Teil 3: Backup, Updates und Restore

In addition to the snapshot of the Jails dataset, a complete backup can also be created as a TAR archive. In the first part of the article series, we set up that everything needed for the installation is collected in a directory /usr/local/www/vaultwarden/data. The TAR archive therefore contains

  • the configuration files,
  • certificates
  • the SQLite database and the
  • data of the sends and attachments.

This is ideal for external backup (preferably encrypted). Now we have to decide where the archive should be saved. In this example, we use the directory /mnt/backup, which can be mounted from outside the jail. This means that the backups are immediately stored independently and can then be backed up and processed separately using snapshots.

Last update:

  • 01.01.2024: Customize ports and details
  • 20.08.2023: Automation for HAProxy extended
  • 19.11.2022: Diagram and minor adjustments added.
  • 30.10.2022: Initial document.



A manual backup is carried out with a command, especially before an update:

tar -cpzf /mnt/backup/`date +%Y%m%d`.tar.gz /usr/local/www/vaultwarden/data


Regular backups are the be-all and end-all of a strategy, especially when it comes to such important data.

Cron in Jail

A cron job can be defined directly in the jail in the file /etc/crontab, e.g. for every day at 22:00. This should also directly contain a job that deletes old backup files (e.g. after 30 days):

0       22       *       *       *      root    tar -cpzf /mnt/backup/`date +%Y%m%d`.tar.gz /usr/local/www/vaultwarden/data
5       22       *       *       *      root    find /mnt/backup/ -type f -mtime +30d -delete

Cron im TrueNAS

Alternatively, a cron job for the jail can also be set up directly via the TrueNAS web interface under "Tasks / Cron Jobs" with iocage exec JAILNAME, e.g. for every day at 22:00 with cleanup 5 minutes later. The cleanup should also take place in the jail itself so that it is only executed when the jail is actually running. Otherwise the backups will run empty.

iocage exec vault "tar -cpzf /mnt/backup/`date +%Y%m%d`.tar.gz /usr/local/www/vaultwarden/data"
iocage exec vault "find /mnt/backup/ -type f -mtime +30d -delete"


Jail update

So, after all the work with the backups, here comes the update. This is comparatively harmless:

service vaultwarden stop
pkg upgrade
service vaultwarden start


Every backup is only as good as a restore that has been performed and provides a working system again. This is the quick process:

  • Create a new jail
  • Adapt package sources to the latest.
  • If necessary, include the mountings (/mnt/backup and /usr/local/www/vaultwarden/data)
  • Unpack TAR archive (cd / and tar -xf 20240101.tar.gz)
  • Set symbolic link (ln -sf /usr/local/www/vaultwarden/data/rc.conf.d /usr/local/etc/rc.conf.d)
  • Install packages (pkg install vaultwarden)
  • Start the service (service vaultwarden enable and service vaultwarden start)
  • Do not forget the cron jobs
  • Voilá