FEATURE (encryption): Add backups encryption

.github/workflows/ci-release.yml

@@ -137,6 +137,8 @@ jobs:
           # testing S3
           TEST_MINIO_PORT=9000
           TEST_MINIO_CONSOLE_PORT=9001
+          # testing Azure Blob
+          TEST_AZURITE_BLOB_PORT=10000
           # testing NAS
           TEST_NAS_PORT=7006
           # testing Telegram
@@ -165,6 +167,9 @@ jobs:
           # Wait for MinIO
           timeout 60 bash -c 'until nc -z localhost 9000; do sleep 2; done'
 
+          # Wait for Azurite
+          timeout 60 bash -c 'until nc -z localhost 10000; do sleep 2; done'
+
       - name: Create data and temp directories
         run: |
           # Create directories that are used for backups and restore

README.md

@@ -40,13 +40,13 @@
 - **Precise timing**: run backups at specific times (e.g., 4 AM during low traffic)
 - **Smart compression**: 4-8x space savings with balanced compression (~20% overhead)
 
-### 🗄️ **Multiple Storage Destinations** <a href="https://postgresus.com/storages">(docs)</a>
+### 🗄️ **Multiple Storage Destinations** <a href="https://postgresus.com/storages">(view supported)</a>
 
 - **Local storage**: Keep backups on your VPS/server
 - **Cloud storage**: S3, Cloudflare R2, Google Drive, NAS, Dropbox and more
 - **Secure**: All data stays under your control
 
-### 📱 **Smart Notifications** <a href="https://postgresus.com/notifiers">(docs)</a>
+### 📱 **Smart Notifications** <a href="https://postgresus.com/notifiers">(view supported)</a>
 
 - **Multiple channels**: Email, Telegram, Slack, Discord, webhooks
 - **Real-time updates**: Success and failure notifications
@@ -58,6 +58,13 @@
 - **SSL support**: Secure connections available
 - **Easy restoration**: One-click restore from any backup
 
+### 🔒 **Backup Encryption** <a href="https://postgresus.com/encryption">(docs)</a>
+
+- **AES-256-GCM encryption**: Enterprise-grade protection for backup files
+- **Zero-trust storage**: Encrypted backups are useless so you can keep in shared storages like S3, Azure Blob Storage, etc.
+- **Optionality**: Encrypted backups are optional and can be enabled or disabled if you wish
+- **Download unencrypted**: You can still download unencrypted backups via the 'Download' button to use them in `pg_restore` or other tools.
+
 ### 👥 **Suitable for Teams** <a href="https://postgresus.com/access-management">(docs)</a>
 
 - **Workspaces**: Group databases, notifiers and storages for different projects or teams

backend/.env.development.example

@@ -31,4 +31,6 @@ TEST_MINIO_CONSOLE_PORT=9001
 TEST_NAS_PORT=7006
 # testing Telegram
 TEST_TELEGRAM_BOT_TOKEN=
-TEST_TELEGRAM_CHAT_ID=
+TEST_TELEGRAM_CHAT_ID=
+# testing Azure Blob Storage
+TEST_AZURITE_BLOB_PORT=10000

backend/docker-compose.yml.example

@@ -31,6 +31,14 @@ services:
     container_name: test-minio
     command: server /data --console-address ":9001"
 
+  # Test Azurite container
+  test-azurite:
+    image: mcr.microsoft.com/azure-storage/azurite
+    ports:
+      - "${TEST_AZURITE_BLOB_PORT:-10000}:10000"
+    container_name: test-azurite
+    command: azurite-blob --blobHost 0.0.0.0
+
   # Test PostgreSQL containers
   test-postgres-12:
     image: postgres:12

backend/go.mod

@@ -3,6 +3,8 @@ module postgresus-backend
 go 1.23.3
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
 	github.com/gin-contrib/cors v1.7.5
 	github.com/gin-contrib/gzip v1.2.3
 	github.com/gin-gonic/gin v1.10.0
@@ -15,16 +17,18 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/minio/minio-go/v7 v7.0.92
 	github.com/shirou/gopsutil/v4 v4.25.5
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
-	golang.org/x/crypto v0.39.0
+	golang.org/x/crypto v0.41.0
 	golang.org/x/time v0.12.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.26.1
 )
 
+require github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+
 require (
 	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
@@ -99,12 +103,12 @@ require (
 	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	golang.org/x/arch v0.17.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	google.golang.org/api v0.239.0
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

backend/go.sum

@@ -6,6 +6,18 @@ cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeO
 cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 h1:ZJJNFaQ86GVKQ9ehwqyAFE6pIfyicpuJ8IkVaPBc6/4=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3/go.mod h1:URuDvhmATVKqHBH9/0nOiNKk0+YcwfQ3WkK5PqHKxc8=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
@@ -80,6 +92,8 @@ github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -131,6 +145,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
@@ -159,6 +175,8 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
 github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
@@ -180,8 +198,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/swaggo/files v1.0.1 h1:J1bVJ4XHZNq0I46UU90611i9/YzdrF7x92oX1ig5IdE=
 github.com/swaggo/files v1.0.1/go.mod h1:0qXmMNH6sXNf+73t65aKeB+ApmgxdnkQzVTAj2uaMUg=
 github.com/swaggo/gin-swagger v1.6.0 h1:y8sxvQ3E20/RCyrXeFfg60r6H0Z+SwpTjMYsMm+zy8M=
@@ -216,25 +234,25 @@ golang.org/x/arch v0.17.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -247,8 +265,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -257,15 +275,15 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.239.0 h1:2hZKUnFZEy81eugPs4e2XzIJ5SOwQg0G82bpXD65Puo=
 google.golang.org/api v0.239.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=

backend/internal/config/config.go

@@ -44,6 +44,8 @@ type EnvVariables struct {
 	TestMinioPort        string `env:"TEST_MINIO_PORT"`
 	TestMinioConsolePort string `env:"TEST_MINIO_CONSOLE_PORT"`
 
+	TestAzuriteBlobPort string `env:"TEST_AZURITE_BLOB_PORT"`
+
 	TestNASPort string `env:"TEST_NAS_PORT"`
 
 	// oauth
@@ -184,6 +186,11 @@ func loadEnvVariables() {
 			os.Exit(1)
 		}
 
+		if env.TestAzuriteBlobPort == "" {
+			log.Error("TEST_AZURITE_BLOB_PORT is empty")
+			os.Exit(1)
+		}
+
 		if env.TestNASPort == "" {
 			log.Error("TEST_NAS_PORT is empty")
 			os.Exit(1)

backend/internal/features/backups/backups/controller_test.go

@@ -524,7 +524,7 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Register a cancellable context for the backup
-	GetBackupService().backupContextMgr.RegisterBackup(backup.ID, func() {})
+	GetBackupService().backupContextManager.RegisterBackup(backup.ID, func() {})
 
 	resp := test_utils.MakePostRequest(
 		t,

backend/internal/features/backups/backups/di.go

@@ -7,6 +7,7 @@ import (
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	"postgresus-backend/internal/util/logger"
 	"time"
@@ -23,6 +24,7 @@ var backupService = &BackupService{
 	notifiers.GetNotifierService(),
 	notifiers.GetNotifierService(),
 	backups_config.GetBackupConfigService(),
+	users_repositories.GetSecretKeyRepository(),
 	usecases.GetCreateBackupUsecase(),
 	logger.GetLogger(),
 	[]BackupRemoveListener{},

backend/internal/features/backups/backups/dto.go

@@ -1,5 +1,10 @@
 package backups
 
+import (
+	"io"
+	"postgresus-backend/internal/features/backups/backups/encryption"
+)
+
 type GetBackupsRequest struct {
 	DatabaseID string `form:"database_id" binding:"required"`
 	Limit      int    `form:"limit"`
@@ -12,3 +17,12 @@ type GetBackupsResponse struct {
 	Limit   int       `json:"limit"`
 	Offset  int       `json:"offset"`
 }
+
+type decryptionReaderCloser struct {
+	*encryption.DecryptionReader
+	baseReader io.ReadCloser
+}
+
+func (r *decryptionReaderCloser) Close() error {
+	return r.baseReader.Close()
+}

backend/internal/features/backups/backups/encryption/decrypting_reader.go

@@ -0,0 +1,156 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+type DecryptionReader struct {
+	baseReader io.Reader
+	cipher     cipher.AEAD
+	buffer     []byte
+	nonce      []byte
+	chunkIndex uint64
+	headerRead bool
+	eof        bool
+}
+
+func NewDecryptionReader(
+	baseReader io.Reader,
+	masterKey string,
+	backupID uuid.UUID,
+	salt []byte,
+	nonce []byte,
+) (*DecryptionReader, error) {
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes, got %d", SaltLen, len(salt))
+	}
+	if len(nonce) != NonceLen {
+		return nil, fmt.Errorf("nonce must be %d bytes, got %d", NonceLen, len(nonce))
+	}
+
+	derivedKey, err := DeriveBackupKey(masterKey, backupID, salt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive backup key: %w", err)
+	}
+
+	block, err := aes.NewCipher(derivedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	reader := &DecryptionReader{
+		baseReader,
+		aesgcm,
+		make([]byte, 0),
+		nonce,
+		0,
+		false,
+		false,
+	}
+
+	if err := reader.readAndValidateHeader(salt, nonce); err != nil {
+		return nil, err
+	}
+
+	return reader, nil
+}
+
+func (r *DecryptionReader) Read(p []byte) (n int, err error) {
+	for len(r.buffer) < len(p) && !r.eof {
+		if err := r.readAndDecryptChunk(); err != nil {
+			if err == io.EOF {
+				r.eof = true
+				break
+			}
+			return 0, err
+		}
+	}
+
+	if len(r.buffer) == 0 {
+		return 0, io.EOF
+	}
+
+	n = copy(p, r.buffer)
+	r.buffer = r.buffer[n:]
+
+	return n, nil
+}
+
+func (r *DecryptionReader) readAndValidateHeader(expectedSalt, expectedNonce []byte) error {
+	header := make([]byte, HeaderLen)
+
+	if _, err := io.ReadFull(r.baseReader, header); err != nil {
+		return fmt.Errorf("failed to read header: %w", err)
+	}
+
+	magic := string(header[0:MagicBytesLen])
+	if magic != MagicBytes {
+		return fmt.Errorf("invalid magic bytes: expected %s, got %s", MagicBytes, magic)
+	}
+
+	salt := header[MagicBytesLen : MagicBytesLen+SaltLen]
+	nonce := header[MagicBytesLen+SaltLen : MagicBytesLen+SaltLen+NonceLen]
+
+	if string(salt) != string(expectedSalt) {
+		return fmt.Errorf("salt mismatch in file header")
+	}
+
+	if string(nonce) != string(expectedNonce) {
+		return fmt.Errorf("nonce mismatch in file header")
+	}
+
+	r.headerRead = true
+	return nil
+}
+
+func (r *DecryptionReader) readAndDecryptChunk() error {
+	lengthBuf := make([]byte, 4)
+	if _, err := io.ReadFull(r.baseReader, lengthBuf); err != nil {
+		return err
+	}
+
+	chunkLen := binary.BigEndian.Uint32(lengthBuf)
+	if chunkLen == 0 || chunkLen > ChunkSize+16 {
+		return fmt.Errorf("invalid chunk length: %d", chunkLen)
+	}
+
+	encrypted := make([]byte, chunkLen)
+	if _, err := io.ReadFull(r.baseReader, encrypted); err != nil {
+		return fmt.Errorf("failed to read encrypted chunk: %w", err)
+	}
+
+	chunkNonce := r.generateChunkNonce()
+
+	decrypted, err := r.cipher.Open(nil, chunkNonce, encrypted, nil)
+	if err != nil {
+		return fmt.Errorf(
+			"failed to decrypt chunk (authentication failed - file may be corrupted or tampered): %w",
+			err,
+		)
+	}
+
+	r.buffer = append(r.buffer, decrypted...)
+	r.chunkIndex++
+
+	return nil
+}
+
+func (r *DecryptionReader) generateChunkNonce() []byte {
+	chunkNonce := make([]byte, NonceLen)
+	copy(chunkNonce, r.nonce)
+
+	binary.BigEndian.PutUint64(chunkNonce[4:], r.chunkIndex)
+
+	return chunkNonce
+}

backend/internal/features/backups/backups/encryption/encrypting_writer.go

@@ -0,0 +1,147 @@
+package encryption
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	"github.com/google/uuid"
+)
+
+type EncryptionWriter struct {
+	baseWriter    io.Writer
+	cipher        cipher.AEAD
+	buffer        []byte
+	nonce         []byte
+	salt          []byte
+	chunkIndex    uint64
+	headerWritten bool
+}
+
+func NewEncryptionWriter(
+	baseWriter io.Writer,
+	masterKey string,
+	backupID uuid.UUID,
+	salt []byte,
+	nonce []byte,
+) (*EncryptionWriter, error) {
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes, got %d", SaltLen, len(salt))
+	}
+	if len(nonce) != NonceLen {
+		return nil, fmt.Errorf("nonce must be %d bytes, got %d", NonceLen, len(nonce))
+	}
+
+	derivedKey, err := DeriveBackupKey(masterKey, backupID, salt)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive backup key: %w", err)
+	}
+
+	block, err := aes.NewCipher(derivedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	writer := &EncryptionWriter{
+		baseWriter:    baseWriter,
+		cipher:        aesgcm,
+		buffer:        make([]byte, 0, ChunkSize),
+		nonce:         nonce,
+		chunkIndex:    0,
+		headerWritten: false,
+		salt:          salt, // Store salt for lazy header writing
+	}
+
+	return writer, nil
+}
+
+func (w *EncryptionWriter) Write(p []byte) (n int, err error) {
+	// Write header on first write (lazy initialization)
+	if !w.headerWritten {
+		if err := w.writeHeader(w.salt, w.nonce); err != nil {
+			return 0, fmt.Errorf("failed to write header: %w", err)
+		}
+	}
+
+	n = len(p)
+	w.buffer = append(w.buffer, p...)
+
+	for len(w.buffer) >= ChunkSize {
+		chunk := w.buffer[:ChunkSize]
+		if err := w.encryptAndWriteChunk(chunk); err != nil {
+			return 0, err
+		}
+		w.buffer = w.buffer[ChunkSize:]
+	}
+
+	return n, nil
+}
+
+func (w *EncryptionWriter) Close() error {
+	// Write header if it hasn't been written yet (in case Close is called without any writes)
+	if !w.headerWritten {
+		if err := w.writeHeader(w.salt, w.nonce); err != nil {
+			return fmt.Errorf("failed to write header: %w", err)
+		}
+	}
+
+	if len(w.buffer) > 0 {
+		if err := w.encryptAndWriteChunk(w.buffer); err != nil {
+			return err
+		}
+		w.buffer = nil
+	}
+	return nil
+}
+
+func (w *EncryptionWriter) writeHeader(salt, nonce []byte) error {
+	header := make([]byte, HeaderLen)
+
+	copy(header[0:MagicBytesLen], []byte(MagicBytes))
+	copy(header[MagicBytesLen:MagicBytesLen+SaltLen], salt)
+	copy(header[MagicBytesLen+SaltLen:MagicBytesLen+SaltLen+NonceLen], nonce)
+
+	_, err := w.baseWriter.Write(header)
+	if err != nil {
+		return fmt.Errorf("failed to write header: %w", err)
+	}
+
+	w.headerWritten = true
+	return nil
+}
+
+func (w *EncryptionWriter) encryptAndWriteChunk(chunk []byte) error {
+	chunkNonce := w.generateChunkNonce()
+
+	encrypted := w.cipher.Seal(nil, chunkNonce, chunk, nil)
+
+	lengthBuf := make([]byte, 4)
+	binary.BigEndian.PutUint32(lengthBuf, uint32(len(encrypted)))
+
+	if _, err := w.baseWriter.Write(lengthBuf); err != nil {
+		return fmt.Errorf("failed to write chunk length: %w", err)
+	}
+
+	if _, err := w.baseWriter.Write(encrypted); err != nil {
+		return fmt.Errorf("failed to write encrypted chunk: %w", err)
+	}
+
+	w.chunkIndex++
+	return nil
+}
+
+func (w *EncryptionWriter) generateChunkNonce() []byte {
+	chunkNonce := make([]byte, NonceLen)
+	copy(chunkNonce, w.nonce)
+
+	binary.BigEndian.PutUint64(chunkNonce[4:], w.chunkIndex)
+
+	return chunkNonce
+}

backend/internal/features/backups/backups/encryption/encryption_test.go

@@ -0,0 +1,387 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_EncryptDecryptRoundTrip_ReturnsOriginalData(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte(
+		"This is a test backup data that should be encrypted and then decrypted successfully.",
+	)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	n, err := writer.Write(originalData)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted := make([]byte, len(originalData))
+	n, err = io.ReadFull(reader, decrypted)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_EncryptDecryptRoundTrip_LargeData_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := make([]byte, 100*1024)
+	_, err = rand.Read(originalData)
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	n, err := writer.Write(originalData)
+	require.NoError(t, err)
+	assert.Equal(t, len(originalData), n)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_EncryptionWriter_MultipleWrites_CombinesCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	part1 := []byte("First part of data. ")
+	part2 := []byte("Second part of data. ")
+	part3 := []byte("Third part of data.")
+	expectedData := append(append(part1, part2...), part3...)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(part1)
+	require.NoError(t, err)
+	_, err = writer.Write(part2)
+	require.NoError(t, err)
+	_, err = writer.Write(part3)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, expectedData, decrypted)
+}
+
+func Test_DecryptionReader_InvalidHeader_ReturnsError(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	invalidHeader := make([]byte, HeaderLen)
+	copy(invalidHeader, []byte("INVALID!"))
+
+	invalidData := bytes.NewBuffer(invalidHeader)
+
+	_, err = NewDecryptionReader(invalidData, masterKey, backupID, salt, nonce)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid magic bytes")
+}
+
+func Test_DecryptionReader_TamperedData_ReturnsError(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("This data will be tampered with.")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	encryptedBytes := encrypted.Bytes()
+	if len(encryptedBytes) > HeaderLen+10 {
+		encryptedBytes[HeaderLen+10] ^= 0xFF
+	}
+
+	tamperedBuffer := bytes.NewBuffer(encryptedBytes)
+
+	reader, err := NewDecryptionReader(tamperedBuffer, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = io.ReadAll(reader)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "authentication failed")
+}
+
+func Test_DeriveBackupKey_SameInputs_ReturnsSameKey(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+
+	key1, err := DeriveBackupKey(masterKey, backupID, salt)
+	require.NoError(t, err)
+
+	key2, err := DeriveBackupKey(masterKey, backupID, salt)
+	require.NoError(t, err)
+
+	assert.Equal(t, key1, key2)
+}
+
+func Test_DeriveBackupKey_DifferentInputs_ReturnsDifferentKeys(t *testing.T) {
+	masterKey1 := uuid.New().String() + uuid.New().String()
+	masterKey2 := uuid.New().String() + uuid.New().String()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	salt1, err := GenerateSalt()
+	require.NoError(t, err)
+	salt2, err := GenerateSalt()
+	require.NoError(t, err)
+
+	key1, err := DeriveBackupKey(masterKey1, backupID1, salt1)
+	require.NoError(t, err)
+
+	key2, err := DeriveBackupKey(masterKey2, backupID1, salt1)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key2)
+
+	key3, err := DeriveBackupKey(masterKey1, backupID2, salt1)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key3)
+
+	key4, err := DeriveBackupKey(masterKey1, backupID1, salt2)
+	require.NoError(t, err)
+	assert.NotEqual(t, key1, key4)
+}
+
+func Test_EncryptionWriter_PartialChunk_HandledCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	smallData := []byte("Small data less than chunk size")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(smallData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, smallData, decrypted)
+}
+
+func Test_GenerateSalt_ReturnsCorrectLength(t *testing.T) {
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	assert.Equal(t, SaltLen, len(salt))
+}
+
+func Test_GenerateSalt_GeneratesUniqueSalts(t *testing.T) {
+	salt1, err := GenerateSalt()
+	require.NoError(t, err)
+
+	salt2, err := GenerateSalt()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, salt1, salt2)
+}
+
+func Test_GenerateNonce_ReturnsCorrectLength(t *testing.T) {
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+	assert.Equal(t, NonceLen, len(nonce))
+}
+
+func Test_GenerateNonce_GeneratesUniqueNonces(t *testing.T) {
+	nonce1, err := GenerateNonce()
+	require.NoError(t, err)
+
+	nonce2, err := GenerateNonce()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, nonce1, nonce2)
+}
+
+func Test_DecryptionReader_WrongMasterKey_ReturnsError(t *testing.T) {
+	masterKey1 := uuid.New().String() + uuid.New().String()
+	masterKey2 := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("Secret data")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey1, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey2, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = io.ReadAll(reader)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "authentication failed")
+}
+
+func Test_EncryptionWriter_EmptyData_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, 0, len(decrypted))
+}
+
+func Test_EncryptionWriter_MultipleChunks_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	dataSize := ChunkSize*3 + 1000
+	originalData := make([]byte, dataSize)
+	_, err = rand.Read(originalData)
+	require.NoError(t, err)
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	decrypted, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	assert.Equal(t, originalData, decrypted)
+}
+
+func Test_DecryptionReader_SmallReads_WorksCorrectly(t *testing.T) {
+	masterKey := uuid.New().String() + uuid.New().String()
+	backupID := uuid.New()
+	salt, err := GenerateSalt()
+	require.NoError(t, err)
+	nonce, err := GenerateNonce()
+	require.NoError(t, err)
+
+	originalData := []byte("This is test data that will be read in small chunks.")
+
+	var encrypted bytes.Buffer
+	writer, err := NewEncryptionWriter(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	_, err = writer.Write(originalData)
+	require.NoError(t, err)
+
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := NewDecryptionReader(&encrypted, masterKey, backupID, salt, nonce)
+	require.NoError(t, err)
+
+	var decrypted []byte
+	buf := make([]byte, 5)
+	for {
+		n, err := reader.Read(buf)
+		if n > 0 {
+			decrypted = append(decrypted, buf[:n]...)
+		}
+		if err == io.EOF {
+			break
+		}
+		require.NoError(t, err)
+	}
+
+	assert.Equal(t, originalData, decrypted)
+}

backend/internal/features/backups/backups/encryption/utils.go

@@ -0,0 +1,52 @@
+package encryption
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/google/uuid"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	MagicBytes       = "PGRSUS01"
+	MagicBytesLen    = 8
+	SaltLen          = 32
+	NonceLen         = 12
+	ReservedLen      = 12
+	HeaderLen        = MagicBytesLen + SaltLen + NonceLen + ReservedLen
+	ChunkSize        = 32 * 1024
+	PBKDF2Iterations = 100000
+)
+
+func DeriveBackupKey(masterKey string, backupID uuid.UUID, salt []byte) ([]byte, error) {
+	if masterKey == "" {
+		return nil, fmt.Errorf("master key cannot be empty")
+	}
+	if len(salt) != SaltLen {
+		return nil, fmt.Errorf("salt must be %d bytes", SaltLen)
+	}
+
+	keyMaterial := []byte(masterKey + backupID.String())
+
+	derivedKey := pbkdf2.Key(keyMaterial, salt, PBKDF2Iterations, 32, sha256.New)
+
+	return derivedKey, nil
+}
+
+func GenerateSalt() ([]byte, error) {
+	salt := make([]byte, SaltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, fmt.Errorf("failed to generate salt: %w", err)
+	}
+	return salt, nil
+}
+
+func GenerateNonce() ([]byte, error) {
+	nonce := make([]byte, NonceLen)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+	return nonce, nil
+}

backend/internal/features/backups/backups/interfaces.go

@@ -3,6 +3,7 @@ package backups
 import (
 	"context"
 
+	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/notifiers"
@@ -29,7 +30,7 @@ type CreateBackupUsecase interface {
 		backupProgressListener func(
 			completedMBs float64,
 		),
-	) error
+	) (*usecases_postgresql.BackupMetadata, error)
 }
 
 type BackupRemoveListener interface {

backend/internal/features/backups/backups/model.go

@@ -1,6 +1,7 @@
 package backups
 
 import (
+	backups_config "postgresus-backend/internal/features/backups/config"
 	"time"
 
 	"github.com/google/uuid"
@@ -19,5 +20,9 @@ type Backup struct {
 
 	BackupDurationMs int64 `json:"backupDurationMs" gorm:"column:backup_duration_ms;default:0"`
 
+	EncryptionSalt *string                         `json:"-"          gorm:"column:encryption_salt"`
+	EncryptionIV   *string                         `json:"-"          gorm:"column:encryption_iv"`
+	Encryption     backups_config.BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
+
 	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at"`
 }

backend/internal/features/backups/backups/service.go

@@ -2,16 +2,19 @@ package backups
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	audit_logs "postgresus-backend/internal/features/audit_logs"
+	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_models "postgresus-backend/internal/features/users/models"
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	"slices"
 	"strings"
@@ -27,6 +30,7 @@ type BackupService struct {
 	notifierService     *notifiers.NotifierService
 	notificationSender  NotificationSender
 	backupConfigService *backups_config.BackupConfigService
+	secretKeyRepo       *users_repositories.SecretKeyRepository
 
 	createBackupUseCase CreateBackupUsecase
 
@@ -34,9 +38,9 @@ type BackupService struct {
 
 	backupRemoveListeners []BackupRemoveListener
 
-	workspaceService *workspaces_services.WorkspaceService
-	auditLogService  *audit_logs.AuditLogService
-	backupContextMgr *BackupContextManager
+	workspaceService     *workspaces_services.WorkspaceService
+	auditLogService      *audit_logs.AuditLogService
+	backupContextManager *BackupContextManager
 }
 
 func (s *BackupService) AddBackupRemoveListener(listener BackupRemoveListener) {
@@ -253,10 +257,10 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
-	s.backupContextMgr.RegisterBackup(backup.ID, cancel)
-	defer s.backupContextMgr.UnregisterBackup(backup.ID)
+	s.backupContextManager.RegisterBackup(backup.ID, cancel)
+	defer s.backupContextManager.UnregisterBackup(backup.ID)
 
-	err = s.createBackupUseCase.Execute(
+	backupMetadata, err := s.createBackupUseCase.Execute(
 		ctx,
 		backup.ID,
 		backupConfig,
@@ -326,6 +330,13 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 	backup.Status = BackupStatusCompleted
 	backup.BackupDurationMs = time.Since(start).Milliseconds()
 
+	// Update backup with encryption metadata if provided
+	if backupMetadata != nil {
+		backup.EncryptionSalt = backupMetadata.EncryptionSalt
+		backup.EncryptionIV = backupMetadata.EncryptionIV
+		backup.Encryption = backupMetadata.Encryption
+	}
+
 	if err := s.backupRepository.Save(backup); err != nil {
 		s.logger.Error("Failed to save backup", "error", err)
 		return
@@ -463,7 +474,7 @@ func (s *BackupService) CancelBackup(
 		return errors.New("backup is not in progress")
 	}
 
-	if err := s.backupContextMgr.CancelBackup(backupID); err != nil {
+	if err := s.backupContextManager.CancelBackup(backupID); err != nil {
 		return err
 	}
 
@@ -509,11 +520,6 @@ func (s *BackupService) GetBackupFile(
 		return nil, errors.New("insufficient permissions to download backup for this database")
 	}
 
-	storage, err := s.storageService.GetStorageByID(backup.StorageID)
-	if err != nil {
-		return nil, err
-	}
-
 	s.auditLogService.WriteAuditLog(
 		fmt.Sprintf(
 			"Backup file downloaded for database: %s (ID: %s)",
@@ -524,7 +530,7 @@ func (s *BackupService) GetBackupFile(
 		database.WorkspaceID,
 	)
 
-	return storage.GetFile(backup.ID)
+	return s.getBackupReader(backupID)
 }
 
 func (s *BackupService) deleteBackup(backup *Backup) error {
@@ -579,3 +585,91 @@ func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 
 	return nil
 }
+
+// GetBackupReader returns a reader for the backup file
+// If encrypted, wraps with DecryptionReader
+func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find backup: %w", err)
+	}
+
+	storage, err := s.storageService.GetStorageByID(backup.StorageID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get storage: %w", err)
+	}
+
+	fileReader, err := storage.GetFile(backup.ID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup file: %w", err)
+	}
+
+	// If not encrypted, return raw reader
+	if backup.Encryption == backups_config.BackupEncryptionNone {
+		s.logger.Info("Returning non-encrypted backup", "backupId", backupID)
+		return fileReader, nil
+	}
+
+	// Decrypt on-the-fly for encrypted backups
+	if backup.Encryption != backups_config.BackupEncryptionEncrypted {
+		if err := fileReader.Close(); err != nil {
+			s.logger.Error("Failed to close file reader", "error", err)
+		}
+		return nil, fmt.Errorf("unsupported encryption type: %s", backup.Encryption)
+	}
+
+	if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+		if err := fileReader.Close(); err != nil {
+			s.logger.Error("Failed to close file reader", "error", err)
+		}
+		return nil, fmt.Errorf("backup marked as encrypted but missing encryption metadata")
+	}
+
+	// Get master key
+	masterKey, err := s.secretKeyRepo.GetSecretKey()
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	// Decode salt and IV
+	salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to decode salt: %w", err)
+	}
+
+	iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to decode IV: %w", err)
+	}
+
+	// Wrap with decrypting reader
+	decryptionReader, err := encryption.NewDecryptionReader(
+		fileReader,
+		masterKey,
+		backup.ID,
+		salt,
+		iv,
+	)
+	if err != nil {
+		if closeErr := fileReader.Close(); closeErr != nil {
+			s.logger.Error("Failed to close file reader", "error", closeErr)
+		}
+		return nil, fmt.Errorf("failed to create decrypting reader: %w", err)
+	}
+
+	s.logger.Info("Returning encrypted backup with decryption", "backupId", backupID)
+
+	return &decryptionReaderCloser{
+		decryptionReader,
+		fileReader,
+	}, nil
+}

backend/internal/features/backups/backups/service_test.go

@@ -3,11 +3,13 @@ package backups
 import (
 	"context"
 	"errors"
+	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_enums "postgresus-backend/internal/features/users/enums"
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
@@ -53,6 +55,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			users_repositories.GetSecretKeyRepository(),
 			&CreateFailedBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
@@ -99,6 +102,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			users_repositories.GetSecretKeyRepository(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
@@ -122,6 +126,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
+			users_repositories.GetSecretKeyRepository(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
@@ -171,9 +176,9 @@ func (uc *CreateFailedBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) error {
+) (*usecases_postgresql.BackupMetadata, error) {
 	backupProgressListener(10) // Assume we completed 10MB
-	return errors.New("backup failed")
+	return nil, errors.New("backup failed")
 }
 
 type CreateSuccessBackupUsecase struct {
@@ -188,7 +193,11 @@ func (uc *CreateSuccessBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) error {
+) (*usecases_postgresql.BackupMetadata, error) {
 	backupProgressListener(10) // Assume we completed 10MB
-	return nil
+	return &usecases_postgresql.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
 }

backend/internal/features/backups/backups/usecases/create_backup_uc.go

@@ -15,7 +15,7 @@ type CreateBackupUsecase struct {
 	CreatePostgresqlBackupUsecase *usecases_postgresql.CreatePostgresqlBackupUsecase
 }
 
-// Execute creates a backup of the database and returns the backup size in MB
+// Execute creates a backup of the database and returns the backup metadata
 func (uc *CreateBackupUsecase) Execute(
 	ctx context.Context,
 	backupID uuid.UUID,
@@ -25,7 +25,7 @@ func (uc *CreateBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) error {
+) (*usecases_postgresql.BackupMetadata, error) {
 	if database.Type == databases.DatabaseTypePostgres {
 		return uc.CreatePostgresqlBackupUsecase.Execute(
 			ctx,
@@ -37,5 +37,5 @@ func (uc *CreateBackupUsecase) Execute(
 		)
 	}
 
-	return errors.New("database type not supported")
+	return nil, errors.New("database type not supported")
 }

backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go

@@ -2,6 +2,7 @@ package usecases_postgresql
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -14,17 +15,33 @@ import (
 	"time"
 
 	"postgresus-backend/internal/config"
+	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/storages"
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	"postgresus-backend/internal/util/tools"
 
 	"github.com/google/uuid"
 )
 
+const (
+	backupTimeout            = 23 * time.Hour
+	shutdownCheckInterval    = 1 * time.Second
+	copyBufferSize           = 32 * 1024
+	progressReportIntervalMB = 1.0
+	pgConnectTimeout         = 30
+	compressionLevel         = 5
+	defaultBackupLimit       = 1000
+	exitCodeAccessViolation  = -1073741819
+	exitCodeGenericError     = 1
+	exitCodeConnectionError  = 2
+)
+
 type CreatePostgresqlBackupUsecase struct {
-	logger *slog.Logger
+	logger        *slog.Logger
+	secretKeyRepo *users_repositories.SecretKeyRepository
 }
 
 // Execute creates a backup of the database
@@ -37,7 +54,7 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) error {
+) (*BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating PostgreSQL backup via pg_dump custom format",
 		"databaseId",
@@ -47,39 +64,20 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 	)
 
 	if !backupConfig.IsBackupsEnabled {
-		return fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
+		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
 	}
 
 	pg := db.Postgresql
 
 	if pg == nil {
-		return fmt.Errorf("postgresql database configuration is required for pg_dump backups")
+		return nil, fmt.Errorf("postgresql database configuration is required for pg_dump backups")
 	}
 
 	if pg.Database == nil || *pg.Database == "" {
-		return fmt.Errorf("database name is required for pg_dump backups")
+		return nil, fmt.Errorf("database name is required for pg_dump backups")
 	}
 
-	args := []string{
-		"-Fc",           // custom format with built-in compression
-		"--no-password", // Use environment variable for password, prevent prompts
-		"-h", pg.Host,
-		"-p", strconv.Itoa(pg.Port),
-		"-U", pg.Username,
-		"-d", *pg.Database,
-		"--verbose", // Add verbose output to help with debugging
-	}
-
-	// Use zstd compression level 5 for PostgreSQL 16+ (better compression and speed)
-	// Fall back to gzip compression level 5 for older versions (12-15)
-	if pg.Version == tools.PostgresqlVersion12 || pg.Version == tools.PostgresqlVersion13 ||
-		pg.Version == tools.PostgresqlVersion14 || pg.Version == tools.PostgresqlVersion15 {
-		args = append(args, "-Z", "5")
-		uc.logger.Info("Using gzip compression level 5 (zstd not available)", "version", pg.Version)
-	} else {
-		args = append(args, "--compress=zstd:5")
-		uc.logger.Info("Using zstd compression level 5", "version", pg.Version)
-	}
+	args := uc.buildPgDumpArgs(pg)
 
 	return uc.streamToStorage(
 		ctx,
@@ -110,36 +108,15 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	db *databases.Database,
 	backupProgressListener func(completedMBs float64),
-) error {
+) (*BackupMetadata, error) {
 	uc.logger.Info("Streaming PostgreSQL backup to storage", "pgBin", pgBin, "args", args)
 
-	// if backup not fit into 23 hours, Postgresus
-	// seems not to work for such database size
-	ctx, cancel := context.WithTimeout(parentCtx, 23*time.Hour)
+	ctx, cancel := uc.createBackupContext(parentCtx)
 	defer cancel()
 
-	// Monitor for shutdown and cancel context if needed
-	go func() {
-		ticker := time.NewTicker(1 * time.Second)
-		defer ticker.Stop()
-
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				if config.IsShouldShutdown() {
-					cancel()
-					return
-				}
-			}
-		}
-	}()
-
-	// Create temporary .pgpass file as a more reliable alternative to PGPASSWORD
-	pgpassFile, err := uc.createTempPgpassFile(db.Postgresql, password)
+	pgpassFile, err := uc.setupPgpassFile(db.Postgresql, password)
 	if err != nil {
-		return fmt.Errorf("failed to create temporary .pgpass file: %w", err)
+		return nil, err
 	}
 	defer func() {
 		if pgpassFile != "" {
@@ -147,87 +124,21 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 		}
 	}()
 
-	// Verify .pgpass file was created successfully
-	if pgpassFile == "" {
-		return fmt.Errorf("temporary .pgpass file was not created")
-	}
-
-	// Verify .pgpass file was created correctly
-	if info, err := os.Stat(pgpassFile); err == nil {
-		uc.logger.Info("Temporary .pgpass file created successfully",
-			"pgpassFile", pgpassFile,
-			"size", info.Size(),
-			"mode", info.Mode(),
-		)
-	} else {
-		return fmt.Errorf("failed to verify .pgpass file: %w", err)
-	}
-
 	cmd := exec.CommandContext(ctx, pgBin, args...)
 	uc.logger.Info("Executing PostgreSQL backup command", "command", cmd.String())
 
-	// Start with system environment variables to preserve Windows PATH, SystemRoot, etc.
-	cmd.Env = os.Environ()
-
-	// Use the .pgpass file for authentication
-	cmd.Env = append(cmd.Env, "PGPASSFILE="+pgpassFile)
-	uc.logger.Info("Using temporary .pgpass file for authentication", "pgpassFile", pgpassFile)
-
-	// Debug password setup (without exposing the actual password)
-	uc.logger.Info("Setting up PostgreSQL environment",
-		"passwordLength", len(password),
-		"passwordEmpty", password == "",
-		"pgBin", pgBin,
-		"usingPgpassFile", true,
-		"parallelJobs", backupConfig.CpuCount,
-	)
-
-	// Add PostgreSQL-specific environment variables
-	cmd.Env = append(cmd.Env, "PGCLIENTENCODING=UTF8")
-	cmd.Env = append(cmd.Env, "PGCONNECT_TIMEOUT=30")
-
-	// Add encoding-related environment variables to handle character encoding issues
-	cmd.Env = append(cmd.Env, "LC_ALL=C.UTF-8")
-	cmd.Env = append(cmd.Env, "LANG=C.UTF-8")
-
-	// Add PostgreSQL-specific encoding settings
-	cmd.Env = append(cmd.Env, "PGOPTIONS=--client-encoding=UTF8")
-
-	shouldRequireSSL := db.Postgresql.IsHttps
-
-	// Require SSL when explicitly configured
-	if shouldRequireSSL {
-		cmd.Env = append(cmd.Env, "PGSSLMODE=require")
-		uc.logger.Info("Using required SSL mode", "configuredHttps", db.Postgresql.IsHttps)
-	} else {
-		// SSL not explicitly required, but prefer it if available
-		cmd.Env = append(cmd.Env, "PGSSLMODE=prefer")
-		uc.logger.Info("Using preferred SSL mode", "configuredHttps", db.Postgresql.IsHttps)
-	}
-
-	// Set other SSL parameters to avoid certificate issues
-	cmd.Env = append(cmd.Env, "PGSSLCERT=")     // No client certificate
-	cmd.Env = append(cmd.Env, "PGSSLKEY=")      // No client key
-	cmd.Env = append(cmd.Env, "PGSSLROOTCERT=") // No root certificate verification
-	cmd.Env = append(cmd.Env, "PGSSLCRL=")      // No certificate revocation list
-
-	// Verify executable exists and is accessible
-	if _, err := exec.LookPath(pgBin); err != nil {
-		return fmt.Errorf(
-			"PostgreSQL executable not found or not accessible: %s - %w",
-			pgBin,
-			err,
-		)
+	if err := uc.setupPgEnvironment(cmd, pgpassFile, db.Postgresql.IsHttps, password, backupConfig.CpuCount, pgBin); err != nil {
+		return nil, err
 	}
 
 	pgStdout, err := cmd.StdoutPipe()
 	if err != nil {
-		return fmt.Errorf("stdout pipe: %w", err)
+		return nil, fmt.Errorf("stdout pipe: %w", err)
 	}
 
 	pgStderr, err := cmd.StderrPipe()
 	if err != nil {
-		return fmt.Errorf("stderr pipe: %w", err)
+		return nil, fmt.Errorf("stderr pipe: %w", err)
 	}
 
 	// Capture stderr in a separate goroutine to ensure we don't miss any error output
@@ -237,23 +148,31 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 		stderrCh <- stderrOutput
 	}()
 
-	// A pipe connecting pg_dump output → storage
 	storageReader, storageWriter := io.Pipe()
 
-	// Create a counting writer to track bytes
-	countingWriter := &CountingWriter{writer: storageWriter}
+	finalWriter, encryptionWriter, backupMetadata, err := uc.setupBackupEncryption(
+		backupID,
+		backupConfig,
+		storageWriter,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	countingWriter := &CountingWriter{writer: finalWriter}
 
 	// The backup ID becomes the object key / filename in storage
 
 	// Start streaming into storage in its own goroutine
 	saveErrCh := make(chan error, 1)
 	go func() {
-		saveErrCh <- storage.SaveFile(uc.logger, backupID, storageReader)
+		saveErr := storage.SaveFile(uc.logger, backupID, storageReader)
+		saveErrCh <- saveErr
 	}()
 
 	// Start pg_dump
 	if err = cmd.Start(); err != nil {
-		return fmt.Errorf("start %s: %w", filepath.Base(pgBin), err)
+		return nil, fmt.Errorf("start %s: %w", filepath.Base(pgBin), err)
 	}
 
 	// Copy pg output directly to storage with shutdown checks
@@ -278,26 +197,14 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	// Check for shutdown or cancellation before finalizing
 	select {
 	case <-ctx.Done():
-		if pipeWriter, ok := countingWriter.writer.(*io.PipeWriter); ok {
-			if err := pipeWriter.Close(); err != nil {
-				uc.logger.Error("Failed to close counting writer", "error", err)
-			}
-		}
-
-		<-saveErrCh // Wait for storage to finish
-
-		if config.IsShouldShutdown() {
-			return fmt.Errorf("backup cancelled due to shutdown")
-		}
-		return fmt.Errorf("backup cancelled")
+		uc.cleanupOnCancellation(encryptionWriter, storageWriter, saveErrCh)
+		return nil, uc.checkCancellationReason()
 	default:
 	}
 
-	// Close the pipe writer to signal end of data
-	if pipeWriter, ok := countingWriter.writer.(*io.PipeWriter); ok {
-		if err := pipeWriter.Close(); err != nil {
-			uc.logger.Error("Failed to close counting writer", "error", err)
-		}
+	if err := uc.closeWriters(encryptionWriter, storageWriter); err != nil {
+		<-saveErrCh
+		return nil, err
 	}
 
 	// Wait until storage ends reading
@@ -312,149 +219,34 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 
 	switch {
 	case waitErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		// Enhanced error handling for PostgreSQL connection and SSL issues
-		stderrStr := string(stderrOutput)
-		errorMsg := fmt.Sprintf(
-			"%s failed: %v – stderr: %s",
-			filepath.Base(pgBin),
-			waitErr,
-			stderrStr,
-		)
-
-		// Check for specific PostgreSQL error patterns
-		if exitErr, ok := waitErr.(*exec.ExitError); ok {
-			exitCode := exitErr.ExitCode()
-
-			// Enhanced debugging for exit status 1 with empty stderr
-			if exitCode == 1 && strings.TrimSpace(stderrStr) == "" {
-				uc.logger.Error("pg_dump failed with exit status 1 but no stderr output",
-					"pgBin", pgBin,
-					"args", args,
-					"env_vars", []string{
-						"PGCLIENTENCODING=UTF8",
-						"PGCONNECT_TIMEOUT=30",
-						"LC_ALL=C.UTF-8",
-						"LANG=C.UTF-8",
-						"PGOPTIONS=--client-encoding=UTF8",
-					},
-				)
-
-				errorMsg = fmt.Sprintf(
-					"%s failed with exit status 1 but provided no error details. "+
-						"This often indicates: "+
-						"1) Connection timeout or refused connection, "+
-						"2) Authentication failure with incorrect credentials, "+
-						"3) Database does not exist, "+
-						"4) Network connectivity issues, "+
-						"5) PostgreSQL server not running. "+
-						"Command executed: %s %s",
-					filepath.Base(pgBin),
-					pgBin,
-					strings.Join(args, " "),
-				)
-			} else if exitCode == -1073741819 { // 0xC0000005 in decimal
-				uc.logger.Error("PostgreSQL tool crashed with access violation",
-					"pgBin", pgBin,
-					"args", args,
-					"exitCode", fmt.Sprintf("0x%X", uint32(exitCode)),
-				)
-
-				errorMsg = fmt.Sprintf(
-					"%s crashed with access violation (0xC0000005). This may indicate incompatible PostgreSQL version, corrupted installation, or connection issues. stderr: %s",
-					filepath.Base(pgBin),
-					stderrStr,
-				)
-			} else if exitCode == 1 || exitCode == 2 {
-				// Check for common connection and authentication issues
-				if containsIgnoreCase(stderrStr, "pg_hba.conf") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection rejected by server configuration (pg_hba.conf). The server may not allow connections from your IP address or may require different authentication settings. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "no password supplied") || containsIgnoreCase(stderrStr, "fe_sendauth") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL authentication failed - no password supplied. "+
-							"PGPASSWORD environment variable may not be working correctly on this system. "+
-							"Password length: %d, Password empty: %v. "+
-							"Consider using a .pgpass file as an alternative. stderr: %s",
-						len(password),
-						password == "",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "ssl") && containsIgnoreCase(stderrStr, "connection") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL SSL connection failed. The server may require SSL encryption or have SSL configuration issues. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "connection") && containsIgnoreCase(stderrStr, "refused") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection refused. Check if the server is running and accessible from your network. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "authentication") || containsIgnoreCase(stderrStr, "password") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL authentication failed. Check username and password. stderr: %s",
-						stderrStr,
-					)
-				} else if containsIgnoreCase(stderrStr, "timeout") {
-					errorMsg = fmt.Sprintf(
-						"PostgreSQL connection timeout. The server may be unreachable or overloaded. stderr: %s",
-						stderrStr,
-					)
-				}
-			}
-		}
-
-		return errors.New(errorMsg)
+		return nil, uc.buildPgDumpErrorMessage(waitErr, stderrOutput, pgBin, args, password)
 	case copyErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		return fmt.Errorf("copy to storage: %w", copyErr)
+		return nil, fmt.Errorf("copy to storage: %w", copyErr)
 	case saveErr != nil:
-		select {
-		case <-ctx.Done():
-			if config.IsShouldShutdown() {
-				return fmt.Errorf("backup cancelled due to shutdown")
-			}
-			return fmt.Errorf("backup cancelled")
-		default:
+		if err := uc.checkCancellation(ctx); err != nil {
+			return nil, err
 		}
-
-		return fmt.Errorf("save to storage: %w", saveErr)
+		return nil, fmt.Errorf("save to storage: %w", saveErr)
 	}
 
-	return nil
+	return &backupMetadata, nil
 }
 
-// copyWithShutdownCheck copies data from src to dst while checking for shutdown
 func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 	ctx context.Context,
 	dst io.Writer,
 	src io.Reader,
 	backupProgressListener func(completedMBs float64),
 ) (int64, error) {
-	buf := make([]byte, 32*1024) // 32KB buffer
+	buf := make([]byte, copyBufferSize)
 	var totalBytesWritten int64
-
-	// Progress reporting interval - report every 1MB of data
 	var lastReportedMB float64
-	const reportIntervalMB = 1.0
 
 	for {
 		select {
@@ -487,12 +279,9 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 
 			totalBytesWritten += int64(bytesWritten)
 
-			// Report progress based on total size
 			if backupProgressListener != nil {
 				currentSizeMB := float64(totalBytesWritten) / (1024 * 1024)
-
-				// Only report if we've written at least 1MB more data than last report
-				if currentSizeMB >= lastReportedMB+reportIntervalMB {
+				if currentSizeMB >= lastReportedMB+progressReportIntervalMB {
 					backupProgressListener(currentSizeMB)
 					lastReportedMB = currentSizeMB
 				}
@@ -503,7 +292,6 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 			if readErr != io.EOF {
 				return totalBytesWritten, readErr
 			}
-
 			break
 		}
 	}
@@ -511,12 +299,412 @@ func (uc *CreatePostgresqlBackupUsecase) copyWithShutdownCheck(
 	return totalBytesWritten, nil
 }
 
-// containsIgnoreCase checks if a string contains a substring, ignoring case
-func containsIgnoreCase(str, substr string) bool {
-	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+func (uc *CreatePostgresqlBackupUsecase) buildPgDumpArgs(pg *pgtypes.PostgresqlDatabase) []string {
+	args := []string{
+		"-Fc",
+		"--no-password",
+		"-h", pg.Host,
+		"-p", strconv.Itoa(pg.Port),
+		"-U", pg.Username,
+		"-d", *pg.Database,
+		"--verbose",
+	}
+
+	compressionArgs := uc.getCompressionArgs(pg.Version)
+	return append(args, compressionArgs...)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) getCompressionArgs(
+	version tools.PostgresqlVersion,
+) []string {
+	if uc.isOlderPostgresVersion(version) {
+		uc.logger.Info("Using gzip compression level 5 (zstd not available)", "version", version)
+		return []string{"-Z", strconv.Itoa(compressionLevel)}
+	}
+
+	uc.logger.Info("Using zstd compression level 5", "version", version)
+	return []string{fmt.Sprintf("--compress=zstd:%d", compressionLevel)}
+}
+
+func (uc *CreatePostgresqlBackupUsecase) isOlderPostgresVersion(
+	version tools.PostgresqlVersion,
+) bool {
+	return version == tools.PostgresqlVersion12 ||
+		version == tools.PostgresqlVersion13 ||
+		version == tools.PostgresqlVersion14 ||
+		version == tools.PostgresqlVersion15
+}
+
+func (uc *CreatePostgresqlBackupUsecase) createBackupContext(
+	parentCtx context.Context,
+) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithTimeout(parentCtx, backupTimeout)
+
+	go func() {
+		ticker := time.NewTicker(shutdownCheckInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if config.IsShouldShutdown() {
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	return ctx, cancel
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupPgpassFile(
+	pgConfig *pgtypes.PostgresqlDatabase,
+	password string,
+) (string, error) {
+	pgpassFile, err := uc.createTempPgpassFile(pgConfig, password)
+	if err != nil {
+		return "", fmt.Errorf("failed to create temporary .pgpass file: %w", err)
+	}
+
+	if pgpassFile == "" {
+		return "", fmt.Errorf("temporary .pgpass file was not created")
+	}
+
+	if info, err := os.Stat(pgpassFile); err == nil {
+		uc.logger.Info("Temporary .pgpass file created successfully",
+			"pgpassFile", pgpassFile,
+			"size", info.Size(),
+			"mode", info.Mode(),
+		)
+	} else {
+		return "", fmt.Errorf("failed to verify .pgpass file: %w", err)
+	}
+
+	return pgpassFile, nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupPgEnvironment(
+	cmd *exec.Cmd,
+	pgpassFile string,
+	shouldRequireSSL bool,
+	password string,
+	cpuCount int,
+	pgBin string,
+) error {
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, "PGPASSFILE="+pgpassFile)
+
+	uc.logger.Info("Using temporary .pgpass file for authentication", "pgpassFile", pgpassFile)
+	uc.logger.Info("Setting up PostgreSQL environment",
+		"passwordLength", len(password),
+		"passwordEmpty", password == "",
+		"pgBin", pgBin,
+		"usingPgpassFile", true,
+		"parallelJobs", cpuCount,
+	)
+
+	cmd.Env = append(cmd.Env,
+		"PGCLIENTENCODING=UTF8",
+		"PGCONNECT_TIMEOUT="+strconv.Itoa(pgConnectTimeout),
+		"LC_ALL=C.UTF-8",
+		"LANG=C.UTF-8",
+		"PGOPTIONS=--client-encoding=UTF8",
+	)
+
+	if shouldRequireSSL {
+		cmd.Env = append(cmd.Env, "PGSSLMODE=require")
+		uc.logger.Info("Using required SSL mode", "configuredHttps", shouldRequireSSL)
+	} else {
+		cmd.Env = append(cmd.Env, "PGSSLMODE=prefer")
+		uc.logger.Info("Using preferred SSL mode", "configuredHttps", shouldRequireSSL)
+	}
+
+	cmd.Env = append(cmd.Env,
+		"PGSSLCERT=",
+		"PGSSLKEY=",
+		"PGSSLROOTCERT=",
+		"PGSSLCRL=",
+	)
+
+	if _, err := exec.LookPath(pgBin); err != nil {
+		return fmt.Errorf("PostgreSQL executable not found or not accessible: %s - %w", pgBin, err)
+	}
+
+	return nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	storageWriter io.WriteCloser,
+) (io.Writer, *encryption.EncryptionWriter, BackupMetadata, error) {
+	metadata := BackupMetadata{}
+
+	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
+		metadata.Encryption = backups_config.BackupEncryptionNone
+		uc.logger.Info("Encryption disabled for backup", "backupId", backupID)
+		return storageWriter, nil, metadata, nil
+	}
+
+	salt, err := encryption.GenerateSalt()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	nonce, err := encryption.GenerateNonce()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
+	}
+
+	masterKey, err := uc.secretKeyRepo.GetSecretKey()
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
+	}
+
+	encWriter, err := encryption.NewEncryptionWriter(
+		storageWriter,
+		masterKey,
+		backupID,
+		salt,
+		nonce,
+	)
+	if err != nil {
+		return nil, nil, metadata, fmt.Errorf("failed to create encrypting writer: %w", err)
+	}
+
+	saltBase64 := base64.StdEncoding.EncodeToString(salt)
+	nonceBase64 := base64.StdEncoding.EncodeToString(nonce)
+	metadata.EncryptionSalt = &saltBase64
+	metadata.EncryptionIV = &nonceBase64
+	metadata.Encryption = backups_config.BackupEncryptionEncrypted
+
+	uc.logger.Info("Encryption enabled for backup", "backupId", backupID)
+	return encWriter, encWriter, metadata, nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) cleanupOnCancellation(
+	encryptionWriter *encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+	saveErrCh chan error,
+) {
+	if encryptionWriter != nil {
+		go func() {
+			if closeErr := encryptionWriter.Close(); closeErr != nil {
+				uc.logger.Error(
+					"Failed to close encrypting writer during cancellation",
+					"error",
+					closeErr,
+				)
+			}
+		}()
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer during cancellation", "error", err)
+	}
+
+	<-saveErrCh
+}
+
+func (uc *CreatePostgresqlBackupUsecase) closeWriters(
+	encryptionWriter *encryption.EncryptionWriter,
+	storageWriter io.WriteCloser,
+) error {
+	encryptionCloseErrCh := make(chan error, 1)
+	if encryptionWriter != nil {
+		go func() {
+			closeErr := encryptionWriter.Close()
+			if closeErr != nil {
+				uc.logger.Error("Failed to close encrypting writer", "error", closeErr)
+			}
+			encryptionCloseErrCh <- closeErr
+		}()
+	} else {
+		encryptionCloseErrCh <- nil
+	}
+
+	encryptionCloseErr := <-encryptionCloseErrCh
+	if encryptionCloseErr != nil {
+		if err := storageWriter.Close(); err != nil {
+			uc.logger.Error("Failed to close pipe writer after encryption error", "error", err)
+		}
+		return fmt.Errorf("failed to close encryption writer: %w", encryptionCloseErr)
+	}
+
+	if err := storageWriter.Close(); err != nil {
+		uc.logger.Error("Failed to close pipe writer", "error", err)
+		return err
+	}
+
+	return nil
+}
+
+func (uc *CreatePostgresqlBackupUsecase) checkCancellation(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		if config.IsShouldShutdown() {
+			return fmt.Errorf("backup cancelled due to shutdown")
+		}
+		return fmt.Errorf("backup cancelled")
+	default:
+		return nil
+	}
+}
+
+func (uc *CreatePostgresqlBackupUsecase) checkCancellationReason() error {
+	if config.IsShouldShutdown() {
+		return fmt.Errorf("backup cancelled due to shutdown")
+	}
+	return fmt.Errorf("backup cancelled")
+}
+
+func (uc *CreatePostgresqlBackupUsecase) buildPgDumpErrorMessage(
+	waitErr error,
+	stderrOutput []byte,
+	pgBin string,
+	args []string,
+	password string,
+) error {
+	stderrStr := string(stderrOutput)
+	errorMsg := fmt.Sprintf("%s failed: %v – stderr: %s", filepath.Base(pgBin), waitErr, stderrStr)
+
+	exitErr, ok := waitErr.(*exec.ExitError)
+	if !ok {
+		return errors.New(errorMsg)
+	}
+
+	exitCode := exitErr.ExitCode()
+
+	if exitCode == exitCodeGenericError && strings.TrimSpace(stderrStr) == "" {
+		return uc.handleExitCode1NoStderr(pgBin, args)
+	}
+
+	if exitCode == exitCodeAccessViolation {
+		return uc.handleAccessViolation(pgBin, stderrStr)
+	}
+
+	if exitCode == exitCodeGenericError || exitCode == exitCodeConnectionError {
+		return uc.handleConnectionErrors(stderrStr, password)
+	}
+
+	return errors.New(errorMsg)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleExitCode1NoStderr(
+	pgBin string,
+	args []string,
+) error {
+	uc.logger.Error("pg_dump failed with exit status 1 but no stderr output",
+		"pgBin", pgBin,
+		"args", args,
+		"env_vars", []string{
+			"PGCLIENTENCODING=UTF8",
+			"PGCONNECT_TIMEOUT=" + strconv.Itoa(pgConnectTimeout),
+			"LC_ALL=C.UTF-8",
+			"LANG=C.UTF-8",
+			"PGOPTIONS=--client-encoding=UTF8",
+		},
+	)
+
+	return fmt.Errorf(
+		"%s failed with exit status 1 but provided no error details. "+
+			"This often indicates: "+
+			"1) Connection timeout or refused connection, "+
+			"2) Authentication failure with incorrect credentials, "+
+			"3) Database does not exist, "+
+			"4) Network connectivity issues, "+
+			"5) PostgreSQL server not running. "+
+			"Command executed: %s %s",
+		filepath.Base(pgBin),
+		pgBin,
+		strings.Join(args, " "),
+	)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleAccessViolation(
+	pgBin string,
+	stderrStr string,
+) error {
+	uc.logger.Error("PostgreSQL tool crashed with access violation",
+		"pgBin", pgBin,
+		"exitCode", "0xC0000005",
+	)
+
+	return fmt.Errorf(
+		"%s crashed with access violation (0xC0000005). "+
+			"This may indicate incompatible PostgreSQL version, corrupted installation, or connection issues. "+
+			"stderr: %s",
+		filepath.Base(pgBin),
+		stderrStr,
+	)
+}
+
+func (uc *CreatePostgresqlBackupUsecase) handleConnectionErrors(
+	stderrStr string,
+	password string,
+) error {
+	if containsIgnoreCase(stderrStr, "pg_hba.conf") {
+		return fmt.Errorf(
+			"PostgreSQL connection rejected by server configuration (pg_hba.conf). "+
+				"The server may not allow connections from your IP address or may require different authentication settings. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "no password supplied") ||
+		containsIgnoreCase(stderrStr, "fe_sendauth") {
+		return fmt.Errorf(
+			"PostgreSQL authentication failed - no password supplied. "+
+				"PGPASSWORD environment variable may not be working correctly on this system. "+
+				"Password length: %d, Password empty: %v. "+
+				"Consider using a .pgpass file as an alternative. "+
+				"stderr: %s",
+			len(password),
+			password == "",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "ssl") && containsIgnoreCase(stderrStr, "connection") {
+		return fmt.Errorf(
+			"PostgreSQL SSL connection failed. "+
+				"The server may require SSL encryption or have SSL configuration issues. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "connection") && containsIgnoreCase(stderrStr, "refused") {
+		return fmt.Errorf(
+			"PostgreSQL connection refused. "+
+				"Check if the server is running and accessible from your network. "+
+				"stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "authentication") ||
+		containsIgnoreCase(stderrStr, "password") {
+		return fmt.Errorf(
+			"PostgreSQL authentication failed. Check username and password. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	if containsIgnoreCase(stderrStr, "timeout") {
+		return fmt.Errorf(
+			"PostgreSQL connection timeout. The server may be unreachable or overloaded. stderr: %s",
+			stderrStr,
+		)
+	}
+
+	return fmt.Errorf("PostgreSQL connection or authentication error. stderr: %s", stderrStr)
 }
 
-// createTempPgpassFile creates a temporary .pgpass file with the given password
 func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 	pgConfig *pgtypes.PostgresqlDatabase,
 	password string,
@@ -532,7 +720,6 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 		password,
 	)
 
-	// it always create unique directory like /tmp/pgpass-1234567890
 	tempDir, err := os.MkdirTemp("", "pgpass")
 	if err != nil {
 		return "", fmt.Errorf("failed to create temporary directory: %w", err)
@@ -546,3 +733,7 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 
 	return pgpassFile, nil
 }
+
+func containsIgnoreCase(str, substr string) bool {
+	return strings.Contains(strings.ToLower(str), strings.ToLower(substr))
+}

backend/internal/features/backups/backups/usecases/postgresql/di.go

@@ -1,11 +1,13 @@
 package usecases_postgresql
 
 import (
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	"postgresus-backend/internal/util/logger"
 )
 
 var createPostgresqlBackupUsecase = &CreatePostgresqlBackupUsecase{
 	logger.GetLogger(),
+	users_repositories.GetSecretKeyRepository(),
 }
 
 func GetCreatePostgresqlBackupUsecase() *CreatePostgresqlBackupUsecase {

backend/internal/features/backups/backups/usecases/postgresql/dto.go

@@ -0,0 +1,15 @@
+package usecases_postgresql
+
+import backups_config "postgresus-backend/internal/features/backups/config"
+
+type EncryptionMetadata struct {
+	Salt       string
+	IV         string
+	Encryption backups_config.BackupEncryption
+}
+
+type BackupMetadata struct {
+	EncryptionSalt *string
+	EncryptionIV   *string
+	Encryption     backups_config.BackupEncryption
+}

backend/internal/features/backups/config/controller.go

@@ -20,15 +20,15 @@ func (c *BackupConfigController) RegisterRoutes(router *gin.RouterGroup) {
 
 // SaveBackupConfig
 // @Summary Save backup configuration
-// @Description Save or update backup configuration for a database
+// @Description Save or update backup configuration for a database. Encryption can be set to NONE (no encryption) or ENCRYPTED (AES-256-GCM encryption).
 // @Tags backup-configs
 // @Accept json
 // @Produce json
-// @Param request body BackupConfig true "Backup configuration data"
-// @Success 200 {object} BackupConfig
-// @Failure 400
-// @Failure 401
-// @Failure 500
+// @Param request body BackupConfig true "Backup configuration data (encryption field: NONE or ENCRYPTED)"
+// @Success 200 {object} BackupConfig "Returns the saved backup configuration including encryption settings"
+// @Failure 400 {object} map[string]string "Invalid encryption value or other validation errors"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 500 {object} map[string]string "Internal server error"
 // @Router /backup-configs/save [post]
 func (c *BackupConfigController) SaveBackupConfig(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)
@@ -57,14 +57,14 @@ func (c *BackupConfigController) SaveBackupConfig(ctx *gin.Context) {
 
 // GetBackupConfigByDbID
 // @Summary Get backup configuration by database ID
-// @Description Get backup configuration for a specific database
+// @Description Get backup configuration for a specific database including encryption settings (NONE or ENCRYPTED)
 // @Tags backup-configs
 // @Produce json
 // @Param id path string true "Database ID"
-// @Success 200 {object} BackupConfig
-// @Failure 400
-// @Failure 401
-// @Failure 404
+// @Success 200 {object} BackupConfig "Returns backup configuration with encryption field"
+// @Failure 400 {object} map[string]string "Invalid database ID"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 404 {object} map[string]string "Backup configuration not found"
 // @Router /backup-configs/database/{id} [get]
 func (c *BackupConfigController) GetBackupConfigByDbID(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)

backend/internal/features/backups/config/controller_test.go

@@ -368,6 +368,86 @@ func Test_IsStorageUsing_PermissionsEnforced(t *testing.T) {
 	}
 }
 
+func Test_SaveBackupConfig_WithEncryptionNone_ConfigSaved(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		CpuCount:            2,
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.Equal(t, BackupEncryptionNone, response.Encryption)
+}
+
+func Test_SaveBackupConfig_WithEncryptionEncrypted_ConfigSaved(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		CpuCount:            2,
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionEncrypted,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.Equal(t, BackupEncryptionEncrypted, response.Encryption)
+}
+
 func createTestDatabaseViaAPI(
 	name string,
 	workspaceID uuid.UUID,

backend/internal/features/backups/config/enums.go

@@ -6,3 +6,10 @@ const (
 	NotificationBackupFailed  BackupNotificationType = "BACKUP_FAILED"
 	NotificationBackupSuccess BackupNotificationType = "BACKUP_SUCCESS"
 )
+
+type BackupEncryption string
+
+const (
+	BackupEncryptionNone      BackupEncryption = "NONE"
+	BackupEncryptionEncrypted BackupEncryption = "ENCRYPTED"
+)

backend/internal/features/backups/config/model.go

@@ -31,6 +31,8 @@ type BackupConfig struct {
 	MaxFailedTriesCount int  `json:"maxFailedTriesCount" gorm:"column:max_failed_tries_count;type:int;not null"`
 
 	CpuCount int `json:"cpuCount" gorm:"type:int;not null"`
+
+	Encryption BackupEncryption `json:"encryption" gorm:"column:encryption;type:text;not null;default:'NONE'"`
 }
 
 func (h *BackupConfig) TableName() string {
@@ -88,6 +90,11 @@ func (b *BackupConfig) Validate() error {
 		return errors.New("max failed tries count must be greater than 0")
 	}
 
+	if b.Encryption != "" && b.Encryption != BackupEncryptionNone &&
+		b.Encryption != BackupEncryptionEncrypted {
+		return errors.New("encryption must be NONE or ENCRYPTED")
+	}
+
 	return nil
 }
 
@@ -103,5 +110,6 @@ func (b *BackupConfig) Copy(newDatabaseID uuid.UUID) *BackupConfig {
 		IsRetryIfFailed:     b.IsRetryIfFailed,
 		MaxFailedTriesCount: b.MaxFailedTriesCount,
 		CpuCount:            b.CpuCount,
+		Encryption:          b.Encryption,
 	}
 }

backend/internal/features/backups/config/service.go

@@ -171,6 +171,7 @@ func (s *BackupConfigService) initializeDefaultConfig(
 		CpuCount:            1,
 		IsRetryIfFailed:     true,
 		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
 	})
 
 	return err

backend/internal/features/restores/usecases/postgresql/di.go

@@ -1,11 +1,13 @@
 package usecases_postgresql
 
 import (
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	"postgresus-backend/internal/util/logger"
 )
 
 var restorePostgresqlBackupUsecase = &RestorePostgresqlBackupUsecase{
 	logger.GetLogger(),
+	users_repositories.GetSecretKeyRepository(),
 }
 
 func GetRestorePostgresqlBackupUsecase() *RestorePostgresqlBackupUsecase {

backend/internal/features/restores/usecases/postgresql/restore_backup_uc.go

@@ -2,6 +2,7 @@ package usecases_postgresql
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -15,11 +16,13 @@ import (
 
 	"postgresus-backend/internal/config"
 	"postgresus-backend/internal/features/backups/backups"
+	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/restores/models"
 	"postgresus-backend/internal/features/storages"
+	users_repositories "postgresus-backend/internal/features/users/repositories"
 	files_utils "postgresus-backend/internal/util/files"
 	"postgresus-backend/internal/util/tools"
 
@@ -27,7 +30,8 @@ import (
 )
 
 type RestorePostgresqlBackupUsecase struct {
-	logger *slog.Logger
+	logger        *slog.Logger
+	secretKeyRepo *users_repositories.SecretKeyRepository
 }
 
 func (uc *RestorePostgresqlBackupUsecase) Execute(
@@ -202,18 +206,66 @@ func (uc *RestorePostgresqlBackupUsecase) downloadBackupToTempFile(
 		backup.ID,
 		"tempFile",
 		tempBackupFile,
+		"encrypted",
+		backup.Encryption == backups_config.BackupEncryptionEncrypted,
 	)
-	backupReader, err := storage.GetFile(backup.ID)
+	rawReader, err := storage.GetFile(backup.ID)
 	if err != nil {
 		cleanupFunc()
 		return "", nil, fmt.Errorf("failed to get backup file from storage: %w", err)
 	}
 	defer func() {
-		if err := backupReader.Close(); err != nil {
+		if err := rawReader.Close(); err != nil {
 			uc.logger.Error("Failed to close backup reader", "error", err)
 		}
 	}()
 
+	// Create a reader that handles decryption if needed
+	var backupReader io.Reader = rawReader
+	if backup.Encryption == backups_config.BackupEncryptionEncrypted {
+		// Validate encryption metadata
+		if backup.EncryptionSalt == nil || backup.EncryptionIV == nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("backup is encrypted but missing encryption metadata")
+		}
+
+		// Get master key
+		masterKey, err := uc.secretKeyRepo.GetSecretKey()
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to get master key for decryption: %w", err)
+		}
+
+		// Decode salt and IV from base64
+		salt, err := base64.StdEncoding.DecodeString(*backup.EncryptionSalt)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to decode encryption salt: %w", err)
+		}
+
+		iv, err := base64.StdEncoding.DecodeString(*backup.EncryptionIV)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to decode encryption IV: %w", err)
+		}
+
+		// Create decryption reader
+		decryptReader, err := encryption.NewDecryptionReader(
+			rawReader,
+			masterKey,
+			backup.ID,
+			salt,
+			iv,
+		)
+		if err != nil {
+			cleanupFunc()
+			return "", nil, fmt.Errorf("failed to create decryption reader: %w", err)
+		}
+
+		backupReader = decryptReader
+		uc.logger.Info("Using decryption for encrypted backup", "backupId", backup.ID)
+	}
+
 	// Create temporary backup file
 	tempFile, err := os.Create(tempBackupFile)
 	if err != nil {

backend/internal/features/storages/enums.go

@@ -7,4 +7,5 @@ const (
 	StorageTypeS3          StorageType = "S3"
 	StorageTypeGoogleDrive StorageType = "GOOGLE_DRIVE"
 	StorageTypeNAS         StorageType = "NAS"
+	StorageTypeAzureBlob   StorageType = "AZURE_BLOB"
 )

backend/internal/features/storages/model.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"io"
 	"log/slog"
+	azure_blob_storage "postgresus-backend/internal/features/storages/models/azure_blob"
 	google_drive_storage "postgresus-backend/internal/features/storages/models/google_drive"
 	local_storage "postgresus-backend/internal/features/storages/models/local"
 	nas_storage "postgresus-backend/internal/features/storages/models/nas"
@@ -24,6 +25,7 @@ type Storage struct {
 	S3Storage          *s3_storage.S3Storage                    `json:"s3Storage"          gorm:"foreignKey:StorageID"`
 	GoogleDriveStorage *google_drive_storage.GoogleDriveStorage `json:"googleDriveStorage" gorm:"foreignKey:StorageID"`
 	NASStorage         *nas_storage.NASStorage                  `json:"nasStorage"         gorm:"foreignKey:StorageID"`
+	AzureBlobStorage   *azure_blob_storage.AzureBlobStorage     `json:"azureBlobStorage"   gorm:"foreignKey:StorageID"`
 }
 
 func (s *Storage) SaveFile(logger *slog.Logger, fileID uuid.UUID, file io.Reader) error {
@@ -88,6 +90,10 @@ func (s *Storage) Update(incoming *Storage) {
 		if s.NASStorage != nil && incoming.NASStorage != nil {
 			s.NASStorage.Update(incoming.NASStorage)
 		}
+	case StorageTypeAzureBlob:
+		if s.AzureBlobStorage != nil && incoming.AzureBlobStorage != nil {
+			s.AzureBlobStorage.Update(incoming.AzureBlobStorage)
+		}
 	}
 }
 
@@ -101,6 +107,8 @@ func (s *Storage) getSpecificStorage() StorageFileSaver {
 		return s.GoogleDriveStorage
 	case StorageTypeNAS:
 		return s.NASStorage
+	case StorageTypeAzureBlob:
+		return s.AzureBlobStorage
 	default:
 		panic("invalid storage type: " + string(s.Type))
 	}

backend/internal/features/storages/model_test.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"postgresus-backend/internal/config"
+	azure_blob_storage "postgresus-backend/internal/features/storages/models/azure_blob"
 	google_drive_storage "postgresus-backend/internal/features/storages/models/google_drive"
 	local_storage "postgresus-backend/internal/features/storages/models/local"
 	nas_storage "postgresus-backend/internal/features/storages/models/nas"
@@ -17,6 +18,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/google/uuid"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
@@ -32,6 +34,15 @@ type S3Container struct {
 	region     string
 }
 
+type AzuriteContainer struct {
+	endpoint         string
+	accountName      string
+	accountKey       string
+	containerNameKey string
+	containerNameStr string
+	connectionString string
+}
+
 func Test_Storage_BasicOperations(t *testing.T) {
 	ctx := context.Background()
 
@@ -41,6 +52,10 @@ func Test_Storage_BasicOperations(t *testing.T) {
 	s3Container, err := setupS3Container(ctx)
 	require.NoError(t, err, "Failed to setup S3 container")
 
+	// Setup Azurite connection
+	azuriteContainer, err := setupAzuriteContainer(ctx)
+	require.NoError(t, err, "Failed to setup Azurite container")
+
 	// Setup test file
 	testFilePath, err := setupTestFile()
 	require.NoError(t, err, "Failed to setup test file")
@@ -88,6 +103,26 @@ func Test_Storage_BasicOperations(t *testing.T) {
 				Path:      "test-files",
 			},
 		},
+		{
+			name: "AzureBlobStorage_AccountKey",
+			storage: &azure_blob_storage.AzureBlobStorage{
+				StorageID:     uuid.New(),
+				AuthMethod:    azure_blob_storage.AuthMethodAccountKey,
+				AccountName:   azuriteContainer.accountName,
+				AccountKey:    azuriteContainer.accountKey,
+				ContainerName: azuriteContainer.containerNameKey,
+				Endpoint:      azuriteContainer.endpoint,
+			},
+		},
+		{
+			name: "AzureBlobStorage_ConnectionString",
+			storage: &azure_blob_storage.AzureBlobStorage{
+				StorageID:        uuid.New(),
+				AuthMethod:       azure_blob_storage.AuthMethodConnectionString,
+				ConnectionString: azuriteContainer.connectionString,
+				ContainerName:    azuriteContainer.containerNameStr,
+			},
+		},
 	}
 
 	// Add Google Drive storage test only if environment variables are available
@@ -230,8 +265,59 @@ func setupS3Container(ctx context.Context) (*S3Container, error) {
 	}, nil
 }
 
+func setupAzuriteContainer(ctx context.Context) (*AzuriteContainer, error) {
+	env := config.GetEnv()
+
+	accountName := "devstoreaccount1"
+	// this is real testing key for azurite, it's not a real key
+	accountKey := "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
+	serviceURL := fmt.Sprintf("http://127.0.0.1:%s/%s", env.TestAzuriteBlobPort, accountName)
+	containerNameKey := "test-container-key"
+	containerNameStr := "test-container-connstr"
+
+	// Build explicit connection string for Azurite
+	connectionString := fmt.Sprintf(
+		"DefaultEndpointsProtocol=http;AccountName=%s;AccountKey=%s;BlobEndpoint=http://127.0.0.1:%s/%s",
+		accountName,
+		accountKey,
+		env.TestAzuriteBlobPort,
+		accountName,
+	)
+
+	// Create client using connection string to set up containers
+	client, err := azblob.NewClientFromConnectionString(connectionString, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create azblob client: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	// Create container for account key auth
+	_, err = client.CreateContainer(ctx, containerNameKey, nil)
+	if err != nil {
+		// Container might already exist, that's okay
+	}
+
+	// Create container for connection string auth
+	_, err = client.CreateContainer(ctx, containerNameStr, nil)
+	if err != nil {
+		// Container might already exist, that's okay
+	}
+
+	return &AzuriteContainer{
+		endpoint:         serviceURL,
+		accountName:      accountName,
+		accountKey:       accountKey,
+		containerNameKey: containerNameKey,
+		containerNameStr: containerNameStr,
+		connectionString: connectionString,
+	}, nil
+}
+
 func validateEnvVariables(t *testing.T) {
 	env := config.GetEnv()
 	assert.NotEmpty(t, env.TestMinioPort, "TEST_MINIO_PORT is empty")
+	assert.NotEmpty(t, env.TestAzuriteBlobPort, "TEST_AZURITE_BLOB_PORT is empty")
 	assert.NotEmpty(t, env.TestNASPort, "TEST_NAS_PORT is empty")
 }

backend/internal/features/storages/models/azure_blob/model.go

@@ -0,0 +1,269 @@
+package azure_blob_storage
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"strings"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
+	"github.com/google/uuid"
+)
+
+type AuthMethod string
+
+const (
+	AuthMethodConnectionString AuthMethod = "CONNECTION_STRING"
+	AuthMethodAccountKey       AuthMethod = "ACCOUNT_KEY"
+)
+
+type AzureBlobStorage struct {
+	StorageID        uuid.UUID  `json:"storageId"        gorm:"primaryKey;type:uuid;column:storage_id"`
+	AuthMethod       AuthMethod `json:"authMethod"       gorm:"not null;type:text;column:auth_method"`
+	ConnectionString string     `json:"connectionString" gorm:"type:text;column:connection_string"`
+	AccountName      string     `json:"accountName"      gorm:"type:text;column:account_name"`
+	AccountKey       string     `json:"accountKey"       gorm:"type:text;column:account_key"`
+	ContainerName    string     `json:"containerName"    gorm:"not null;type:text;column:container_name"`
+	Endpoint         string     `json:"endpoint"         gorm:"type:text;column:endpoint"`
+	Prefix           string     `json:"prefix"           gorm:"type:text;column:prefix"`
+}
+
+func (s *AzureBlobStorage) TableName() string {
+	return "azure_blob_storages"
+}
+
+func (s *AzureBlobStorage) SaveFile(logger *slog.Logger, fileID uuid.UUID, file io.Reader) error {
+	client, err := s.getClient()
+	if err != nil {
+		return err
+	}
+
+	blobName := s.buildBlobName(fileID.String())
+
+	_, err = client.UploadStream(
+		context.TODO(),
+		s.ContainerName,
+		blobName,
+		file,
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to upload blob to Azure: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AzureBlobStorage) GetFile(fileID uuid.UUID) (io.ReadCloser, error) {
+	client, err := s.getClient()
+	if err != nil {
+		return nil, err
+	}
+
+	blobName := s.buildBlobName(fileID.String())
+
+	response, err := client.DownloadStream(
+		context.TODO(),
+		s.ContainerName,
+		blobName,
+		nil,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to download blob from Azure: %w", err)
+	}
+
+	return response.Body, nil
+}
+
+func (s *AzureBlobStorage) DeleteFile(fileID uuid.UUID) error {
+	client, err := s.getClient()
+	if err != nil {
+		return err
+	}
+
+	blobName := s.buildBlobName(fileID.String())
+
+	_, err = client.DeleteBlob(
+		context.TODO(),
+		s.ContainerName,
+		blobName,
+		nil,
+	)
+	if err != nil {
+		var respErr *azcore.ResponseError
+		if errors.As(err, &respErr) && respErr.StatusCode == 404 {
+			return nil
+		}
+		return fmt.Errorf("failed to delete blob from Azure: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AzureBlobStorage) Validate() error {
+	if s.ContainerName == "" {
+		return errors.New("container name is required")
+	}
+
+	switch s.AuthMethod {
+	case AuthMethodConnectionString:
+		if s.ConnectionString == "" {
+			return errors.New(
+				"connection string is required when using CONNECTION_STRING auth method",
+			)
+		}
+	case AuthMethodAccountKey:
+		if s.AccountName == "" {
+			return errors.New("account name is required when using ACCOUNT_KEY auth method")
+		}
+		if s.AccountKey == "" {
+			return errors.New("account key is required when using ACCOUNT_KEY auth method")
+		}
+	default:
+		return fmt.Errorf("invalid auth method: %s", s.AuthMethod)
+	}
+
+	_, err := s.getClient()
+	if err != nil {
+		return fmt.Errorf("invalid Azure Blob configuration: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AzureBlobStorage) TestConnection() error {
+	client, err := s.getClient()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	containerClient := client.ServiceClient().NewContainerClient(s.ContainerName)
+	_, err = containerClient.GetProperties(ctx, nil)
+	if err != nil {
+		var respErr *azcore.ResponseError
+		if errors.As(err, &respErr) {
+			if respErr.StatusCode == 404 {
+				return fmt.Errorf("container '%s' does not exist", s.ContainerName)
+			}
+		}
+		if errors.Is(err, context.DeadlineExceeded) {
+			return errors.New("failed to connect to Azure Blob Storage. Please check params")
+		}
+		return fmt.Errorf("failed to connect to Azure Blob Storage: %w", err)
+	}
+
+	testBlobName := s.buildBlobName(uuid.New().String() + "-test")
+	testData := []byte("test connection")
+
+	_, err = client.UploadStream(
+		ctx,
+		s.ContainerName,
+		testBlobName,
+		bytes.NewReader(testData),
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to upload test blob to Azure: %w", err)
+	}
+
+	_, err = client.DeleteBlob(
+		ctx,
+		s.ContainerName,
+		testBlobName,
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to delete test blob from Azure: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AzureBlobStorage) HideSensitiveData() {
+	s.ConnectionString = ""
+	s.AccountKey = ""
+}
+
+func (s *AzureBlobStorage) Update(incoming *AzureBlobStorage) {
+	s.AuthMethod = incoming.AuthMethod
+	s.ContainerName = incoming.ContainerName
+	s.Endpoint = incoming.Endpoint
+
+	if incoming.ConnectionString != "" {
+		s.ConnectionString = incoming.ConnectionString
+	}
+
+	if incoming.AccountName != "" {
+		s.AccountName = incoming.AccountName
+	}
+
+	if incoming.AccountKey != "" {
+		s.AccountKey = incoming.AccountKey
+	}
+}
+
+func (s *AzureBlobStorage) buildBlobName(fileName string) string {
+	if s.Prefix == "" {
+		return fileName
+	}
+
+	prefix := s.Prefix
+	prefix = strings.TrimPrefix(prefix, "/")
+
+	if !strings.HasSuffix(prefix, "/") {
+		prefix = prefix + "/"
+	}
+
+	return prefix + fileName
+}
+
+func (s *AzureBlobStorage) getClient() (*azblob.Client, error) {
+	var client *azblob.Client
+	var err error
+
+	switch s.AuthMethod {
+	case AuthMethodConnectionString:
+		client, err = azblob.NewClientFromConnectionString(s.ConnectionString, nil)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"failed to create Azure Blob client from connection string: %w",
+				err,
+			)
+		}
+	case AuthMethodAccountKey:
+		accountURL := s.buildAccountURL()
+		credential, credErr := azblob.NewSharedKeyCredential(s.AccountName, s.AccountKey)
+		if credErr != nil {
+			return nil, fmt.Errorf("failed to create Azure shared key credential: %w", credErr)
+		}
+
+		client, err = azblob.NewClientWithSharedKeyCredential(accountURL, credential, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create Azure Blob client with shared key: %w", err)
+		}
+	default:
+		return nil, fmt.Errorf("unsupported auth method: %s", s.AuthMethod)
+	}
+
+	return client, nil
+}
+
+func (s *AzureBlobStorage) buildAccountURL() string {
+	if s.Endpoint != "" {
+		endpoint := s.Endpoint
+		if !strings.HasPrefix(endpoint, "http://") && !strings.HasPrefix(endpoint, "https://") {
+			endpoint = "https://" + endpoint
+		}
+		return endpoint
+	}
+
+	return fmt.Sprintf("https://%s.blob.core.windows.net/", s.AccountName)
+}

backend/internal/features/storages/repository.go

@@ -30,17 +30,21 @@ func (r *StorageRepository) Save(storage *Storage) (*Storage, error) {
 			if storage.NASStorage != nil {
 				storage.NASStorage.StorageID = storage.ID
 			}
+		case StorageTypeAzureBlob:
+			if storage.AzureBlobStorage != nil {
+				storage.AzureBlobStorage.StorageID = storage.ID
+			}
 		}
 
 		if storage.ID == uuid.Nil {
 			if err := tx.Create(storage).
-				Omit("LocalStorage", "S3Storage", "GoogleDriveStorage", "NASStorage").
+				Omit("LocalStorage", "S3Storage", "GoogleDriveStorage", "NASStorage", "AzureBlobStorage").
 				Error; err != nil {
 				return err
 			}
 		} else {
 			if err := tx.Save(storage).
-				Omit("LocalStorage", "S3Storage", "GoogleDriveStorage", "NASStorage").
+				Omit("LocalStorage", "S3Storage", "GoogleDriveStorage", "NASStorage", "AzureBlobStorage").
 				Error; err != nil {
 				return err
 			}
@@ -75,6 +79,13 @@ func (r *StorageRepository) Save(storage *Storage) (*Storage, error) {
 					return err
 				}
 			}
+		case StorageTypeAzureBlob:
+			if storage.AzureBlobStorage != nil {
+				storage.AzureBlobStorage.StorageID = storage.ID // Ensure ID is set
+				if err := tx.Save(storage.AzureBlobStorage).Error; err != nil {
+					return err
+				}
+			}
 		}
 
 		return nil
@@ -96,6 +107,7 @@ func (r *StorageRepository) FindByID(id uuid.UUID) (*Storage, error) {
 		Preload("S3Storage").
 		Preload("GoogleDriveStorage").
 		Preload("NASStorage").
+		Preload("AzureBlobStorage").
 		Where("id = ?", id).
 		First(&s).Error; err != nil {
 		return nil, err
@@ -113,6 +125,7 @@ func (r *StorageRepository) FindByWorkspaceID(workspaceID uuid.UUID) ([]*Storage
 		Preload("S3Storage").
 		Preload("GoogleDriveStorage").
 		Preload("NASStorage").
+		Preload("AzureBlobStorage").
 		Where("workspace_id = ?", workspaceID).
 		Order("name ASC").
 		Find(&storages).Error; err != nil {
@@ -150,6 +163,12 @@ func (r *StorageRepository) Delete(s *Storage) error {
 					return err
 				}
 			}
+		case StorageTypeAzureBlob:
+			if s.AzureBlobStorage != nil {
+				if err := tx.Delete(s.AzureBlobStorage).Error; err != nil {
+					return err
+				}
+			}
 		}
 
 		// Delete the main storage

backend/internal/features/tests/postgresql_backup_restore_test.go

@@ -79,14 +79,171 @@ func Test_BackupAndRestorePostgresql_RestoreIsSuccesful(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		tc := tc // capture loop variable
 		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel() // Enable parallel execution
+			t.Parallel()
 			testBackupRestoreForVersion(t, tc.version, tc.port)
 		})
 	}
 }
 
+func Test_BackupAndRestorePostgresqlWithEncryption_RestoreIsSuccessful(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+		{"PostgreSQL 18", "18", env.TestPostgres18Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			testBackupRestoreWithEncryptionForVersion(t, tc.version, tc.port)
+		})
+	}
+}
+
+func testBackupRestoreWithEncryptionForVersion(t *testing.T, pgVersion string, port string) {
+	// Connect to pre-configured PostgreSQL container
+	container, err := connectToPostgresContainer(pgVersion, port)
+	assert.NoError(t, err)
+	defer func() {
+		if container.DB != nil {
+			container.DB.Close()
+		}
+	}()
+
+	_, err = container.DB.Exec(createAndFillTableQuery)
+	assert.NoError(t, err)
+
+	// Prepare data for backup
+	backupID := uuid.New()
+	pgVersionEnum := tools.GetPostgresqlVersionEnum(pgVersion)
+
+	backupDb := &databases.Database{
+		ID:   uuid.New(),
+		Type: databases.DatabaseTypePostgres,
+		Name: "Test Database",
+		Postgresql: &pgtypes.PostgresqlDatabase{
+			Version:  pgVersionEnum,
+			Host:     container.Host,
+			Port:     container.Port,
+			Username: container.Username,
+			Password: container.Password,
+			Database: &container.Database,
+			IsHttps:  false,
+		},
+	}
+
+	storageID := uuid.New()
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:       backupDb.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodDay,
+		BackupInterval:   &intervals.Interval{Interval: intervals.IntervalDaily},
+		StorageID:        &storageID,
+		CpuCount:         1,
+		Encryption:       backups_config.BackupEncryptionEncrypted,
+	}
+
+	storage := &storages.Storage{
+		WorkspaceID:  uuid.New(),
+		Type:         storages.StorageTypeLocal,
+		Name:         "Test Storage",
+		LocalStorage: &local_storage.LocalStorage{},
+	}
+
+	// Make backup
+	progressTracker := func(completedMBs float64) {}
+	metadata, err := usecases_postgresql_backup.GetCreatePostgresqlBackupUsecase().Execute(
+		context.Background(),
+		backupID,
+		backupConfig,
+		backupDb,
+		storage,
+		progressTracker,
+	)
+	assert.NoError(t, err)
+	assert.NotNil(t, metadata)
+
+	// Verify encryption metadata is set
+	assert.Equal(t, backups_config.BackupEncryptionEncrypted, metadata.Encryption)
+	assert.NotNil(t, metadata.EncryptionSalt)
+	assert.NotNil(t, metadata.EncryptionIV)
+
+	// Create new database
+	newDBName := "restoreddb_encrypted"
+	_, err = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS %s;", newDBName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE %s;", newDBName))
+	assert.NoError(t, err)
+
+	// Connect to the new database
+	newDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, container.Username, container.Password, newDBName)
+	newDB, err := sqlx.Connect("postgres", newDSN)
+	assert.NoError(t, err)
+	defer newDB.Close()
+
+	// Setup data for restore with encryption metadata
+	completedBackup := &backups.Backup{
+		ID:             backupID,
+		DatabaseID:     backupDb.ID,
+		StorageID:      storage.ID,
+		Status:         backups.BackupStatusCompleted,
+		CreatedAt:      time.Now().UTC(),
+		EncryptionSalt: metadata.EncryptionSalt,
+		EncryptionIV:   metadata.EncryptionIV,
+		Encryption:     metadata.Encryption,
+	}
+
+	restoreID := uuid.New()
+	restore := models.Restore{
+		ID:     restoreID,
+		Backup: completedBackup,
+		Postgresql: &pgtypes.PostgresqlDatabase{
+			Version:  pgVersionEnum,
+			Host:     container.Host,
+			Port:     container.Port,
+			Username: container.Username,
+			Password: container.Password,
+			Database: &newDBName,
+			IsHttps:  false,
+		},
+	}
+
+	// Restore the encrypted backup
+	restoreBackupUC := usecases_postgresql_restore.GetRestorePostgresqlBackupUsecase()
+	err = restoreBackupUC.Execute(backupDb, backupConfig, restore, completedBackup, storage)
+	assert.NoError(t, err)
+
+	// Verify restored table exists
+	var tableExists bool
+	err = newDB.Get(
+		&tableExists,
+		"SELECT EXISTS (SELECT FROM information_schema.tables WHERE table_name = 'test_data')",
+	)
+	assert.NoError(t, err)
+	assert.True(t, tableExists, "Table 'test_data' should exist in restored database")
+
+	// Verify data integrity
+	verifyDataIntegrity(t, container.DB, newDB)
+
+	// Clean up the backup file after the test
+	err = os.Remove(filepath.Join(config.GetEnv().DataFolder, backupID.String()))
+	if err != nil {
+		t.Logf("Warning: Failed to delete backup file: %v", err)
+	}
+}
+
 // Run a test for a specific PostgreSQL version
 func testBackupRestoreForVersion(t *testing.T, pgVersion string, port string) {
 	// Connect to pre-configured PostgreSQL container
@@ -139,7 +296,7 @@ func testBackupRestoreForVersion(t *testing.T, pgVersion string, port string) {
 
 	// Make backup
 	progressTracker := func(completedMBs float64) {}
-	err = usecases_postgresql_backup.GetCreatePostgresqlBackupUsecase().Execute(
+	_, err = usecases_postgresql_backup.GetCreatePostgresqlBackupUsecase().Execute(
 		context.Background(),
 		backupID,
 		backupConfig,

backend/internal/features/users/models/secret_key.go

@@ -1,7 +1,7 @@
 package users_models
 
 type SecretKey struct {
-	Secret string `gorm:"column:secret"`
+	Secret string `gorm:"column:secret" json:"-"`
 }
 
 func (SecretKey) TableName() string {

backend/internal/features/users/repositories/di.go

@@ -0,0 +1,17 @@
+package users_repositories
+
+var secretKeyRepository = &SecretKeyRepository{}
+var userRepository = &UserRepository{}
+var usersSettingsRepository = &UsersSettingsRepository{}
+
+func GetSecretKeyRepository() *SecretKeyRepository {
+	return secretKeyRepository
+}
+
+func GetUserRepository() *UserRepository {
+	return userRepository
+}
+
+func GetUsersSettingsRepository() *UsersSettingsRepository {
+	return usersSettingsRepository
+}

backend/internal/features/users/repositories/secret_key_repository.go

@@ -14,9 +14,7 @@ type SecretKeyRepository struct{}
 func (r *SecretKeyRepository) GetSecretKey() (string, error) {
 	var secretKey user_models.SecretKey
 
-	if err := storage.
-		GetDb().
-		First(&secretKey).Error; err != nil {
+	if err := storage.GetDb().First(&secretKey).Error; err != nil {
 		// create a new secret key if not found
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			newSecretKey := user_models.SecretKey{

backend/internal/features/users/services/di.go

@@ -1,25 +1,19 @@
 package users_services
 
-import (
-	user_repositories "postgresus-backend/internal/features/users/repositories"
-)
-
-var secretKeyRepository = &user_repositories.SecretKeyRepository{}
-var userRepository = &user_repositories.UserRepository{}
-var usersSettingsRepository = &user_repositories.UsersSettingsRepository{}
+import users_repositories "postgresus-backend/internal/features/users/repositories"
 
 var userService = &UserService{
-	userRepository,
-	secretKeyRepository,
+	users_repositories.GetUserRepository(),
+	users_repositories.GetSecretKeyRepository(),
 	settingsService,
 	nil,
 }
 var settingsService = &SettingsService{
-	usersSettingsRepository,
+	users_repositories.GetUsersSettingsRepository(),
 	nil,
 }
 var managementService = &UserManagementService{
-	userRepository,
+	users_repositories.GetUserRepository(),
 	nil,
 }
 

backend/migrations/20251116195618_add_azure_blob_storage.sql

@@ -0,0 +1,28 @@
+-- +goose Up
+-- +goose StatementBegin
+
+CREATE TABLE azure_blob_storages (
+    storage_id        UUID PRIMARY KEY,
+    auth_method       TEXT NOT NULL,
+    connection_string TEXT,
+    account_name      TEXT,
+    account_key       TEXT,
+    container_name    TEXT NOT NULL,
+    endpoint          TEXT,
+    prefix            TEXT
+);
+
+ALTER TABLE azure_blob_storages
+    ADD CONSTRAINT fk_azure_blob_storages_storage
+    FOREIGN KEY (storage_id)
+    REFERENCES storages (id)
+    ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP TABLE IF EXISTS azure_blob_storages;
+
+-- +goose StatementEnd

backend/migrations/20251117064849_add_backup_encryption_fields.sql

@@ -0,0 +1,25 @@
+-- +goose Up
+-- +goose StatementBegin
+
+ALTER TABLE backup_configs
+    ADD COLUMN encryption TEXT NOT NULL DEFAULT 'NONE';
+
+ALTER TABLE backups
+    ADD COLUMN encryption_salt TEXT,
+    ADD COLUMN encryption_iv   TEXT,
+    ADD COLUMN encryption      TEXT NOT NULL DEFAULT 'NONE';
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+ALTER TABLE backups
+    DROP COLUMN IF EXISTS encryption,
+    DROP COLUMN IF EXISTS encryption_iv,
+    DROP COLUMN IF EXISTS encryption_salt;
+
+ALTER TABLE backup_configs
+    DROP COLUMN IF EXISTS encryption;
+
+-- +goose StatementEnd

frontend/public/icons/storages/azure.svg

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 -28.5 256 256" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <title>path21</title>
+    <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <path d="M118.431947,187.698037 C151.322003,181.887937 178.48731,177.08008 178.799309,177.013916 L179.366585,176.893612 L148.31513,139.958881 C131.236843,119.644776 117.26369,102.945381 117.26369,102.849118 C117.26369,102.666861 149.32694,14.3716012 149.507189,14.057257 C149.567455,13.952452 171.38747,51.62411 202.400338,105.376064 C231.435152,155.699606 255.372949,197.191547 255.595444,197.580359 L255.999996,198.287301 L157.315912,198.274572 L58.6318456,198.261895 L118.431947,187.698073 L118.431947,187.698037 Z M-4.03864498e-06,176.434723 C-4.03864498e-06,176.382721 14.631291,150.983941 32.5139844,119.992969 L65.0279676,63.6457518 L102.919257,31.8473052 C123.759465,14.3581634 140.866667,0.0274832751 140.935253,0.00062917799 C141.003839,-0.0247829554 140.729691,0.665213042 140.326034,1.53468179 C139.922377,2.40415053 121.407304,42.1170321 99.1814268,89.7855264 L58.7707514,176.455514 L29.3853737,176.492355 C13.2234196,176.512639 -4.03864498e-06,176.486664 -4.03864498e-06,176.434703 L-4.03864498e-06,176.434723 Z" fill="#0089D6" fill-rule="nonzero">
+
+</path>
+    </g>

frontend/src/entity/backups/index.ts

@@ -4,3 +4,4 @@ export { BackupStatus } from './model/BackupStatus';
 export type { Backup } from './model/Backup';
 export type { BackupConfig } from './model/BackupConfig';
 export { BackupNotificationType } from './model/BackupNotificationType';
+export { BackupEncryption } from './model/BackupEncryption';

frontend/src/entity/backups/model/Backup.ts

@@ -1,5 +1,6 @@
 import type { Database } from '../../databases/model/Database';
 import type { Storage } from '../../storages';
+import { BackupEncryption } from './BackupEncryption';
 import { BackupStatus } from './BackupStatus';
 
 export interface Backup {
@@ -15,5 +16,7 @@ export interface Backup {
 
   backupDurationMs: number;
 
+  encryption: BackupEncryption;
+
   createdAt: Date;
 }

frontend/src/entity/backups/model/BackupConfig.ts

@@ -1,6 +1,7 @@
 import type { Period } from '../../databases/model/Period';
 import type { Interval } from '../../intervals';
 import type { Storage } from '../../storages';
+import { BackupEncryption } from './BackupEncryption';
 import type { BackupNotificationType } from './BackupNotificationType';
 
 export interface BackupConfig {
@@ -14,4 +15,5 @@ export interface BackupConfig {
   cpuCount: number;
   isRetryIfFailed: boolean;
   maxFailedTriesCount: number;
+  encryption: BackupEncryption;
 }

frontend/src/entity/backups/model/BackupEncryption.ts

@@ -0,0 +1,4 @@
+export enum BackupEncryption {
+  NONE = 'NONE',
+  ENCRYPTED = 'ENCRYPTED',
+}

frontend/src/entity/storages/index.ts

@@ -7,3 +7,4 @@ export { type NASStorage } from './models/NASStorage';
 export { getStorageLogoFromType } from './models/getStorageLogoFromType';
 export { getStorageNameFromType } from './models/getStorageNameFromType';
 export { type GoogleDriveStorage } from './models/GoogleDriveStorage';
+export { type AzureBlobStorage } from './models/AzureBlobStorage';

frontend/src/entity/storages/models/AzureBlobStorage.ts

@@ -0,0 +1,9 @@
+export interface AzureBlobStorage {
+  authMethod: 'CONNECTION_STRING' | 'ACCOUNT_KEY';
+  connectionString: string;
+  accountName: string;
+  accountKey: string;
+  containerName: string;
+  endpoint?: string;
+  prefix?: string;
+}

frontend/src/entity/storages/models/Storage.ts

@@ -1,3 +1,4 @@
+import type { AzureBlobStorage } from './AzureBlobStorage';
 import type { GoogleDriveStorage } from './GoogleDriveStorage';
 import type { LocalStorage } from './LocalStorage';
 import type { NASStorage } from './NASStorage';
@@ -16,4 +17,5 @@ export interface Storage {
   s3Storage?: S3Storage;
   googleDriveStorage?: GoogleDriveStorage;
   nasStorage?: NASStorage;
+  azureBlobStorage?: AzureBlobStorage;
 }

frontend/src/entity/storages/models/StorageType.ts

@@ -3,4 +3,5 @@ export enum StorageType {
   S3 = 'S3',
   GOOGLE_DRIVE = 'GOOGLE_DRIVE',
   NAS = 'NAS',
+  AZURE_BLOB = 'AZURE_BLOB',
 }

frontend/src/entity/storages/models/getStorageLogoFromType.ts

@@ -10,6 +10,8 @@ export const getStorageLogoFromType = (type: StorageType) => {
       return '/icons/storages/google-drive.svg';
     case StorageType.NAS:
       return '/icons/storages/nas.svg';
+    case StorageType.AZURE_BLOB:
+      return '/icons/storages/azure.svg';
     default:
       return '';
   }

frontend/src/entity/storages/models/getStorageNameFromType.ts

@@ -10,6 +10,8 @@ export const getStorageNameFromType = (type: StorageType) => {
       return 'Google Drive';
     case StorageType.NAS:
       return 'NAS';
+    case StorageType.AZURE_BLOB:
+      return 'Azure Blob Storage';
     default:
       return '';
   }

frontend/src/features/backups/ui/BackupsComponent.tsx

@@ -6,6 +6,7 @@ import {
   DownloadOutlined,
   ExclamationCircleOutlined,
   InfoCircleOutlined,
+  LockOutlined,
   SyncOutlined,
 } from '@ant-design/icons';
 import { Button, Modal, Spin, Table, Tooltip } from 'antd';
@@ -16,6 +17,7 @@ import { useEffect, useRef, useState } from 'react';
 import {
   type Backup,
   type BackupConfig,
+  BackupEncryption,
   BackupStatus,
   backupConfigApi,
   backupsApi,
@@ -318,6 +320,12 @@ export const BackupsComponent = ({ database, isCanManageDBs, scrollContainerRef
             <div className="flex items-center text-green-600">
               <CheckCircleOutlined className="mr-2" style={{ fontSize: 16 }} />
               <div>Successful</div>
+
+              {record.encryption === BackupEncryption.ENCRYPTED && (
+                <Tooltip title="Encrypted">
+                  <LockOutlined className="ml-1" style={{ fontSize: 14 }} />
+                </Tooltip>
+              )}
             </div>
           );
         }

frontend/src/features/backups/ui/EditBackupConfigComponent.tsx

@@ -13,7 +13,7 @@ import {
 import dayjs, { Dayjs } from 'dayjs';
 import { useEffect, useMemo, useState } from 'react';
 
-import { type BackupConfig, backupConfigApi } from '../../../entity/backups';
+import { type BackupConfig, BackupEncryption, backupConfigApi } from '../../../entity/backups';
 import { BackupNotificationType } from '../../../entity/backups/model/BackupNotificationType';
 import type { Database } from '../../../entity/databases';
 import { Period } from '../../../entity/databases/model/Period';
@@ -153,6 +153,7 @@ export const EditBackupConfigComponent = ({
         sendNotificationsOn: [],
         isRetryIfFailed: true,
         maxFailedTriesCount: 3,
+        encryption: BackupEncryption.ENCRYPTED,
       });
     }
     loadStorages();
@@ -195,6 +196,7 @@ export const EditBackupConfigComponent = ({
     (Boolean(backupConfig.storePeriod) &&
       Boolean(backupConfig.storage?.id) &&
       Boolean(backupConfig.cpuCount) &&
+      Boolean(backupConfig.encryption) &&
       Boolean(backupInterval?.interval) &&
       (!backupInterval ||
         ((backupInterval.interval !== IntervalType.WEEKLY || displayedWeekday) &&
@@ -418,6 +420,27 @@ export const EditBackupConfigComponent = ({
         )}
       </div>
 
+      <div className="mb-1 flex w-full items-center">
+        <div className="min-w-[150px]">Encryption</div>
+        <Select
+          value={backupConfig.encryption}
+          onChange={(v) => updateBackupConfig({ encryption: v })}
+          size="small"
+          className="max-w-[200px] grow"
+          options={[
+            { label: 'None', value: BackupEncryption.NONE },
+            { label: 'Encrypt backup files', value: BackupEncryption.ENCRYPTED },
+          ]}
+        />
+
+        <Tooltip
+          className="cursor-pointer"
+          title="If backup is encrypted, backup files in your storage (S3, local, etc.) cannot be used directly. You can restore backups through Postgresus or download them unencrypted via the 'Download' button."
+        >
+          <InfoCircleOutlined className="ml-2" style={{ color: 'gray' }} />
+        </Tooltip>
+      </div>
+
       {backupConfig.isBackupsEnabled && (
         <>
           <div className="mt-4 mb-1 flex w-full items-start">

frontend/src/features/backups/ui/ShowBackupConfigComponent.tsx

@@ -1,8 +1,10 @@
+import { InfoCircleOutlined } from '@ant-design/icons';
+import { Tooltip } from 'antd';
 import dayjs from 'dayjs';
 import { useMemo } from 'react';
 import { useEffect, useState } from 'react';
 
-import { type BackupConfig, backupConfigApi } from '../../../entity/backups';
+import { type BackupConfig, BackupEncryption, backupConfigApi } from '../../../entity/backups';
 import { BackupNotificationType } from '../../../entity/backups/model/BackupNotificationType';
 import type { Database } from '../../../entity/databases';
 import { Period } from '../../../entity/databases/model/Period';
@@ -167,6 +169,18 @@ export const ShowBackupConfigComponent = ({ database }: Props) => {
             </div>
           </div>
 
+          <div className="mb-1 flex w-full items-center">
+            <div className="min-w-[150px]">Encryption</div>
+            <div>{backupConfig.encryption === BackupEncryption.ENCRYPTED ? 'Enabled' : 'None'}</div>
+
+            <Tooltip
+              className="cursor-pointer"
+              title="If backup is encrypted, backup files in your storage (S3, local, etc.) cannot be used directly. You can restore backups through Postgresus or download them unencrypted via the 'Download' button."
+            >
+              <InfoCircleOutlined className="ml-2" style={{ color: 'gray' }} />
+            </Tooltip>
+          </div>
+
           <div className="mb-1 flex w-full items-center">
             <div className="min-w-[150px]">Notifications</div>
             <div>

frontend/src/features/storages/ui/edit/EditStorageComponent.tsx

@@ -8,6 +8,7 @@ import {
   storageApi,
 } from '../../../../entity/storages';
 import { ToastHelper } from '../../../../shared/toast';
+import { EditAzureBlobStorageComponent } from './storages/EditAzureBlobStorageComponent';
 import { EditGoogleDriveStorageComponent } from './storages/EditGoogleDriveStorageComponent';
 import { EditNASStorageComponent } from './storages/EditNASStorageComponent';
 import { EditS3StorageComponent } from './storages/EditS3StorageComponent';
@@ -80,6 +81,7 @@ export function EditStorageComponent({
     storage.localStorage = undefined;
     storage.s3Storage = undefined;
     storage.googleDriveStorage = undefined;
+    storage.azureBlobStorage = undefined;
 
     if (type === StorageType.LOCAL) {
       storage.localStorage = {};
@@ -115,6 +117,18 @@ export function EditStorageComponent({
       };
     }
 
+    if (type === StorageType.AZURE_BLOB) {
+      storage.azureBlobStorage = {
+        authMethod: 'ACCOUNT_KEY',
+        connectionString: '',
+        accountName: '',
+        accountKey: '',
+        containerName: '',
+        endpoint: '',
+        prefix: '',
+      };
+    }
+
     setStorage(
       JSON.parse(
         JSON.stringify({
@@ -197,6 +211,26 @@ export function EditStorageComponent({
       );
     }
 
+    if (storage.type === StorageType.AZURE_BLOB) {
+      if (storage.id) {
+        return storage.azureBlobStorage?.containerName;
+      }
+
+      const isContainerNameFilled = storage.azureBlobStorage?.containerName;
+
+      if (storage.azureBlobStorage?.authMethod === 'CONNECTION_STRING') {
+        return isContainerNameFilled && storage.azureBlobStorage?.connectionString;
+      }
+
+      if (storage.azureBlobStorage?.authMethod === 'ACCOUNT_KEY') {
+        return (
+          isContainerNameFilled &&
+          storage.azureBlobStorage?.accountName &&
+          storage.azureBlobStorage?.accountKey
+        );
+      }
+    }
+
     return false;
   };
 
@@ -231,6 +265,7 @@ export function EditStorageComponent({
             { label: 'S3', value: StorageType.S3 },
             { label: 'Google Drive', value: StorageType.GOOGLE_DRIVE },
             { label: 'NAS', value: StorageType.NAS },
+            { label: 'Azure Blob Storage', value: StorageType.AZURE_BLOB },
           ]}
           onChange={(value) => {
             setStorageType(value);
@@ -278,6 +313,17 @@ export function EditStorageComponent({
             }}
           />
         )}
+
+        {storage?.type === StorageType.AZURE_BLOB && (
+          <EditAzureBlobStorageComponent
+            storage={storage}
+            setStorage={setStorage}
+            setUnsaved={() => {
+              setIsUnsaved(true);
+              setIsTestConnectionSuccess(false);
+            }}
+          />
+        )}
       </div>
 
       <div className="mt-3 flex">

frontend/src/features/storages/ui/edit/storages/EditAzureBlobStorageComponent.tsx

@@ -0,0 +1,226 @@
+import { DownOutlined, InfoCircleOutlined, UpOutlined } from '@ant-design/icons';
+import { Input, Radio, Tooltip } from 'antd';
+import { useState } from 'react';
+
+import type { Storage } from '../../../../../entity/storages';
+
+interface Props {
+  storage: Storage;
+  setStorage: (storage: Storage) => void;
+  setUnsaved: () => void;
+}
+
+export function EditAzureBlobStorageComponent({ storage, setStorage, setUnsaved }: Props) {
+  const hasAdvancedValues =
+    !!storage?.azureBlobStorage?.prefix || !!storage?.azureBlobStorage?.endpoint;
+  const [showAdvanced, setShowAdvanced] = useState(hasAdvancedValues);
+
+  return (
+    <>
+      <div className="mb-1 flex items-center">
+        <div className="min-w-[110px]">Auth method</div>
+        <Radio.Group
+          value={storage?.azureBlobStorage?.authMethod || 'ACCOUNT_KEY'}
+          onChange={(e) => {
+            if (!storage?.azureBlobStorage) return;
+
+            setStorage({
+              ...storage,
+              azureBlobStorage: {
+                ...storage.azureBlobStorage,
+                authMethod: e.target.value,
+              },
+            });
+            setUnsaved();
+          }}
+          size="small"
+        >
+          <Radio value="ACCOUNT_KEY">Account key</Radio>
+          <Radio value="CONNECTION_STRING">Connection string</Radio>
+        </Radio.Group>
+      </div>
+
+      {storage?.azureBlobStorage?.authMethod === 'CONNECTION_STRING' && (
+        <div className="mb-1 flex items-center">
+          <div className="min-w-[110px]">Connection</div>
+          <Input.Password
+            value={storage?.azureBlobStorage?.connectionString || ''}
+            onChange={(e) => {
+              if (!storage?.azureBlobStorage) return;
+
+              setStorage({
+                ...storage,
+                azureBlobStorage: {
+                  ...storage.azureBlobStorage,
+                  connectionString: e.target.value.trim(),
+                },
+              });
+              setUnsaved();
+            }}
+            size="small"
+            className="w-full max-w-[250px]"
+            placeholder="DefaultEndpointsProtocol=https;AccountName=..."
+          />
+
+          <Tooltip
+            className="cursor-pointer"
+            title="Azure Storage connection string from Azure Portal"
+          >
+            <InfoCircleOutlined className="ml-2" style={{ color: 'gray' }} />
+          </Tooltip>
+        </div>
+      )}
+
+      {storage?.azureBlobStorage?.authMethod === 'ACCOUNT_KEY' && (
+        <>
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Account name</div>
+            <Input
+              value={storage?.azureBlobStorage?.accountName || ''}
+              onChange={(e) => {
+                if (!storage?.azureBlobStorage) return;
+
+                setStorage({
+                  ...storage,
+                  azureBlobStorage: {
+                    ...storage.azureBlobStorage,
+                    accountName: e.target.value.trim(),
+                  },
+                });
+                setUnsaved();
+              }}
+              size="small"
+              className="w-full max-w-[250px]"
+              placeholder="mystorageaccount"
+            />
+          </div>
+
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Account key</div>
+            <Input.Password
+              value={storage?.azureBlobStorage?.accountKey || ''}
+              onChange={(e) => {
+                if (!storage?.azureBlobStorage) return;
+
+                setStorage({
+                  ...storage,
+                  azureBlobStorage: {
+                    ...storage.azureBlobStorage,
+                    accountKey: e.target.value.trim(),
+                  },
+                });
+                setUnsaved();
+              }}
+              size="small"
+              className="w-full max-w-[250px]"
+              placeholder="your-account-key"
+            />
+          </div>
+        </>
+      )}
+
+      <div className="mb-1 flex items-center">
+        <div className="min-w-[110px]">Container name</div>
+        <Input
+          value={storage?.azureBlobStorage?.containerName || ''}
+          onChange={(e) => {
+            if (!storage?.azureBlobStorage) return;
+
+            setStorage({
+              ...storage,
+              azureBlobStorage: {
+                ...storage.azureBlobStorage,
+                containerName: e.target.value.trim(),
+              },
+            });
+            setUnsaved();
+          }}
+          size="small"
+          className="w-full max-w-[250px]"
+          placeholder="my-container"
+        />
+      </div>
+
+      <div className="mt-4 mb-3 flex items-center">
+        <div
+          className="flex cursor-pointer items-center text-sm text-blue-600 hover:text-blue-800"
+          onClick={() => setShowAdvanced(!showAdvanced)}
+        >
+          <span className="mr-2">Advanced settings</span>
+
+          {showAdvanced ? (
+            <UpOutlined style={{ fontSize: '12px' }} />
+          ) : (
+            <DownOutlined style={{ fontSize: '12px' }} />
+          )}
+        </div>
+      </div>
+
+      {showAdvanced && (
+        <>
+          {storage?.azureBlobStorage?.authMethod === 'ACCOUNT_KEY' && (
+            <div className="mb-1 flex items-center">
+              <div className="min-w-[110px]">Endpoint</div>
+              <Input
+                value={storage?.azureBlobStorage?.endpoint || ''}
+                onChange={(e) => {
+                  if (!storage?.azureBlobStorage) return;
+
+                  setStorage({
+                    ...storage,
+                    azureBlobStorage: {
+                      ...storage.azureBlobStorage,
+                      endpoint: e.target.value.trim(),
+                    },
+                  });
+                  setUnsaved();
+                }}
+                size="small"
+                className="w-full max-w-[250px]"
+                placeholder="https://myaccount.blob.core.windows.net (optional)"
+              />
+
+              <Tooltip
+                className="cursor-pointer"
+                title="Custom endpoint URL (optional, leave empty for standard Azure)"
+              >
+                <InfoCircleOutlined className="ml-2" style={{ color: 'gray' }} />
+              </Tooltip>
+            </div>
+          )}
+
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Blob prefix</div>
+            <Input
+              value={storage?.azureBlobStorage?.prefix || ''}
+              onChange={(e) => {
+                if (!storage?.azureBlobStorage) return;
+
+                setStorage({
+                  ...storage,
+                  azureBlobStorage: {
+                    ...storage.azureBlobStorage,
+                    prefix: e.target.value.trim(),
+                  },
+                });
+                setUnsaved();
+              }}
+              size="small"
+              className="w-full max-w-[250px]"
+              placeholder="my-prefix/ (optional)"
+            />
+
+            <Tooltip
+              className="cursor-pointer"
+              title="Optional prefix for all blob names (e.g., 'backups/' or 'my_team/')"
+            >
+              <InfoCircleOutlined className="ml-2" style={{ color: 'gray' }} />
+            </Tooltip>
+          </div>
+        </>
+      )}
+
+      <div className="mb-5" />
+    </>
+  );
+}

frontend/src/features/storages/ui/show/ShowStorageComponent.tsx

@@ -1,6 +1,7 @@
 import { type Storage, StorageType } from '../../../../entity/storages';
 import { getStorageLogoFromType } from '../../../../entity/storages/models/getStorageLogoFromType';
 import { getStorageNameFromType } from '../../../../entity/storages/models/getStorageNameFromType';
+import { ShowAzureBlobStorageComponent } from './storages/ShowAzureBlobStorageComponent';
 import { ShowGoogleDriveStorageComponent } from './storages/ShowGoogleDriveStorageComponent';
 import { ShowNASStorageComponent } from './storages/ShowNASStorageComponent';
 import { ShowS3StorageComponent } from './storages/ShowS3StorageComponent';
@@ -37,6 +38,12 @@ export function ShowStorageComponent({ storage }: Props) {
       <div>
         {storage?.type === StorageType.NAS && <ShowNASStorageComponent storage={storage} />}
       </div>
+
+      <div>
+        {storage?.type === StorageType.AZURE_BLOB && (
+          <ShowAzureBlobStorageComponent storage={storage} />
+        )}
+      </div>
     </div>
   );
 }

frontend/src/features/storages/ui/show/storages/ShowAzureBlobStorageComponent.tsx

@@ -0,0 +1,56 @@
+import type { Storage } from '../../../../../entity/storages';
+
+interface Props {
+  storage: Storage;
+}
+
+export function ShowAzureBlobStorageComponent({ storage }: Props) {
+  return (
+    <>
+      <div className="mb-1 flex items-center">
+        <div className="min-w-[110px]">Auth method</div>
+        {storage?.azureBlobStorage?.authMethod === 'CONNECTION_STRING'
+          ? 'Connection string'
+          : 'Account key'}
+      </div>
+
+      {storage?.azureBlobStorage?.authMethod === 'CONNECTION_STRING' && (
+        <div className="mb-1 flex items-center">
+          <div className="min-w-[110px]">Connection string</div>
+          {'*************'}
+        </div>
+      )}
+
+      {storage?.azureBlobStorage?.authMethod === 'ACCOUNT_KEY' && (
+        <>
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Account name</div>
+            {storage?.azureBlobStorage?.accountName || '-'}
+          </div>
+
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Account key</div>
+            {'*************'}
+          </div>
+
+          <div className="mb-1 flex items-center">
+            <div className="min-w-[110px]">Endpoint</div>
+            {storage?.azureBlobStorage?.endpoint || '-'}
+          </div>
+        </>
+      )}
+
+      <div className="mb-1 flex items-center">
+        <div className="min-w-[110px]">Container name</div>
+        {storage?.azureBlobStorage?.containerName || '-'}
+      </div>
+
+      {storage?.azureBlobStorage?.prefix && (
+        <div className="mb-1 flex items-center">
+          <div className="min-w-[110px]">Prefix</div>
+          {storage.azureBlobStorage.prefix}
+        </div>
+      )}
+    </>
+  );
+}