwarden
sudo chown pkartch:pkartch /var/log/vaultwarden

# Edit crontab
crontab -e

# Add this line for daily backups at 2:00 AM
0 2 * * * /srv/backups/scripts/backup-vaultwarden.sh >> /var/log/vaultwarden/backup.log 2>&1
```

Alternative schedules:

```bash
# Every 6 hours
0 */6 * * * /srv/backups/scripts/backup-vaultwarden.sh >> /var/log/vaultwarden/backup.log 2>&1

# Twice daily (2 AM and 2 PM)
0 2,14 * * * /srv/backups/scripts/backup-vaultwarden.sh >> /var/log/vaultwarden/backup.log 2>&1

# Weekly on Sunday at 3 AM
0 3 * * 0 /srv/backups/scripts/backup-vaultwarden.sh >> /var/log/vaultwarden/backup.log 2>&1
```

## Restore from Backup

1. List available backups:

   ```bash
   /srv/backups/scripts/restore-vaultwarden.sh
   ```

2. Restore a specific backup:

   ```bash
   /srv/backups/scripts/restore-vaultwarden.sh 20251210_050042
   ```

**Warning**: Restore will:

- Stop the Vaultwarden container
- Replace the PostgreSQL database
- Replace data directory files
- Restart the container

## Retention Policy

- Backups older than 30 days are automatically deleted
- To change retention, edit `RETENTION_DAYS` in `backup-vaultwarden.sh`

## Off-Site Backup Recommendations

The backup directory is stored locally. For disaster recovery, consider:

1. **Sync to another server**:

   ```bash
   # Using rsync
   rsync -avz /srv/backups/vaultwarden/ user@backup-server:/backups/vaultwarden/
   ```

2. **Upload to cloud storage** (S3, Backblaze B2, etc.):

   ```bash
   # Using rclone (example)
   rclone sync /srv/backups/vaultwarden/ remote:vaultwarden-backups/
   ```

3. **Add to existing backup solution** (e.g., Restic, Borg, Duplicati)

## Testing Restores

Test your backups regularly:

```bash
# Test restore on a different machine or use a test database
PGDATABASE="vaultwarden_test" ./restore-vaultwarden.sh 20251210_050042
```

## Backup Verification

Check backup integrity:

```bash
# List backup contents
docker run --rm -v /srv/backups/vaultwarden:/backup postgres:18-alpine \
  pg_restore --list /backup/vaultwarden_db_20251210_050042.dump | head -20

# Verify data archive
tar -tzf /srv/backups/vaultwarden/vaultwarden_data_20251210_050042.tar.gz
```

## Troubleshooting

### Backup fails with "Permission denied"

- Ensure the backup directory is writable by your user
- Check that Docker has access to mount the backup directory

### Restore fails with version mismatch

- Update the PostgreSQL Docker image version in the restore script to match your database

### Large backup sizes

- Database size grows with the number of users and vault items
- Consider increasing retention period if backups are large
- Attachments are stored in the database (not as files)

## Security Notes

- Backup files contain sensitive data (encrypted vault data + encryption keys)
- Protect the backup directory with appropriate file permissions
- Encrypt backups before uploading to cloud storage
- Store the .env file separately as it contains database credentials
- Backups are stored outside the git repository in `/srv/backups/vaultwarden/`
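
A pre-upload check that combines the Backup Verification and Security Notes points, as an added example (not part of the original backup scripts): it confirms that one timestamped backup set is complete, that no file is accessible to group or other, and that the data archive still carries `rsa_key.pem`. The function name `check_backup_set` and the problem labels are hypothetical; it assumes the dump is in `pg_dump` custom format (implied by the `pg_restore --list` usage above), which begins with the bytes `PGDMP`.

```shell
# Added example: sanity-check one Vaultwarden backup set before syncing it off-site.
# Usage: check_backup_set DIR STAMP   (e.g. /srv/backups/vaultwarden 20251210_050042)
# Prints one line per problem; returns 0 only when no problem was found.
check_backup_set() {
    local dir="$1" stamp="$2" problems=0 f mode
    local db="$dir/vaultwarden_db_${stamp}.dump"
    local data="$dir/vaultwarden_data_${stamp}.tar.gz"
    local env="$dir/vaultwarden_env_${stamp}.env"

    for f in "$db" "$data" "$env"; do
        if [ ! -s "$f" ]; then
            echo "MISSING_OR_EMPTY $f"; problems=$((problems + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "LOOSE_PERMS $f (group/other: $mode)"; problems=$((problems + 1))
        fi
    done

    # Assumption: pg_dump custom format, whose file header starts with "PGDMP".
    if [ -s "$db" ] && [ "$(head -c 5 "$db")" != "PGDMP" ]; then
        echo "NOT_A_PG_DUMP $db"; problems=$((problems + 1))
    fi

    # The archive must list cleanly and must contain the RSA key file.
    if [ -s "$data" ]; then
        if ! tar -tzf "$data" >/dev/null 2>&1; then
            echo "CORRUPT_ARCHIVE $data"; problems=$((problems + 1))
        elif ! tar -tzf "$data" | grep -Eq '(^|/)rsa_key\.pem$'; then
            echo "NO_RSA_KEY $data"; problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}
```

Running it after each backup and before the `rsync` or `rclone` step keeps an incomplete or world-readable set from being copied off-site.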