PRD-14: Disaster Recovery Plan #10

@PancheI

Description

Implement automated hourly encrypted backups of Vault and PostgreSQL to S3-compatible storage with scripted restore and defined RTO/RPO targets.

Acceptance Criteria

  • scripts/backup.sh creates encrypted backups of Vault and PostgreSQL
  • scripts/restore.sh restores from encrypted backups
  • Backups are encrypted with AES-256-CBC before upload
  • Backup container runs hourly via cron in Docker Compose
  • Retention cleanup removes backups older than 7 days (configurable)
  • Vault loss recoverable within 30 minutes
  • PostgreSQL loss recoverable within 20 minutes
  • restore.sh list shows available backups
  • restore.sh latest restores from the most recent backup
  • Restore script prompts for confirmation before overwriting data
  • All backup/restore env vars documented
  • RPO of 1 hour achieved (hourly cron)
  • RTO of 30 minutes achievable (verified via restore test)

Tasks

  • Create scripts/backup.sh with Vault + PostgreSQL backup logic
  • Create scripts/restore.sh with restore + verification logic
  • Add backup service to docker-compose.yml
  • Add backup-related env vars to .env.example
  • Test: manual backup, S3 upload, Vault restore, DB restore
  • Test: cron execution, retention cleanup
  • Document recovery procedures
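
AES-256-CBC, as named in the acceptance criteria, gives confidentiality but no integrity check, so a restore cannot by itself tell a modified backup from a good one. The following is an added example, not the project's scripts/backup.sh or restore.sh, showing encrypt-then-MAC with verification before decryption; the function names and the BACKUP_ENC_KEY_FILE / BACKUP_MAC_KEY_FILE variables are assumptions.

```shell
#!/bin/sh
# Added example; not the project's scripts/backup.sh or restore.sh.
# Hypothetical names: BACKUP_ENC_KEY_FILE and BACKUP_MAC_KEY_FILE point to files
# that each hold one independent secret on a single line.

# mac_of <file>: hex HMAC-SHA256 of the file.
# Note: -hmac passes the key in argv, which is visible in the process list.
mac_of() {
    openssl dgst -sha256 -hmac "$(cat "$BACKUP_MAC_KEY_FILE")" -r "$1" | cut -d' ' -f1
}

# encrypt_backup <plain> <out.enc>: AES-256-CBC with a PBKDF2-derived key,
# then a MAC over the ciphertext, because CBC alone does not detect tampering.
encrypt_backup() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$BACKUP_ENC_KEY_FILE" -in "$1" -out "$2" || return 1
    mac_of "$2" > "$2.hmac"
}

# decrypt_backup <in.enc> <out>: verify the MAC first; decrypt only on a match.
decrypt_backup() {
    [ -f "$1.hmac" ] || { echo "no HMAC for $1" >&2; return 2; }
    [ "$(mac_of "$1")" = "$(cat "$1.hmac")" ] || { echo "HMAC mismatch: $1" >&2; return 3; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$BACKUP_ENC_KEY_FILE" -in "$1" -out "$2"
}

# restore_drill: constructed sample data. Round-trips one dump, then appends a
# byte to the ciphertext and expects decrypt_backup to refuse it (status 3).
restore_drill() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    printf 'enc-secret-constructed\n' > "$d/enc.key"
    printf 'mac-secret-constructed\n' > "$d/mac.key"
    BACKUP_ENC_KEY_FILE="$d/enc.key"; BACKUP_MAC_KEY_FILE="$d/mac.key"
    printf 'CREATE TABLE t(id int);\n' > "$d/db.sql"
    encrypt_backup "$d/db.sql" "$d/db.sql.enc" || exit 10
    decrypt_backup "$d/db.sql.enc" "$d/out.sql" || exit 11
    cmp -s "$d/db.sql" "$d/out.sql" || exit 12
    printf 'X' >> "$d/db.sql.enc"
    rc=0
    decrypt_backup "$d/db.sql.enc" "$d/bad.sql" 2>/dev/null || rc=$?
    [ "$rc" -eq 3 ] || exit 13
)
```

Requires OpenSSL 1.1.1 or later for `-pbkdf2`. Calling `restore_drill` returns 0 only when the round trip matches and the modified ciphertext is rejected.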

Labels: P0 (Production blocker priority), phase-1 (Production blockers), prd (Product requirement document), security (Security hardening)
