Security

Security you can verify

Dockstash is built to hold your most sensitive credentials safely. Secrets are encrypted at rest with AES-256-GCM, the SSH backup channel pins the storage host key, and every Restic repository is encrypted with your own key. Destructive restores require a typed confirmation, and restore drills prove your data recovers.

How your data stays safe

AES-256-GCM secrets at rest

Your Restic password and SSH keys are never stored in plaintext. They are encrypted at rest with an AES-256-GCM master key, with recovery-code escrow for key rotation.

SSH host-key pinning

The backup channel to your storage VPS pins the host key, so a man-in-the-middle cannot silently intercept or redirect your encrypted snapshots.

Encrypted Restic repositories

Every repository is a standard Restic repo encrypted with your key. Data is encrypted and deduplicated before it ever leaves your production VPS.

Typed-confirm destructive restore

A restore that overwrites live data requires you to type the project name to confirm. The default is restore-to-new-location, with database staging before any overwrite.

Restore-drill verification

Dockstash restores the latest snapshot to a scratch location and diffs it against the source on a schedule, so you find out a backup is broken before you need it.
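A drill of this kind comes down to a tree comparison. The following is an added example, not Dockstash's own code: it hashes every regular file under a source directory and under a scratch restore, then reports missing, unexpected and changed paths. The function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def tree_digest(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # assumption: only regular files are compared
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def drill_diff(source_root, restored_root):
    """Compare a scratch restore against its source tree."""
    src, dst = tree_digest(source_root), tree_digest(restored_root)
    return {
        "missing": sorted(set(src) - set(dst)),      # in source, not restored
        "unexpected": sorted(set(dst) - set(src)),   # restored, not in source
        "changed": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
    }


def drill_passed(report):
    """A drill passes only when all three lists are empty."""
    return not any(report.values())


def demo():
    """Constructed sample: a source tree and a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for root in (src, dst):
            os.makedirs(os.path.join(root, "db"))
            with open(os.path.join(root, "db", "dump.sql"), "w") as fh:
                fh.write("CREATE TABLE t (id int);\n")
            with open(os.path.join(root, "app.env"), "w") as fh:
                fh.write("KEY=value\n")
        os.remove(os.path.join(dst, "app.env"))            # file lost in restore
        with open(os.path.join(dst, "db", "dump.sql"), "a") as fh:
            fh.write("-- truncated")                        # content differs
        return drill_diff(src, dst)


if __name__ == "__main__":
    print(demo())
```

When the source is a live system, files modified after the snapshot was taken also show up as changed, so a drill result needs to be read against the snapshot time.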

Your storage, no lock-in

Backups live on your own storage VPS as standard Restic repos. If you ever leave, restore with the restic CLI alone — Dockstash adds no proprietary layer.

Frequently asked questions

Where are my SSH key and Restic password stored?

Encrypted at rest with AES-256-GCM using a master key, never in plaintext. On the self-hosted tier they live on your own server. Recovery-code escrow lets you rotate the master key without losing access.

Does Dockstash ever hold my backup data?

No. On the Free/self-host tier the entire pipeline runs on your infrastructure and backups land on your storage VPS. Dockstash orchestrates the backup; it never stores your data on our servers.

How does Dockstash prevent an accidental destructive restore?

Restores default to a new location, databases are staged before any overwrite, and a restore that would overwrite live data requires you to type the project name to confirm. There is no one-click way to clobber production.

What happens to my encrypted backups if Dockstash disappears?

They stay on your storage VPS as standard, encrypted Restic repositories. Point the restic CLI at the repo with your key and restore with no vendor involved. There is zero lock-in.