Secure Backups and Archives

Overview

This guide shows how to secure backups, database exports, and archive files by encrypting them into immutable containers with cryptographically enforced access control.

Backups often contain highly sensitive data, including databases, documents, media files, application data, and system archives. Locktera protects these files by encrypting them into immutable containers at creation time. Access is enforced cryptographically and remains independent of storage location.

Encrypted containers remain secure wherever they are stored, including cloud storage, backup infrastructure, and archive systems.

Containers remain immediately accessible for authorized users and systems without requiring rehydration, restoration, or reconstruction.

Backup files are encrypted client-side before being stored or transferred, ensuring plaintext data is never exposed to storage systems or infrastructure. This ensures backup security does not depend on the security of storage systems, cloud providers, or infrastructure.

What You Will Build

In this guide, you will:

  1. Prepare backup, archive, or database export files

  2. Encrypt the backup files into an immutable, encrypted container

  3. Store the encrypted container securely in your backup infrastructure

  4. Retrieve and decrypt the container using cryptographically enforced access control

  5. Verify backup access history using immutable audit records

Key Concepts

Secure Backup Containers

Backup files are protected by adding them to an encrypted container. The container becomes an immutable cryptographic object that enforces access control and audit logging.

Backup containers:

  • Encrypt backup files at container creation

  • Prevent unauthorized decryption

  • Remain secure regardless of storage location

  • Generate audit records for access attempts

  • Do not require rehydration before access

Container contents cannot be modified after creation.

Supported Backup File Types

Locktera protects all backup and archive file types, including:

  • Database exports (.sql, .dump, .bak)

  • Archive files (.zip, .tar, .tar.gz)

  • File system backups

  • Documents and content files

  • Images and media files

  • Video and audio archives

  • Application and infrastructure backups

Multiple files may be included in a single container.

Storage Independence

Encrypted containers can be stored in any backup or archive infrastructure, including:

• Amazon S3
• Azure Blob Storage
• Google Cloud Storage
• Backup systems and appliances
• Archive storage systems
• On-premises storage
• Cold storage and offline storage
• Air-gapped environments

Storage providers cannot decrypt or modify container contents.

Immediate Access Without Rehydration

Locktera containers do not require rehydration or restoration before access.

Traditional backup systems require restoration or reconstruction before data can be accessed. Locktera containers remain encrypted and immediately accessible to authorized systems without restoration.

Authorized users and systems can decrypt containers directly without requiring backup restoration workflows.

This ensures:

  • Immediate access for authorized users

  • No temporary plaintext exposure during restore operations

  • Faster backup recovery and restoration

  • Reduced infrastructure and operational overhead

  • Consistent protection across all storage tiers

Cryptographic Access Control

Access to backup containers is enforced cryptographically.

Access may be:

  • Granted to authorized users or systems

  • Revoked at any time

  • Restricted using time-bound policies

Access enforcement is evaluated at the time of container decryption.

All access attempts are audit logged.

Architecture Flow

Backup System or Application

        │ Backup files generated

Encrypted Container (.tera)

        │ Stored in backup or archive storage

Backup Storage Infrastructure

Authorized User or System

        │ Decrypt container (if authorized)

Backup restored securely

Prerequisites

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Prepare Backup Files

Backup files may include any data type:

database_backup.sql
application_backup.tar.gz
documents_archive.zip
media_backup.tar
video_archive.tar

Step 2 — Encrypt Backup Files into a Container

Create an encrypted container containing the backup files.

Request

manifest.json

{
  "container": {
    "downloadable": true,
    "drm": {
      "dynamic": true
    }
  }
}

curl -X POST $BASE_URL/users/YOUR_USER_ID/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "manifest.json=@manifest.json;type=application/json" \
  -F "name=Production Backup Container" \
  -F "file=@database_backup.sql" \
  -F "file=@application_backup.tar.gz" \
  -F "file=@media_backup.tar"

Response

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "name": "Production Backup Container",
    "downloadable": true,
    "drm": {
      "dynamic": true
    },
    "files": [
      { "name": "database_backup.sql" },
      { "name": "application_backup.tar.gz" },
      { "name": "media_backup.tar" }
    ],
    "created_at": "2026-02-21T18:35:17Z"
  }
}

The backup container is now:

  • Encrypted

  • Immutable

  • Protected by cryptographic access control

Step 3 — Store the Encrypted Container

Store the encrypted container in your backup or archive storage.

Example storage locations:

  • Cloud storage platforms

  • Backup appliances

  • Archive systems

  • Cold storage

The container remains encrypted and protected.

Step 4 — Retrieve and Decrypt Backup Container

Authorized users or systems may decrypt the container.

Request

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/decode \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "files": [
      { "name": "database_backup.sql" },
      { "name": "application_backup.tar.gz" },
      { "name": "media_backup.tar" }
    ]
  }
}

Backup files can now be restored securely.

Step 5 — Audit Backup Access

Retrieve audit records for the backup container.

Request

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit records provide visibility into backup access activity.

Security Properties

This workflow ensures:

  • Backup files are encrypted before storage

  • Container authenticity and integrity are cryptographically verified before decryption

  • Containers remain immutable and tamper-resistant

  • Access is enforced cryptographically

  • Unauthorized users and compromised infrastructure cannot decrypt backup data

  • Containers do not require rehydration before access

  • Protection persists regardless of storage location

  • All access attempts are audit logged

  • Backup storage providers, cloud platforms, and infrastructure cannot access plaintext data

Compliance and Enterprise Benefits

Supports enterprise security and regulatory requirements, including:

  • HIPAA

  • CJIS

  • SOC 2

  • GDPR

  • Enterprise backup security policies

Enables secure backup storage, controlled recovery, and verifiable access history.

Common Use Cases

This workflow is commonly used for:

  • Database backup protection

  • File system backup security

  • Archive and cold storage protection

  • Media and content archive security

  • Application backup protection

  • Long-term secure data retention

Summary

Locktera protects backups, database exports, media files, and archive data by encrypting them into immutable containers with cryptographically enforced access control. Containers remain secure, immediately accessible for authorized users, and do not require rehydration or restoration. This ensures backup data remains protected and operationally accessible throughout its lifecycle.