# Ticket: Vaultwarden backup plan

## Metadata
- Type: Ticket
- Status: Done / MVP backup verified
- Project: Homelab secrets management
- Created: 2026-06-06
- Updated: 2026-06-06
- Priority: High

## Goal

Define and implement a basic backup plan for the planned Vaultwarden VM before critical secrets are migrated into it.

## Why

Vaultwarden will become a high-value secrets store. The vault should not become a single point of failure or lockout risk.

## Scope

Included:
- Choose backup destination.
- Choose backup encryption method.
- Choose retention policy.
- Define off-host/offline copy expectations.
- Implement backup job or documented manual backup procedure after Vaultwarden deployment.
- Verify backup artifacts are created and non-empty.
- Log backup setup and verification without secret values.

Not included:
- Storing backup encryption keys in git.
- Treating Vaultwarden as authoritative before backup exists.
- Restore testing; tracked separately in the recovery/restore-test ticket.

## Acceptance Criteria

This ticket is done when:
- [x] Backup destination, encryption, retention, and operator ownership are approved for MVP.
- [x] Vaultwarden backup scope is documented and implemented.
- [x] At least one backup artifact is created and verified non-empty.
- [x] Backup recovery material location is documented by reference only — user confirmed the dedicated age private key is safely stored outside Vaultwarden.
- [x] `docs/server-change-log.md` records the backup setup without secret values.

## Questions

- Where should Vaultwarden backups be stored initially?
- Should backups be encrypted with age, GPG, restic, Proxmox Backup Server, or another method?
- What retention policy is acceptable for the homelab MVP?
- Who owns backup decryption/recovery material?

## Plan / Next Actions

- [x] Wait for Vaultwarden deployment details.
- [x] Decide backup destination and encryption method with user.
- [x] Update `runbooks/vaultwarden-backup.md` with approved details.
- [x] Implement backup procedure/job.
- [x] Verify first backup.
- [x] Log change.
- [x] User confirms where the dedicated age private recovery key and offline backup copy live outside Vaultwarden.

## Notes

- User stated on 2026-06-06 that there is currently no backup plan and requested a ticket to create one.
- 2026-06-06: MVP initially implemented with `age` encryption to the user's `deeso` SSH public key recipient. Latest verified encrypted artifact was copied off-VM to LXC 104 `nimrod` under `/home/piagent/backups/vaultwarden/`. This is not a substitute for user-owned offline storage or restore testing.
- 2026-06-06: User generated a dedicated Vaultwarden-backup age recipient on their Linux workstation. Future backups now encrypt to that dedicated `age1...` recipient instead of the workstation SSH key.
- 2026-06-06: User confirmed the private `AGE-SECRET-KEY-...` recovery material is now safe outside Vaultwarden.
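
The backup job these notes describe, as an added example written for this ticket rather than the runbook's own script: it stages a consistent copy of the Vaultwarden data directory, streams it through `age` to the dedicated `age1...` recipient, verifies the artifact is non-empty, copies it to the `nimrod` path from the notes, prunes by age, and logs the run without secret values. The `sqlite3` and `age` binaries, every path, the `KEEP_DAYS` retention, the scp user and the recipient value are assumptions; override them through the environment.

```bash
#!/usr/bin/env bash
# Added example (not the ticket's own job): encrypt a Vaultwarden backup with age
# to the dedicated age1... recipient, verify it is non-empty, copy it off-host,
# and log the run without secret values. Paths, recipient, retention and the
# off-host target below are assumed placeholders; override them via the environment.
set -euo pipefail

DATA_DIR="${DATA_DIR:-/var/lib/vaultwarden}"               # assumed data directory
BACKUP_DIR="${BACKUP_DIR:-/var/backups/vaultwarden}"       # assumed local artifact dir
RECIPIENT="${RECIPIENT:-age1PLACEHOLDER_RECIPIENT}"        # public recipient only, never a private key
OFFHOST="${OFFHOST:-piagent@nimrod:/home/piagent/backups/vaultwarden/}"  # assumed scp target
KEEP_DAYS="${KEEP_DAYS:-30}"                               # assumed retention
LOG="${LOG:-/var/log/vaultwarden-backup.log}"

# Only an age public recipient may be configured; anything else is a misconfiguration.
check_recipient() { case "$1" in age1*) return 0 ;; *) return 1 ;; esac; }

# An artifact counts only if it exists and is non-empty.
verify_artifact() { [ -s "$1" ]; }

# Strip anything that looks like an age private key from a line before it is logged.
redact() { printf '%s\n' "$1" | sed -E 's/AGE-SECRET-KEY-1[A-Z0-9]+/AGE-SECRET-KEY-[REDACTED]/g'; }

backup() {
  check_recipient "$RECIPIENT" || { echo "refusing: RECIPIENT is not an age1 public key" >&2; return 1; }
  mkdir -p "$BACKUP_DIR"
  local stamp stage out
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  stage="$(mktemp -d)"
  out="$BACKUP_DIR/vaultwarden-$stamp.tar.gz.age"
  # Take a consistent copy of the SQLite database while Vaultwarden keeps running,
  # then add the other state files from the data directory.
  sqlite3 "$DATA_DIR/db.sqlite3" ".backup '$stage/db.sqlite3'"
  for f in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
    if [ -e "$DATA_DIR/$f" ]; then cp -a "$DATA_DIR/$f" "$stage/"; fi
  done
  # Plaintext never lands on disk outside the staging dir: tar streams straight into age.
  tar -C "$stage" -czf - . | age -r "$RECIPIENT" -o "$out"
  rm -rf "$stage"
  verify_artifact "$out" || { echo "backup artifact missing or empty: $out" >&2; return 1; }
  scp -q "$out" "$OFFHOST"
  find "$BACKUP_DIR" -name 'vaultwarden-*.tar.gz.age' -mtime +"$KEEP_DAYS" -delete
  redact "$(date -u +%FT%TZ) ok artifact=$(basename "$out") bytes=$(wc -c <"$out" | tr -d ' ') recipient=$RECIPIENT" >>"$LOG"
}

# Run the job only when invoked as `vaultwarden-backup.sh run` (e.g. from cron).
case "${1:-}" in run) backup ;; esac
```

Because the encrypted artifact is the only thing that leaves the VM, a successful run still proves nothing about recoverability; that belongs to the restore-test ticket.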
