## Secrets `kamal-backup` redacts secrets in evidence and command failure output. It treats values from keys containing words such as `password`, `secret`, `token`, `key`, and `credential` as sensitive. Do not put cloud credentials in clear Kamal environment. Use Kamal secrets for: - `RESTIC_PASSWORD`; - `AWS_ACCESS_KEY_ID`; - `AWS_SECRET_ACCESS_KEY`; - database passwords such as `PGPASSWORD` and `MYSQL_PWD`. ## Subprocess execution External tools are executed with argument arrays, not shell interpolation. The backup container does not need application source code. ## Database backups Database backups use logical dump tools: - PostgreSQL: `pg_dump --format=custom --no-owner --no-privileges` - MySQL/MariaDB: `mariadb-dump` or `mysqldump` with transaction-safe defaults - SQLite: `sqlite3 <db> ".backup ..."` Raw database data directories are not used as the primary database backup. ## Restore gates All restore commands require `KAMAL_BACKUP_ALLOW_RESTORE=true`. Database restores use restore-specific targets: - PostgreSQL/MySQL/MariaDB: `RESTORE_DATABASE_URL` - SQLite: `RESTORE_SQLITE_DATABASE_PATH` Production-looking targets are refused unless `KAMAL_BACKUP_ALLOW_PRODUCTION_RESTORE=true`. File restores into configured backup paths are refused unless `KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE=true`.

Secrets

kamal-backup redacts secrets in evidence and command failure output. It treats values from keys containing words such as password, secret, token, key, and credential as sensitive.

Do not put cloud credentials in clear Kamal environment. Use Kamal secrets for:

• RESTIC_PASSWORD;
• AWS_ACCESS_KEY_ID;
• AWS_SECRET_ACCESS_KEY;
• database passwords such as PGPASSWORD and MYSQL_PWD.

Subprocess execution

External tools are executed with argument arrays, not shell interpolation. The backup container does not need application source code.

Database backups

Database backups use logical dump tools:

• PostgreSQL: pg_dump --format=custom --no-owner --no-privileges
• MySQL/MariaDB: mariadb-dump or mysqldump with transaction-safe defaults
• SQLite: sqlite3 <db> ".backup ..."

Raw database data directories are not used as the primary database backup.

Restore gates

All restore commands require KAMAL_BACKUP_ALLOW_RESTORE=true.

Database restores use restore-specific targets:

• PostgreSQL/MySQL/MariaDB: RESTORE_DATABASE_URL
• SQLite: RESTORE_SQLITE_DATABASE_PATH

Production-looking targets are refused unless KAMAL_BACKUP_ALLOW_PRODUCTION_RESTORE=true.

File restores into configured backup paths are refused unless KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE=true.