Environment Variables
Complete reference for all environment variables in DBackup.
→ Installation Guide for Docker setup and quick start.
Required Variables
| Variable | Description | Example |
|---|---|---|
ENCRYPTION_KEY | 32-byte hex key for encrypting sensitive data (passwords, API keys) | openssl rand -hex 32 |
BETTER_AUTH_SECRET | Session encryption secret for authentication | openssl rand -base64 32 |
BETTER_AUTH_URL | Primary URL where users access DBackup (for auth redirects) | https://backup.example.com |
Optional Variables
| Variable | Description | Default |
|---|---|---|
TRUSTED_ORIGINS | Additional URLs for accessing DBackup (comma-separated) | - |
DATABASE_URL | SQLite database file path | file:/data/db/dbackup.db |
PORT | Internal port the server listens on | 3000 |
TZ | Server timezone (for logs and cron scheduling) | UTC |
TMPDIR | Temporary directory for backup processing | /tmp |
LOG_LEVEL | Logging verbosity level | info |
DISABLE_HTTPS | Set to true to use plain HTTP instead of HTTPS | false |
CERTS_DIR | Directory for TLS certificate and key files | /data/certs |
DATA_DIR | Base directory for all persistent data | /data |
PUID | User ID the container runs as (for volume permissions) | 1001 |
PGID | Group ID the container runs as (for volume permissions) | 1001 |
Notes
- BETTER_AUTH_URL is the primary URL used for authentication redirects (e.g., after login)
- TRUSTED_ORIGINS allows access from multiple URLs. Useful when DBackup is accessible via both IP and domain:bash
TRUSTED_ORIGINS="https://192.168.1.10:3000,http://localhost:3000" - PORT changes the internal port. When using custom ports, set both
PORTand update your port mapping accordingly - DATABASE_URL has a sensible default and typically doesn't need to be set
- TMPDIR is useful for mounting larger storage for temporary backup files (e.g., NFS)
- TZ only affects server-side logs. User-facing dates use the timezone from user profile settings
- PUID/PGID control which UID/GID the application process runs as. Set these to match your host user (e.g.,
PUID=1000 PGID=1000) to avoid volume permission issues. The entrypoint adjusts the internal user at startup - LOG_LEVEL controls logging verbosity:
debug- All logs including detailed debugging informationinfo- Normal operation logs (default, recommended for production)warn- Only warnings and errorserror- Only errors
Generating Secrets
Encryption Key
bash
openssl rand -hex 32WARNING
Store this key securely. Losing it means losing access to all encrypted data (database passwords, API keys stored in DBackup).
Auth Secret
bash
openssl rand -base64 32Startup Validation
DBackup validates all environment variables at startup using Zod schemas (src/lib/env-validation.ts).
- Required variables (
ENCRYPTION_KEY,BETTER_AUTH_SECRET): Missing or invalid values produce a clear error box in the logs and abort startup. - Optional variables: Invalid values (e.g., non-URL in
BETTER_AUTH_URL, non-numericPORT) are logged as warnings but don't prevent startup. - Defaults: Optional variables have sensible defaults applied automatically if not set.
Security Best Practices
- Never commit secrets - Use
.envfiles excluded from git - Rotate secrets periodically - Especially in production
- Use strong random values - Always use
openssl rand - Restrict file permissions -
.envshould bechmod 600 - Backup your ENCRYPTION_KEY - Without it, encrypted data cannot be recovered