Usage
What it does
Displays the AES-256 encryption key that Capsule uses to encrypt your backups before they leave your server. The key is a 64-character lowercase hex string representing 32 bytes.
Your encryption key (keep this safe — losing it makes your backups unrecoverable):
a3f8c2d1e4b5a6f7d8e9c0b1a2f3e4d5b6c7a8f9e0d1c2b3a4f5e6d7c8b9a0f1
To restore this key on another server, run: capsule auth --restore
When to run this
Run capsule key show before any of the following:
- Migrating to a new server
- Decommissioning a server
- Rebuilding a server from scratch
If you wait until after the server is gone, the key is gone with it and your backups become permanently unrecoverable.
How to store your key
Save the 64-character hex string in one of the following:
- A password manager (1Password, Bitwarden, etc.) — recommended
- An encrypted notes app
- Your team’s secrets vault
Do not store it in a plaintext file on the same server — if the server is compromised or destroyed, the key goes with it.
This key is the only thing standing between your backups and permanent data loss. Capsule does not hold a copy. If you lose it, your existing backups cannot be decrypted by anyone.
Restoring your key on a new server
Once you have the key saved, use it on the replacement server:
See capsule auth for the full restore flow.