walwarden

Produce an evidence bundle

Export a verifiable evidence bundle for a backup artifact and hand it to an auditor.

This guide shows how to export an evidence bundle for a backup artifact and verify it offline. The bundle is what a compliance reviewer needs to confirm that a backup exists, is signed, and has an intact audit chain, without trusting the dashboard.

Prerequisites

  • A protected database with at least one completed backup.
  • Node 20+ on the machine where you will verify the bundle.

Step 1: Export the bundle

  1. In the dashboard, open the database detail page.
  2. In Backup history, find the backup artifact you want evidence for.
  3. Click Download evidence bundle. You get a .tgz containing the signed manifest and every audit event for that artifact.

Step 2: Verify it offline

The bundle is verifiable without contacting walwarden. Download the public Ed25519 verification key, then run the verifier:

# Walwarden's published public key
curl -O https://walwarden.com/.well-known/walwarden-pubkey.pem

# Verify the bundle you exported
npx @walwarden/verifier \
  --bundle evidence-bundle.tgz \
  --pubkey walwarden-pubkey.pem

A successful run prints, for example:

OK: 1 manifests verified, 6 audit events chain-intact  (exit 0)

Verify it worked

The verifier exits 0 and reports the manifest signature valid and the audit event sequence contiguous. That bundle is now self-contained evidence: an auditor can re-run the same command on an air-gapped machine given only the bundle and the public key.
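
One way to script Step 2 for hand-off, as an added example that is not part of walwarden's tooling: it runs the verifier command shown above, gates on the exit status rather than the printed text, and records SHA-256 digests of the exact bundle and key that were checked so the auditor can confirm they received the same files. The function names, the VERIFIER override variable and the record file format are assumptions of this example.

```sh
#!/bin/sh
# Added example (not walwarden's own tooling). Function names, the VERIFIER
# override and the record format are assumptions of this example.
VERIFIER="${VERIFIER:-npx @walwarden/verifier}"

# Print only the hex SHA-256 digest, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_record BUNDLE PUBKEY RECORD
# Returns 0 and writes RECORD only if the verifier exits 0; returns 1 on a
# failed verification and 2 if an input file is missing or empty.
verify_and_record() {
  bundle=$1 pubkey=$2 record=$3
  for f in "$bundle" "$pubkey"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done
  # Hash first so the record describes the bytes that were actually checked.
  bundle_sha=$(sha256_of "$bundle") || return 2
  pubkey_sha=$(sha256_of "$pubkey") || return 2
  # Decide on the exit status; the printed summary is kept only as a note.
  # $VERIFIER is left unquoted on purpose so "npx <package>" splits into words.
  if ! output=$($VERIFIER --bundle "$bundle" --pubkey "$pubkey" 2>&1); then
    echo "verification FAILED: $output" >&2
    return 1
  fi
  {
    echo "verified_at_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "bundle_sha256=$bundle_sha"
    echo "pubkey_sha256=$pubkey_sha"
    echo "verifier_output=$output"
  } > "$record"
}

# Usage: sh verify-record.sh evidence-bundle.tgz walwarden-pubkey.pem record.txt
if [ "$#" -eq 3 ]; then
  verify_and_record "$@"
fi
```

Send the record alongside the bundle; the auditor recomputes both digests before re-running the verifier, and compares the key digest against a copy of the public key obtained independently.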

For what the audit chain records and how verification works in detail, see The audit chain.