Configuration reference on age encryption is lacking

offen · Feb 4, 2025 · 40b12b9 · 40b12b9
1 parent e628f09
commit 40b12b9
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/docs/how-tos/encrypt-backups.md b/docs/how-tos/encrypt-backups.md
@@ -21,6 +21,10 @@ gpg -o backup.tar.gz -d backup.tar.gz.gpg
 
 ## Using age encryption
 
+{: .note }
+Even though the `age` CLI tools supports encryption using SSH keys, this is not supported by this tool.
+`AGE_PUBLIC_KEYS` currently expects `age` keys to be given.
+
 age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.
 
 Given `AGE_PASSPHRASE` being provided, the backup archive will be encrypted with the passphrase and saved as a `.age` file instead. Refer to age documentation for how to properly decrypt.

diff --git a/docs/reference/index.md b/docs/reference/index.md
@@ -337,6 +337,9 @@ You can populate below template according to your requirements and use it as you
 
 ########### BACKUP ENCRYPTION
 
+# All of the encryption options are mutually exclusive. Provide a single option
+# for the encryption scheme of your choice.
+
 # Backups can be encrypted symmetrically using gpg in case a passphrase is given.
 
 # GPG_PASSPHRASE="<xxx>"
@@ -350,6 +353,16 @@ You can populate below template according to your requirements and use it as you
 #...
 #-----END PGP PUBLIC KEY BLOCK-----
 
+# Backups can be encrypted symmetrically using age in case a passphrase is given.
+
+# AGE_PASSPHRASE="<xxx>"
+
+# Backups can be encrypted asymmetrically using age in case publickeys are given.
+# Multiple keys need to be provided as a comma separated list. Right now, this only
+# support passing age keys, with no support for ssh keys.
+
+# AGE_PUBLIC_KEYS="<xxx>"
+
 ########### STOPPING CONTAINERS AND SERVICES DURING BACKUP
 
 # Containers or services can be stopped by applying a