ENCRYPTION_KEY.
What to back up
| Item | Where it lives | What you lose without it |
|---|---|---|
| PostgreSQL database | postgres_data volume or your database server | All financial data — accounts, transactions, connections |
ENCRYPTION_KEY | Your .env / .docker.env file or secrets store | Access to bank connections (transactions stay, but connections can’t sync) |
Backup with pg_dump
pg_dump is the most reliable way to back up a running PostgreSQL database. The custom format (-Fc) produces a compressed archive you can restore selectively.
.dump file offsite — a different machine, a cloud bucket, or an encrypted external drive.
Restore from a pg_dump backup
Restore the dump
--clean --if-exists drops existing objects before recreating them, making the restore idempotent.Backup the Docker volume
If you run Breadbox with Docker Compose, PostgreSQL data lives in thebreadbox_postgres_data named volume. You can snapshot it directly without connecting to the database.
Restore a volume backup
Automate backups with cron
Save the following script as/usr/local/bin/breadbox-backup.sh to run daily backups and keep a rolling window of recent dumps:
Back up your ENCRYPTION_KEY
YourENCRYPTION_KEY is an environment variable (see the environment variables reference for generation and precedence rules). It’s not in the database, so database backups do not include it. Store it separately:
- In a password manager (1Password, Bitwarden, etc.)
- In a secrets vault (HashiCorp Vault, AWS Secrets Manager, etc.)
- In encrypted offline storage
Key rotation is a manual process. To change your encryption key, you must decrypt all stored credentials with the old key, re-encrypt them with the new key, and update
ENCRYPTION_KEY before restarting. Breadbox does not automate this. Plan rotations carefully.