Produce an evidence bundle
Export a verifiable evidence bundle for a backup artifact and hand it to an auditor.
This guide: export an evidence bundle for a backup artifact and verify it offline. The bundle is what a compliance reviewer needs to confirm a backup exists, is signed, and has an intact audit chain — without trusting the dashboard.
Prerequisites
- A protected database with at least one
completedbackup. - Node 20+ on the machine where you will verify the bundle.
Step 1: Export the bundle
- In the dashboard, open the database detail page.
- In Backup history, find the backup artifact you want evidence for.
- Click Download evidence bundle. You get a
.tgzcontaining the signed manifest and every audit event for that artifact.
Step 2: Verify it offline
The bundle is verifiable without contacting walwarden. Download the public Ed25519 verification key, then run the verifier:
# Walwarden's published public key
curl -O https://walwarden.com/.well-known/walwarden-pubkey.pem
# Verify the bundle you exported
npx @walwarden/verifier \
--bundle evidence-bundle.tgz \
--pubkey walwarden-pubkey.pemA successful run prints, for example:
OK: 1 manifests verified, 6 audit events chain-intact (exit 0)Verify it worked
The verifier exits 0 and reports the manifest signature valid and the audit event sequence contiguous. That bundle is now self-contained evidence: an auditor can re-run the same command on an air-gapped machine given only the bundle and the public key.
For what the audit chain records and how verification works in detail, see The audit chain.