Offsite Backup

Encrypted offsite backups.
Zero-knowledge.

HostAtlas Offsite Backup encrypts your data on the agent using AES-256-GCM before it ever leaves your server. The encryption key never touches HostAtlas infrastructure. We cannot read your backups — by design. Combined with an entropy gate that refuses ransomware-encrypted files, your offsite copies are guaranteed to be both encrypted and clean.

Start free — no credit card How encryption works

AES-256

Encryption

Zero

Knowledge

S3

Direct upload

SHA-256

Integrity check

Client-Side Encryption

AES-256-GCM. On your server. Before upload.

The HostAtlas agent encrypts backup files locally using AES-256-GCM authenticated encryption. The key is generated on first setup and stored only on the agent. It never leaves your infrastructure. HostAtlas servers receive only encrypted ciphertext — we cannot decrypt your data under any circumstances.

description

Step 1

Backup Created

Backup job produces a file (SQL dump, tar archive, etc.) on the local filesystem.

shield

Step 2

Entropy Check

Agent analyzes file entropy and format. Ransomware-encrypted files are rejected before encryption.

lock

Step 3

AES-256-GCM Encrypt

File is encrypted with AES-256-GCM using the local key. Output is wrapped in HABK format with metadata.

cloud_upload

Step 4

S3 Upload

Agent uploads encrypted .habk file directly to S3 via presigned URLs. Multipart upload for large files.

check_circle

Step 5

Verify

SHA-256 checksum is verified after upload. Backup is registered in the HostAtlas catalog.

HABK file format

HostAtlas uses a custom binary format (.habk) that wraps the encrypted payload with metadata needed for decryption and verification. The format is simple, portable, and contains everything needed to restore — except the encryption key.

# HABK File Structure
+-------------------+
| Magic: "HABK" | 4 bytes
| Version: 1 | 1 byte
| Key ID | 16 bytes (UUID)
| Nonce | 12 bytes (GCM)
| Original size | 8 bytes
| Original SHA-256 | 32 bytes
| Timestamp | 8 bytes
| Metadata length | 4 bytes
| Metadata (JSON) | variable
| Encrypted payload | variable
| GCM Auth Tag | 16 bytes
+-------------------+

Zero-knowledge guarantee

key_off

Key never leaves your server

The AES-256 encryption key is generated locally on the agent during setup. It is stored in the agent's config directory with 0600 permissions. The key is never transmitted to HostAtlas servers, never included in API calls, and never logged.

visibility_off

We cannot read your data

HostAtlas infrastructure receives only encrypted ciphertext. Without the key, the data is indistinguishable from random bytes. Even if our servers were compromised, your backup data remains encrypted and unreadable.

gpp_good

GCM authenticated encryption

AES-256-GCM provides both confidentiality and integrity. The authentication tag detects any tampering with the ciphertext. If a single bit is modified, decryption fails — protecting against data corruption and manipulation.

fingerprint

SHA-256 integrity verification

The original file's SHA-256 hash is stored in the HABK header (before encryption). After decryption, the hash is verified to confirm the file is identical to the original.

Entropy Gate

Ransomware stops here.

Before encrypting and uploading any backup, the agent runs Shannon entropy analysis and magic byte format detection on the source file. If the file shows signs of ransomware encryption — high entropy with no recognized format — the upload is refused. This means ransomware-encrypted backups never make it to offsite storage. Your offsite copies are guaranteed clean.

check_circle

Pre-Upload Validation

Every file passes through entropy analysis before encryption. Files flagged as suspicious are blocked and an incident is created automatically.

check_circle

Clean Offsite Guarantee

Since suspicious files are rejected before upload, your offsite storage only contains verified clean backups. Even if your server is fully compromised, offsite copies remain trustworthy.

check_circle

Configurable Sensitivity

The entropy threshold for blocking uploads is configurable. Default is 7.95 for unknown formats. Paths marked as "Encrypted" (GPG, age) bypass the gate.

check
daily_backup.sql.gz

Entropy: 5.23 | Format: gzip

Passed
arrow_forward Encrypting with AES-256-GCM → Uploading to S3
check
files_backup.tar.xz

Entropy: 7.81 | Format: xz

Passed
arrow_forward Encrypting with AES-256-GCM → Uploading to S3
block
daily_backup.sql.gz

Entropy: 7.98 | Format: UNKNOWN

Blocked
close Upload refused → Incident INC-3901 created
key
secrets.gpg

Entropy: 7.99 | Path marked as encrypted

Bypassed
arrow_forward Encrypting with AES-256-GCM → Uploading to S3
# Upload flow (agent log)
[INFO] Starting backup upload: daily_backup.sql.gz
[INFO] Entropy check passed: 5.23 (gzip)
[INFO] Encrypting with AES-256-GCM (key: ab12cd34)
[INFO] Output: daily_backup.sql.gz.habk (142 MB)
[INFO] Requesting presigned multipart upload URL
[INFO] Uploading part 1/3 (50 MB)... done
[INFO] Uploading part 2/3 (50 MB)... done
[INFO] Uploading part 3/3 (42 MB)... done
[INFO] Completing multipart upload
[OK] Upload complete. SHA-256 verified.
[OK] Backup registered: offsite/prod-db-01/2026-04-03/daily_backup.sql.gz.habk

Direct S3 Upload

Agent uploads directly. No middleman.

The HostAtlas agent uploads encrypted backups directly to S3 storage using presigned URLs. The data never passes through HostAtlas application servers — it goes straight from your server to object storage. Multipart upload handles large files efficiently, with automatic retry for failed parts.

link

Presigned URLs

The agent requests a presigned URL from the HostAtlas API. The URL grants temporary, scoped write access to a specific S3 path. The agent uploads directly to S3 without HostAtlas servers touching the data.

view_in_ar

Multipart Upload

Files over 50 MB are split into parts and uploaded in parallel. Each part is checksummed independently. Failed parts are retried without re-uploading the entire file.

verified

Post-Upload Verification

After upload completes, the SHA-256 hash of the uploaded object is compared against the local hash. Any mismatch triggers a re-upload. The backup is only registered in the catalog after verification passes.

Restore

Download. Verify. Decrypt. Restore.

Restoring from offsite backup is a four-step process handled entirely by the agent. The encrypted file is downloaded from S3, the SHA-256 hash is verified to confirm integrity, the file is decrypted using the local key, and the original file is restored. No manual key handling, no complex tooling.

cloud_download

Step 1

Download

Agent downloads the .habk file from S3 via presigned URL. Multipart download for large files.

fingerprint

Step 2

Verify SHA-256

Verify the downloaded file's SHA-256 matches the catalog record. Detects corruption during transfer.

lock_open

Step 3

Decrypt

Agent reads key ID from HABK header, finds the local key, decrypts with AES-256-GCM, and verifies the GCM auth tag.

check_circle

Step 4

Verify & Restore

Original file SHA-256 from HABK header is verified against the decrypted output. File is restored to the target path.

Key Management

Auto-generated. Exportable. Your responsibility.

The encryption key is automatically generated when you enable offsite backup for a server. You can export it for safekeeping or import an existing key when migrating between servers. Because HostAtlas never stores your key, losing it means losing access to your encrypted backups permanently.

auto_awesome

Auto-Generated

A 256-bit key is generated using a cryptographically secure random number generator on first setup. The key is stored in the agent's config directory with restricted file permissions (0600).

download

Export / Import

Export your key via the agent CLI for safekeeping. Import it on another server to access the same encrypted backups. Useful for disaster recovery scenarios where the original server is lost.

warning

Key Loss = Data Loss

HostAtlas cannot recover lost keys. We recommend exporting the key immediately after setup and storing it in a secure location (password manager, hardware security module, or printed and locked away).

# Key management commands
$ hostatlas-agent backup key export
Key ID: ab12cd34-5678-9012-ef34-567890abcdef
Key: bG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFt...
WARNING: Store this key securely. HostAtlas cannot recover lost keys.
$ hostatlas-agent backup key import --key-file /path/to/key
Key imported: ab12cd34-5678-9012-ef34-567890abcdef
OK: Key verified and stored.
$ hostatlas-agent backup key info
Key ID: ab12cd34-5678-9012-ef34-567890abcdef
Algorithm: AES-256-GCM
Created: 2026-04-03T10:15:00Z
Backups: 47 files (23.4 GB encrypted)

Storage Tiers

Simple pricing. No surprises.

Choose the storage tier that fits your backup volume. All tiers include AES-256-GCM encryption, entropy gate protection, SHA-256 verification, and the full backup management dashboard. Pricing is per server, billed monthly.

Starter

$5 /mo

50 GB storage per server

check_circle AES-256-GCM encryption
check_circle Entropy gate protection
check_circle SHA-256 verification
check_circle 7-day retention minimum

Professional

$15 /mo

250 GB storage per server

check_circle Everything in Starter
check_circle 30-day retention minimum
check_circle Multipart upload (50 MB+ files)
check_circle Priority restore queue

Enterprise

$39 /mo

1 TB storage per server

check_circle Everything in Professional
check_circle 90-day retention minimum
check_circle Cross-region replication
check_circle Dedicated support

Get started

Your backups, your keys, your control.

Enable offsite backup from the server settings page. The agent generates an encryption key, starts analyzing your backups with the entropy gate, and uploads encrypted copies to secure S3 storage. Zero-knowledge by design — we never see your data unencrypted.

Start free — no credit card View pricing plans

Quick install

$ curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- --key=SERVER_KEY_