Skip to main content
All Breadbox data — accounts, transactions, bank connections, categories, rules, and users — lives in PostgreSQL. To protect your data, you need two things: a regular database backup and a secure copy of your ENCRYPTION_KEY.

What to back up

ItemWhere it livesWhat you lose without it
PostgreSQL databasepostgres_data volume or your database serverAll financial data — accounts, transactions, connections
ENCRYPTION_KEYYour .env / .docker.env file or secrets storeAccess to bank connections (transactions stay, but connections can’t sync)
Back up both. A database backup without the matching encryption key leaves your transaction history readable but all bank connections broken — you’d need to re-link every account.
Never lose your ENCRYPTION_KEY. Breadbox uses AES-256-GCM to encrypt Plaid and Teller access tokens at rest. If the key is lost, there is no way to decrypt the stored credentials. Store the key in a password manager or secrets vault, separately from your database backup.

Backup with pg_dump

pg_dump is the most reliable way to back up a running PostgreSQL database. The custom format (-Fc) produces a compressed archive you can restore selectively.
Store the resulting .dump file offsite — a different machine, a cloud bucket, or an encrypted external drive.

Restore from a pg_dump backup

1

Stop or pause Breadbox

Bring down the Breadbox service to avoid writes during restore:
2

Restore the dump

--clean --if-exists drops existing objects before recreating them, making the restore idempotent.
3

Restart Breadbox

4

Verify the restore

Check that data came back by querying key tables:
Then sign in to the admin dashboard and confirm that connections show their last sync time and status.

Backup the Docker volume

If you run Breadbox with Docker Compose, PostgreSQL data lives in the breadbox_postgres_data named volume. You can snapshot it directly without connecting to the database.

Restore a volume backup

Automate backups with cron

Save the following script as /usr/local/bin/breadbox-backup.sh to run daily backups and keep a rolling window of recent dumps:
Make it executable and schedule it:
This keeps seven daily backups and four weekly backups before pruning.

Back up your ENCRYPTION_KEY

Your ENCRYPTION_KEY is an environment variable (see the environment variables reference for generation and precedence rules). It’s not in the database, so database backups do not include it. Store it separately:
  • In a password manager (1Password, Bitwarden, etc.)
  • In a secrets vault (HashiCorp Vault, AWS Secrets Manager, etc.)
  • In encrypted offline storage
Do not commit it to version control. If you lose the key and need to recover, your transaction history remains intact but every bank connection must be re-linked by hand.
Key rotation is a manual process. To change your encryption key, you must decrypt all stored credentials with the old key, re-encrypt them with the new key, and update ENCRYPTION_KEY before restarting. Breadbox does not automate this. Plan rotations carefully.

Export transactions via the REST API

As an alternative or supplement to database backups, you can export your transaction history through the REST API. This is useful for archiving data in a format that is independent of the database schema:
Use the cursor-based pagination in the API response to page through all records. Exported JSON does not include bank credentials, so it is safe to store without the encryption key.
Last modified on June 25, 2026