SpipCP
Backups

Bring your own storage

Send backups to your own S3 bucket (AWS, Cloudflare R2, IONOS, Hetzner) or an SFTP server. Set the credentials, test the connection, and turn on provider object-lock where it's supported.

Don't want to run a storage node? Point SpipCP at storage you already have. A storage target can be your own S3 bucket or an SFTP server β€” backups go there exactly the same way, through the restic engine. Add one with Add a backup target on the Targets tab.

Add a bring-your-own storage target
πŸ“·Targets β†’ Add a backup target: pick S3 or SFTP, enter the credentials, and Test connection before saving.img/backups-byo-storage.avif
Targets β†’ Add a backup target: pick S3 or SFTP, enter the credentials, and Test connection before saving.

Bring your own S3 bucket

Any S3-compatible bucket works. The picker recommends EU / sovereign providers first, then accepts the rest:

ProviderNotes
Hetzner Object StorageEU / GDPR β€” recommended first.
IONOS S3EU / GDPR β€” recommended first.
Cloudflare R2Accepted; additionally supports object-lock (hard immutability).
AWS S3Accepted; additionally supports object-lock (hard immutability).

Pick a provider to prefill its endpoint, then enter:

  • the bucket name,
  • an access key ID + secret access key (the secret is encrypted at rest the moment you save it β€” it's never returned to the browser again),
  • the region if your provider needs one.

Use scoped keys

Give SpipCP a key scoped to just this bucket. Where the provider supports it, use a key that can write but not delete for the append-only backup lane, and a separate delete-capable key only for pruning β€” that's the same two-lane split a storage node enforces. See Append-only & immutability.

Bring your own SFTP server

An SFTP server is the non-S3 option restic speaks natively. Enter the host, port, and username, and authenticate with a private key (recommended) or a password. The key is encrypted at rest like every other credential.

Test connection

Every target has a Test connection button. It does a read-only check β€” for S3 it confirms the bucket is reachable with your credentials and reports whether versioning is on; for SFTP it confirms it can log in. A bad credential or a missing bucket comes back as an actionable message ("Cannot reach bucket … access denied") β€” never a stack trace, and never your secret echoed back.

Provider object-lock (immutability)

On a provider that supports it β€” AWS S3 and Cloudflare R2 β€” SpipCP can turn on object-lock, which makes objects immutable for a retention window at the bucket level: even a delete-capable key can't remove them until the lock expires. That's the strongest form of "ransomware on a node can't destroy its own history."

Object-lock is provider-enforced

Object-lock is only offered where the provider can actually enforce it (AWS S3 / R2). Other S3-compatible endpoints β€” Hetzner, IONOS, and self-hosted Garage/SeaweedFS/RustFS β€” can't enforce it, so SpipCP doesn't pretend to. For server-enforced immutability without a managed provider, run a storage node (rest-server append-only). The full story is in Append-only & immutability.

On this page