Problem
The keyring is stored encrypted in the configuration. If it gets corrupted or the config file is lost, then all backups are unusable.
Solution
Is it enough to simply know the config file is versioned on GitHub?
Should the encrypted keyring be stored in the metadata?
In such a case, the password for the keyring and the backup IAM user creds should be different. Otherwise, breaking into the backup account will allow decryption of the backup data.