Skip to content

Add age encryption support for database backups #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
namolnad wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add age encryption support for database backups #70

namolnad wants to merge 1 commit into from

Conversation

@namolnad
Copy link

@namolnad namolnad commented Jan 22, 2026

Summary

Adds support for age encryption to encrypt Litestream database backups at rest. This introduces two new configuration options:
age_recipient (public key) and age_secret_key (identity/private key).

Changes

Core Configuration

  • Added age_recipient and age_secret_key to Litestream::Configuration
  • Added module-level accessors matching the pattern of other replica configuration options
  • Environment variables LITESTREAM_AGE_RECIPIENT and LITESTREAM_AGE_SECRET_KEY are now set in the prepare method for all commands

Rake Tasks

  • Updated litestream:env task to output the new age encryption variables

Generator Templates

  • Config template: Added commented age: section with recipients: and identities: fields following the Litestream age encryption format
  • Initializer template: Added documentation for configuring age encryption credentials via Rails encrypted credentials

Testing

  • Updated teardown to clear age environment variables
  • Added individual tests for age_recipient and age_secret_key for all commands (replicate, restore, databases, generations, snapshots, wal)
  • Updated comprehensive tests to verify age variables are set alongside other replica configuration
  • Updated litestream:env task test expectations

Usage

Users can configure age encryption in their config/initializers/litestream.rb:

Rails.application.configure do
  config.litestream.age_recipient = Rails.application.credentials.litestream&.age_recipient
  config.litestream.age_secret_key = Rails.application.credentials.litestream&.age_secret_key
end

Then uncomment the age: section in config/litestream.yml:

age:
  recipients:
    - $LITESTREAM_AGE_RECIPIENT
  identities:
    - $LITESTREAM_AGE_SECRET_KEY

The environment variables will be automatically set when running Litestream commands through the gem.

@namolnad
Add age encryption support with age_recipient and age_secret_key
e930e91 
- Add age_recipient and age_secret_key to Litestream configuration
  - Set LITESTREAM_AGE_RECIPIENT and LITESTREAM_AGE_SECRET_KEY
environment variables in all commands
  - Update litestream:env rake task to print age encryption variables
  - Add age: section with recipients and identities to generated
litestream.yml config
  - Update initializer template with age encryption documentation
  - Add comprehensive test coverage for age variables across all
commands
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@namolnad