← All guides

The Postgres backup security checklist

12 checks: credential scope, encryption at rest and in flight, key custody, access logging, deletion protection, and the plaintext audit.

Credentials & transport

☐ Backup role is read-only (probe it — try an INSERT).
☐ Connection uses TLS (sslmode=require minimum).
☐ Credential lives in a secret manager, not crontab.
☐ Connection string never appears in argv (ps shows it) — use PGPASSWORD/pgpass or libpq env vars.
☐ Credential rotates, and rotation doesn't silently break backups (dead-man switch catches it).

Storage & keys

☐ Encrypted client-side BEFORE upload (SSE alone ≠ enough).
☐ Authenticated encryption (GCM/age) so tampering fails loudly.
☐ Encryption keys stored separately from the data they protect.
☐ Key rotation possible without re-encrypting archives (envelope encryption).
☐ Bucket denies public access; deletion needs MFA/object-lock or versioning.

Process

☐ Backups restore-tested on schedule, results recorded.
☐ No plaintext dumps lingering in /tmp, CI artifacts, or laptops — audit for *.sql/*.dump quarterly.

Twelve boxes. Firedrill was built to make the hard eight of them someone else's uptime problem.

A backup you've never restored is a hope, not a backup.

Firedrill restore-tests every backup it takes — on real infrastructure, with the report to prove it.