Stop Losing Sleep Over Database Backups: Databasus Automates Encrypted, Point‑in‑Time Recovery for PostgreSQL, MySQL & MongoDB + Video

Introduction:

Manual backup scripts are the silent killers of data integrity—they often fail without anyone noticing until a catastrophic loss occurs. Databasus is a self‑hosted, open‑source platform that eliminates this risk by providing scheduled, encrypted, and verifiable backups for PostgreSQL, MySQL/MariaDB, and MongoDB, complete with Point‑in‑Time Recovery (PITR) and real‑time alerting. With over 6,200 GitHub stars, it brings enterprise‑grade backup orchestration to DevOps and InfoSec teams, ensuring that “do we have a backup?” is never a question asked after disaster strikes.

Learning Objectives:

  • Deploy and configure Databasus using Docker Compose or Kubernetes/Helm in a production‑ready environment
  • Implement encrypted, scheduled backups (logical, physical, incremental) to S3, Google Drive, SFTP, or NAS with AES‑256‑GCM
  • Execute Point‑in‑Time Recovery (PITR) for PostgreSQL to restore data to the exact second before corruption or deletion
  • Integrate real‑time failure/success notifications via Telegram, Slack, Discord, email, or generic webhooks
  • Harden the backup pipeline with role‑based access control (RBAC), audit logs, and zero‑trust storage principles

You Should Know

  1. Deploying Databasus with Docker Compose (Linux & Windows)

Databasus runs as a set of containers, making it portable across any Docker‑capable OS. Below is a production‑ready `docker-compose.yml` that includes the backend, web UI, and a PostgreSQL metadata store.

Step‑by‑step guide:

  1. Create a project directory and save the following as `docker-compose.yml`:

    version: '3.8'
    services:
      db:
        image: postgres:15
        environment:
          POSTGRES_DB: databasus
          POSTGRES_USER: admin
          POSTGRES_PASSWORD: strong_password
        volumes:
          - pg_data:/var/lib/postgresql/data
        networks:
          - backup_net

      databasus:
        image: ghcr.io/databasus/databasus:latest
        ports:
          - "8080:8080"
        environment:
          DATABASE_URL: postgres://admin:strong_password@db:5432/databasus
          ENCRYPTION_KEY: your_32_byte_aes256_key_base64
          STORAGE_TYPE: s3
          S3_ENDPOINT: https://s3.amazonaws.com
          S3_BUCKET: my-backup-bucket
          AWS_ACCESS_KEY_ID: your_key
          AWS_SECRET_ACCESS_KEY: your_secret
        depends_on:
          - db
        networks:
          - backup_net

    volumes:
      pg_data:

    networks:
      backup_net:


    2. Generate a secure AES‑256‑GCM key (Linux/macOS/WSL):

    openssl rand -base64 32
    

    On Windows (PowerShell):

    
    

    3. Start the stack:

    docker-compose up -d
    

    For Windows, ensure Docker Desktop is running and use the same command in a Command Prompt or PowerShell.

    4. Access the dashboard at `http://localhost:8080`. The default credentials are typically `admin` / `changeme` (refer to documentation).

    Kubernetes/Helm alternative – add the Helm chart repository and install:

    helm repo add databasus https://charts.databasus.io
    helm install my-backup databasus/databasus --set encryption.key=$(openssl rand -base64 32)
    

    2. Scheduling Backups with Cron and GFS Retention

    Databasus supports cron‑based scheduling and Grandfather‑Father‑Son (GFS) retention policies. You can define hourly, daily, weekly, or custom intervals directly from the UI or via API.

    Step‑by‑step for a PostgreSQL hourly backup with 7‑day retention:

    1. In the Databasus dashboard, navigate to Backup Jobs → Create New.
    2. Select database type: PostgreSQL (also supports MySQL, MariaDB, MongoDB).
    3. Enter connection string: `postgres://user:pass@postgres-svc:5432/mydb`
    4. Backup type: Logical (pg_dump), Physical (base backup), or Incremental (PITR).
    5. Schedule: `0 * * * *` (every hour on the hour). Test cron syntax with crontab.guru.
    6. Retention: GFS policy – keep 24 hourly, 7 daily, 4 weekly, 12 monthly.
    7. Enable AES‑256‑GCM encryption using the key generated earlier.
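
The GFS policy from the Retention step, worked through as an added Node.js example (not Databasus code, and one common interpretation of GFS rather than the project's documented algorithm): each tier keeps the newest backup in each of its N most recent hour, day, ISO-week or month buckets. The function names and the hourly sample timestamps are constructed for illustration.

```javascript
// Added example, not Databasus code: one common reading of GFS retention.
// Each tier keeps the newest backup in each of its N most recent buckets (UTC).
const POLICY = { hourly: 24, daily: 7, weekly: 4, monthly: 12 }; // from the page

// ISO 8601 week label such as "2025-W03" (weeks start on Monday).
function isoWeek(d) {
  const t = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
  t.setUTCDate(t.getUTCDate() + 4 - (t.getUTCDay() || 7)); // Thursday of that week
  const yearStart = Date.UTC(t.getUTCFullYear(), 0, 1);
  const week = Math.ceil(((t.getTime() - yearStart) / 86400000 + 1) / 7);
  return `${t.getUTCFullYear()}-W${String(week).padStart(2, "0")}`;
}

const BUCKET = {
  hourly: (d) => d.toISOString().slice(0, 13), // 2025-01-15T14
  daily: (d) => d.toISOString().slice(0, 10), // 2025-01-15
  weekly: isoWeek,
  monthly: (d) => d.toISOString().slice(0, 7), // 2025-01
};

// Input: UTC timestamps in toISOString() form.
// Returns Map(timestamp -> tiers retaining it); anything absent may be pruned.
function gfsKeep(timestamps, policy = POLICY) {
  const newestFirst = [...timestamps].sort().reverse(); // ISO strings sort by time
  const keep = new Map();
  for (const [tier, limit] of Object.entries(policy)) {
    const seen = new Set();
    for (const ts of newestFirst) {
      const bucket = BUCKET[tier](new Date(ts));
      if (seen.has(bucket)) continue; // a newer backup already covers this bucket
      if (seen.size === limit) break; // tier quota reached
      seen.add(bucket);
      keep.set(ts, [...(keep.get(ts) || []), tier]);
    }
  }
  return keep;
}

// Constructed sample: one backup per hour for 60 days, newest at 2025-01-15T14:00Z.
const END = Date.UTC(2025, 0, 15, 14);
const sample = Array.from({ length: 60 * 24 }, (_, i) =>
  new Date(END - i * 3600000).toISOString());
const kept = gfsKeep(sample);
console.log(`${sample.length} backups, ${kept.size} retained`);
for (const [ts, tiers] of [...kept].sort().slice(-8)) console.log(ts, tiers.join("+"));
```

A backup retained by several tiers is stored once, which is why far fewer than 24 + 7 + 4 + 12 files survive in this run.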

    Verify backup execution via CLI (Linux):

    # List recent backups using the databasus CLI (if installed)
    databasus-cli backup list --job-id pg_prod --limit 5
    

    Windows (PowerShell) equivalent using REST API:

    $token = Get-DatabasusToken -Username admin -Password yourpass
    Invoke-RestMethod -Uri "http://localhost:8080/api/v1/backups?job=pg_prod" -Headers @{Authorization="Bearer $token"}
    

    3. Implementing Zero‑Trust Storage with AES‑256‑GCM Encryption

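    All backups are encrypted client‑side before leaving the Databasus container, so the storage provider (S3, Google Drive, SFTP) never sees plaintext data. You can decrypt backups independently using standard OpenSSL. One caveat: the `openssl enc` manual states that `enc` does not support authenticated modes such as GCM, so run this procedure against a real backup on your OpenSSL version before you depend on it, and keep a second AES‑256‑GCM tool that verifies the authentication tag available.

    How to manually decrypt a Databasus backup (Linux/macOS):

    # Download the encrypted backup from S3
    aws s3 cp s3://my-bucket/backup-20250115-040001.encrypted ./backup.enc
    
    # Decrypt using the same AES‑256‑GCM key (base64 encoded); -c 64 keeps the hex key on one line
    openssl enc -aes-256-gcm -d -in backup.enc -out backup.sql -base64 -K "$(echo "your_base64_key" | base64 -d | xxd -p -c 64)" -iv "$(cat iv.txt)"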
    

    Windows (with OpenSSL installed):

    openssl enc -aes-256-gcm -d -in backup.enc -out backup.sql -base64 -K %KEY_HEX% -iv %IV_HEX%
    

    API security best practice: Never store the encryption key in environment variables of production orchestrators. Use a secret manager (HashiCorp Vault, AWS Secrets Manager) and inject it at runtime:

    # Docker secret injection example (printf avoids storing a trailing newline in the secret)
    printf '%s' "$ENCRYPTION_KEY" | docker secret create databasus_enc_key -
    docker service update --secret-add databasus_enc_key databasus_service
    
    4. Point‑in‑Time Recovery (PITR) for PostgreSQL – Step by Step

    PITR allows you to restore a database to any second before an incident (e.g., accidental `DROP TABLE` at 14:32:07). Databasus automates the required WAL archiving and base backups.

    Scenario: Your production database crashed at 14:35. You need to restore to 14:32:00.

    Step‑by‑step guide:

    1. In Databasus, go to Restore → select the database pg_prod.

    2. Choose Point‑in‑Time Recovery.

    3. Set target time: `2025-01-15 14:32:00 UTC`.

    4. Databasus will automatically:

    • Fetch the latest full base backup before that time.
    • Apply all Write‑Ahead Log (WAL) segments from the archive (S3/SFTP/NAS) up to 14:32:00.
    • Spawn a temporary PostgreSQL container with the recovered data.
    5. Verify the recovered data by connecting to the temporary instance:
      docker exec -it temp_postgres psql -U postgres -d mydb -c "SELECT COUNT(*) FROM critical_table;"
      
    6. Promote the temporary instance to production or export the data.

    Manual PITR using underlying tools (if you ever need to bypass Databasus):

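    # On Linux, using pg_basebackup (for the base backup taken before the incident) and wal-g
    pg_basebackup -D /recovery -Fp -Xs -P -h source_host -U replicator
    # PostgreSQL 12+ (including postgres:15): set restore_command = 'wal-g wal-fetch "%f" "%p"'
    # and recovery_target_time in postgresql.conf, then create an empty recovery.signal file in the data directory.
    # Releases before 12 read the same settings from recovery.conf.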
    

    5. Real‑time Monitoring and Alerting with Webhooks

    Silent backup failures are the root cause of most unrecoverable data losses. Databasus sends success/failure notifications to Slack, Telegram, Discord, email, or any custom webhook.

    Configure Slack alerts (example):

    1. Create a Slack Incoming Webhook URL from your Slack apps page.
    2. In Databasus, navigate to Settings → Notifications → Add Webhook.
    3. Set URL: `https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXX`
    4. Choose events: `backup.success`, `backup.failure`, `restore.completed`.
    5. Test with a manual backup run.

    Telegram integration:

    • Create a bot via BotFather, get the API_TOKEN.
    • Find your chat ID (by sending a message to @userinfobot).
    • In Databasus, set webhook URL: `https://api.telegram.org/bot<API_TOKEN>/sendMessage?chat_id=<CHAT_ID>&text=`

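      Custom script to forward alerts to Microsoft Teams (Linux):

      #!/bin/bash
      # Called by Databasus webhook on failure
      # jq builds the JSON so quotes or backslashes in JOB_NAME cannot break the payload
      PAYLOAD=$(jq -n --arg job "$JOB_NAME" --arg ts "$TIMESTAMP" '{text: "❌ Backup FAILED for job \($job) at \($ts)"}')
      curl -fsS -H "Content-Type: application/json" -d "$PAYLOAD" "$TEAMS_WEBHOOK_URL"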
      
    6. Hardening Databasus for Production (RBAC, Audit Logs, Cloud IAM)

    To meet compliance (SOC2, GDPR, ISO 27001), you need role‑based access, immutable audit trails, and cloud IAM integration.

    Step‑by‑step hardening:

    1. Enable RBAC – Databasus supports three built‑in roles: `admin`, `operator` (can run backups/restores), `viewer` (read‑only). Create users via CLI:
      databasus-cli user create --username devops --role operator --email [email protected]
      

    2. Audit Logging – All actions (backup start, restore, config change) are logged to a dedicated PostgreSQL table. Forward logs to SIEM using a webhook:

      # Example: send audit logs to Splunk HEC
      databasus-cli config set audit_webhook "https://splunk:8088/services/collector/event"
      

    3. Cloud IAM for S3 – Instead of static AWS keys, use IAM roles for EC2/EKS or workload identity for GCP/Azure.

    – On EKS: annotate the service account with eks.amazonaws.com/role-arn.
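    – Then remove `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the Databasus environment – it will automatically use the role credentials (instance metadata on EC2, the projected service account token on EKS).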

    4. Network isolation – Run Databasus in a private subnet, expose only via internal load balancer or VPN. Use mutual TLS (mTLS) between Databasus and database agents.

    7. Vendor Lock‑In Prevention: Restore Without Databasus

    One of Databasus’s strongest features is that you are never locked in. Encrypted backups can be restored using only standard open‑source tools.

    Restoring a PostgreSQL logical backup without Databasus:

    1. Download the encrypted file from S3/Drive:

    rclone copy s3:my-bucket/backup.enc ./backup.enc
    
    2. Decrypt with OpenSSL (using the same key you originally set):
      openssl enc -aes-256-gcm -d -in backup.enc -out backup.sql -pass pass:your_password
      

    3. Restore into any PostgreSQL instance:

    psql -h target_host -U postgres -d mydb < backup.sql
    

    For physical backups (PITR ready): the decrypted output is a `tar` of the `pg_wal` and base data directory. You can spin up a standard PostgreSQL container and point it to that directory.
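
What authenticated decryption of such a file involves, for the decrypt step above and for the manual decryption in section 3, as an added Node.js example that is not Databasus code. It assumes a file layout of 12‑byte nonce, ciphertext, then 16‑byte tag, which the page does not document, and it uses a throwaway key and a constructed sample dump; the function names are hypothetical.

```javascript
// Added example, not Databasus code. ASSUMED layout: nonce(12) || ciphertext || tag(16).
const nodeCrypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // full 128-bit authentication tag

// Encrypt helper, used here only to build a constructed sample blob.
function sealBackup(keyB64, plaintext) {
  const key = Buffer.from(keyB64, "base64");
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // must never repeat under one key
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// Decrypt and authenticate. Returns the plaintext Buffer, or throws if the key
// is wrong or any byte of the blob was modified at rest.
function openBackup(keyB64, blob) {
  const key = Buffer.from(keyB64, "base64");
  if (key.length !== 32) throw new Error("key must decode to 32 bytes");
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error("blob too short");
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  // final() is where the tag is checked; do not use any output before it returns.
  return Buffer.concat([d.update(body), d.final()]);
}

// Returns true if the blob authenticates under the key, false otherwise.
function verifies(keyB64, blob) {
  try { openBackup(keyB64, blob); return true; } catch { return false; }
}

// Constructed demo data: a throwaway key and a fake SQL dump.
const demoKey = nodeCrypto.randomBytes(32).toString("base64"); // same shape as `openssl rand -base64 32`
const demoBlob = sealBackup(demoKey, Buffer.from("CREATE TABLE critical_table (id int);\n"));
const tampered = Buffer.from(demoBlob);
tampered[NONCE_LEN] ^= 0x01; // one flipped ciphertext bit, as storage-side corruption would cause

console.log(openBackup(demoKey, demoBlob).toString());
console.log("tampered blob verifies:", verifies(demoKey, tampered));
```

For multi-gigabyte dumps the same calls work on streams, but the output must be written to a temporary file and only moved into place after `final()` has accepted the tag.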

    Windows alternative using 7-Zip and OpenSSL:

    # Decrypt then decompress
    openssl enc -d -aes-256-gcm -in backup.enc -out backup.tar.gz -pass pass:key
    & "C:\Program Files\7-Zip\7z.exe" x backup.tar.gz -oC:\restore
    

    What Undercode Say:

    • Automation without silence is the true game‑changer. Databasus doesn’t just run backups—it makes failures visible instantly via Slack, Telegram, or webhooks, closing the loop that manual cron jobs leave open.
    • PITR is no longer an enterprise‑only luxury. With Databasus, any team can achieve second‑level recovery for PostgreSQL, turning hours of forensic recovery into minutes of automated restore.
    • Encryption and zero‑trust storage are non‑negotiable. By enforcing client‑side AES‑256‑GCM and allowing decryption with standard OpenSSL, Databasus ensures compliance without vendor lock‑in.
    • Self‑hosted does not mean DIY. The project provides production‑grade Helm charts, Docker Compose templates, and RBAC, making it viable for regulated industries (finance, healthcare) that cannot use cloud‑native backup SaaS.
    • Backup is a visibility problem, not a tooling problem. Most data loss occurs because teams assume backups are working. Databasus turns backup into a monitored, audited, and testable service.

    Prediction:

    As ransomware and insider threats continue to rise, the ability to perform granular, encrypted, and independently verifiable PITR will shift from “nice to have” to a mandatory compliance requirement (similar to GDPR’s Article 32 on security of processing). We predict that within 18 months, open‑source platforms like Databasus will become the default for mid‑size companies, displacing fragile custom scripts. Additionally, we expect to see integrations with infrastructure‑as‑code tools (Terraform, Pulumi) and GitOps pipelines, where backup policies are versioned alongside application code. The future of backup is not just scheduled dumps—it is continuous, immutable, and always recoverable to any point in time, with zero trust built into the storage layer.

    Reported By: Nusretonen Opensource – Hackers Feeds