How can I encrypt and decrypt files on my VPS?

What this is

Encrypting individual files and archives: a database dump before it leaves the server, a credentials file at rest, an archive only you should ever open. Two tools cover it: age, the modern one designed to be un-misusable, and GPG, the classic that's already installed everywhere. (Whole-disk encryption is a different topic with different trade-offs on a VPS; this page is about files.)

First, the honest threat model: file encryption protects data at rest and in transit (the copy in your off-site bucket, the archive on a stolen backup drive). It does not protect a file from someone who has root on the box while you decrypt and use it; keeping the server unowned remains job one.

age: the modern answer

age (apt install age) does one thing with no footguns:

Passphrase mode, one file, one secret:

age -p secrets.tar > secrets.tar.age        # prompts for a passphrase
age -d secrets.tar.age > secrets.tar        # prompts to decrypt

Keypair mode, encrypt to a recipient (yourself, elsewhere):

age-keygen -o key.txt                        # once; keep key.txt safe, off-box
age -r age1xyz... backup.tar > backup.tar.age    # encrypt to the public key
age -d -i key.txt backup.tar.age > backup.tar    # decrypt with the private key

The keypair pattern is the good one for backups: the public key lives on the VPS and encrypts nightly dumps; the private key lives only on your machine, so a fully compromised server still can't read its own backup archive.

GPG: the everywhere classic

Already on every distro, and the format the wider world speaks:

gpg -c backup.tar                    # symmetric: passphrase, makes backup.tar.gpg
gpg backup.tar.gpg                   # decrypt (prompts)

Public-key mode mirrors age's (generate a key with gpg --gen-key, encrypt with -e -r and the recipient's email address), but with more machinery (keyrings, trust) than a single-server workflow strictly needs, which is exactly why age exists. Use GPG when interoperability matters (the other side already uses it); use age when you're choosing fresh.

Where this fits your backups

If you followed the backup guide, note that restic already encrypts everything it stores: that's built in, no extra layer needed. Manual patterns (a dump uploaded with rclone, an archive parked in object storage) are where age -r before upload earns its place:

mysqldump --single-transaction mydb | gzip | age -r age1xyz... > mydb-$(date +%F).sql.gz.age
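
The one-liner above with its failure mode handled, as an added example that is not part of the original page: a pipeline reports only age's exit status, so a failed mysqldump still leaves a well-formed but empty .age file under the final name. The function name encrypt_dump and the AGE_BIN override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# AGE_BIN is a hypothetical override for the encryptor; it defaults to age.
AGE_BIN="${AGE_BIN:-age}"

# encrypt_dump RECIPIENT OUTFILE CMD [ARGS...]
# Runs CMD, gzips and encrypts its stdout to RECIPIENT, and creates OUTFILE
# only if every stage succeeded. Plaintext never touches the disk.
encrypt_dump() (
    recipient=$1; out=$2; shift 2

    # mktemp creates the file with mode 0600, next to the final name so the
    # later mv is a same-filesystem rename.
    tmp=$(mktemp "$out.partial.XXXXXX") || exit 1
    flag="$tmp.failed"
    fail() { echo "encrypt_dump: $1" >&2; rm -f "$tmp" "$flag"; exit 1; }

    # Plain sh has no pipefail, so the dump and gzip stages record their own
    # failure in a flag file; the pipeline status itself is the encryptor's.
    { "$@" || : > "$flag"; } \
        | { gzip || : > "$flag"; } \
        | "$AGE_BIN" -r "$recipient" > "$tmp" \
        || fail "encryption failed"
    [ ! -e "$flag" ] || fail "dump or compression failed, nothing written"

    # A binary (non-armored) age file begins with this version line.
    head -n 1 "$tmp" | grep -qxF 'age-encryption.org/v1' \
        || fail "output does not look like an age file"

    mv "$tmp" "$out"
)

# Usage, with the page's placeholder recipient:
# encrypt_dump age1xyz... "mydb-$(date +%F).sql.gz.age" \
#     mysqldump --single-transaction mydb
```

Only a completed, verified archive ever appears under the final name, so an upload job that picks up *.age files cannot ship a truncated or empty backup.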

The warning with no fine print

A lost passphrase or private key is the data, gone. There is no reset flow, no support ticket (ours included) that recovers properly encrypted data. Store the passphrase in a password manager and keep a copy of the key file somewhere that isn't the VPS, before the first real file is encrypted, not after.

Still need help?

You can open a support ticket. So we can help on the first reply, it's worth mentioning:

  • the VPS hostname or IP,
  • the tool (age or GPG), the exact command, and the error. (Never include the passphrase itself.)
Last reviewed: 2026-07-02