## Current State - FHE keys (SecKey, EncKey, EvalKey, MetadataKey) in the Vault container exist only in a Docker named volume (`vault-keys`) - `docker-compose.yml` mounts `./backups:/secure/backups:rw`, but no backup logic is implemented (directory is empty) - `vault_core.py`'s `ensure_vault()` handles key generation but never copies generated keys to the host ## Risk - Running `docker compose down -v` or `docker volume rm` permanently destroys all keys including SecKey - Loss of SecKey makes all previously encrypted data unrecoverable ## Proposal - [ ] Add automatic key backup to `/secure/backups/` on container startup (via entrypoint or dedicated script) - [ ] Implement periodic backup to host `./backups/` directory (cron or healthcheck integration) - [ ] Encrypt backup files and restrict permissions (600)
Current State
vault-keys)docker-compose.ymlmounts./backups:/secure/backups:rw, but no backup logic is implemented (directory is empty)vault_core.py'sensure_vault()handles key generation but never copies generated keys to the hostRisk
docker compose down -vordocker volume rmpermanently destroys all keys including SecKeyProposal
/secure/backups/on container startup (via entrypoint or dedicated script)./backups/directory (cron or healthcheck integration)