Cloud-only
Dump straight into an object store as the only copy — bandwidth-capped so it stays polite, encrypted because the bucket is untrusted.
When to use this
You have no room or appetite for local backup storage, so the object store is
the backup — nb dump writes directly to it. This trades the fast local copy of
Disk → S3 offsite for simplicity. Two things make it safe to run:
a throughput cap so dumps don’t saturate the office uplink, and encryption so a
single, possibly untrusted destination never holds readable data.
Config
Save this as nbackup.yaml. The single cloud medium is both the only medium and
the landing.
cycle: 7d
compress:
scheme: zstd
level: 3
media:
# The bucket is the only copy. The backend is the URL scheme.
cloud:
type: cloud
url: s3://company-backups?region=eu-north-1
# For an S3-compatible store at a custom URL (MinIO, Wasabi, Synology C2,
# Backblaze B2…), add an endpoint to the query instead:
# url: s3://my-bucket?region=eu-005&endpoint=https://s3.example.com
capacity: 50TB
throughput: 50MB/s # cap the uplink so nb dump stays polite
# The only medium is also the landing.
landing: cloud
# Recommended for an untrusted destination: encrypt each archive with a public-key
# recipient after compression. Only the public key need be present here; restore
# finds the matching private key in the operator's keyring.
encrypt:
scheme: gpg
recipient: backups@example.com
archivers:
default:
type: gnutar
one-file-system: "true"
sparse: "true"
dumptypes:
default:
archiver: default
no-logs:
archiver: default
exclude: ["*.log", "*.tmp"]
sources:
default:
localhost: [/home, /etc]
no-logs:
localhost: [/srv/www, /var/log]
Credentials never live in the config. They come from each SDK’s standard
environment — AWS_* (and endpoint/region are passed through to the AWS SDK),
GOOGLE_APPLICATION_CREDENTIALS, or AZURE_*.
Commands
nb plan # preview the run AND the storage $/month
nb dump # dump straight to the bucket
# Routine recoverability check, structural tier (decrypt + decompress + list,
# no extract) to keep egress down:
nb drill --tier structural
An offsite drill spends the full archive bytes in egress — an encrypted,
compressed stream is all-or-nothing to read. Watch the egress $ the dry-run
forecast prints before running a heavier tier:
nb drill --dry-run
Caveats
A single copy is not 3-2-1. One bucket is one copy on one medium with no offsite redundancy. For real durability, add a second medium and replicate to it — see Full 3-2-1-1-0.
- Immutability is operator-side. Enable Object Lock on the bucket yourself;
NBackup only detects it.
nb drill’s WORM probe checks that deleting a fixed probe object is refused and reports it in the posture audit. See Verification & drills. - Restores cost egress. Every recovery pulls the full bytes back out of the
store.
nb recoverestimates the egress$before it pulls, andnb planshows the running storage$/month. See Cost forecasting.
For more on the recipient model and per-dumptype overrides, see Encryption; for the cloud medium and its URL schemes, see Storage media.