Credentials & transport
☐ Backup role is read-only (probe it — try an INSERT).
☐ Connection uses TLS (sslmode=require minimum).
☐ Credential lives in a secret manager, not crontab.
☐ Connection string never appears in argv (ps shows it) — use PGPASSWORD/pgpass or libpq env vars.
☐ Credential rotates, and rotation doesn't silently break backups (dead-man switch catches it).
Storage & keys
☐ Encrypted client-side BEFORE upload (SSE alone ≠ enough).
☐ Authenticated encryption (GCM/age) so tampering fails loudly.
☐ Encryption keys stored separately from the data they protect.
☐ Key rotation possible without re-encrypting archives (envelope encryption).
☐ Bucket denies public access; deletion needs MFA/object-lock or versioning.
Process
☐ Backups restore-tested on schedule, results recorded.
☐ No plaintext dumps lingering in /tmp, CI artifacts, or laptops — audit for *.sql/*.dump quarterly.
Twelve boxes. Firedrill was built to make the hard eight of them someone else's uptime problem.