Backblaze B2 Offsite Backup Strategy

Overview

Backblaze B2 provides cost-effective offsite backup for critical business data, completing the 3-2-1 backup rule implementation.

Data Selection Strategy

Critical Data for B2 (Priority 1)

Business-critical data that requires offsite protection

  • VaultWarden database: Password manager data (essential for access)
  • WordPress database: Business website and customer data
  • SSL certificates: TLS certs and keys for services
  • Kubernetes configs: Cluster state and application manifests
  • Business documents: Invoices, customer data, contracts

Estimated size: ~5-10GB total

Backup frequency: Weekly, with emergency manual triggers

Important Data for B2 (Priority 2)

Important but less critical data

  • Application configurations: Media system configs, service settings
  • Container images: Custom-built application images
  • Monitoring data: Essential dashboards and alert configurations

Estimated size: ~20-50GB total

Backup frequency: Monthly

Excluded from B2 (Local only)

Large, replaceable, or less critical data

  • Media files: Movies, TV shows (can be re-acquired)
  • Download cache: Temporary files and processing data
  • Container image cache: Publicly available images
  • Log files: Historical log data (keep recent only)

Implementation Architecture

Backup Flow

```text
Apollo Freezer Pool → Restic → Backblaze B2
        ↑
VolSync Backups (filtered/compressed)
```

B2 Bucket Structure

```text
k8s-backups-critical/
├── vaultwarden/
│   ├── 2024/01/vaultwarden-20240115.tar.gz
│   └── 2024/01/vaultwarden-20240122.tar.gz
├── wordpress/
│   ├── 2024/01/wordpress-db-20240115.sql.gz
│   └── 2024/01/wordpress-files-20240115.tar.gz
├── configs/
│   ├── 2024/01/k8s-manifests-20240115.tar.gz
│   └── 2024/01/ssl-certs-20240115.tar.gz
└── business/
    ├── 2024/01/customer-data-20240115.tar.gz
    └── 2024/01/invoices-20240115.tar.gz
```

Cost Optimization

B2 Pricing (as of 2024)

  • Storage: $0.005/GB/month
  • Download: $0.01/GB
  • Upload: Free
  • API calls: Minimal cost

Monthly Cost Estimates

```text
Critical data (10GB):
- Storage: $0.05/month
- Annual: ~$0.60

Important data (50GB total):
- Storage: $0.25/month
- Annual: ~$3.00

Total estimated cost: <$5/month
```

Optimization Strategies

  • Compression: Use gzip/xz compression before upload
  • Deduplication: Restic handles incremental backups
  • Lifecycle policies: Automatically delete old snapshots
  • Selective restore: Only download what's needed

Implementation Tools

Option 1: Restic with B2 Backend

```bash
# Configure restic for B2
export RESTIC_REPOSITORY="b2:k8s-backups-critical"
export RESTIC_PASSWORD="secure-backup-password"
export B2_ACCOUNT_ID="your-account-id"
export B2_ACCOUNT_KEY="your-application-key"

# Initialize repository
restic init

# Backup critical data
restic backup /mnt/disks/Freezer/k8s-backups/vaultwarden/
restic backup /mnt/disks/Freezer/k8s-backups/wordpress/
```

Option 2: Kubernetes CronJob

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: b2-offsite-backup
  namespace: backup-system
spec:
  schedule: "0 2 * * 0"  # Weekly on Sunday at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: b2-backup
            image: restic/restic:latest
            env:
            - name: RESTIC_REPOSITORY
              value: "b2:k8s-backups-critical"
            - name: RESTIC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: restic-b2-secret
                  key: password
            - name: B2_ACCOUNT_ID
              valueFrom:
                secretKeyRef:
                  name: b2-credentials
                  key: account-id
            - name: B2_ACCOUNT_KEY
              valueFrom:
                secretKeyRef:
                  name: b2-credentials
                  key: application-key
            command:
            - /bin/sh
            - -c
            - |
              # Stop at the first failed command so the Job fails
              # instead of pruning after an incomplete backup
              set -e

              # Backup critical data from Freezer pool
              restic backup /mnt/freezer/vaultwarden/ --tag vaultwarden
              restic backup /mnt/freezer/wordpress/ --tag wordpress
              restic backup /mnt/freezer/configs/ --tag configs

              # Cleanup old snapshots (keep monthly for 1 year)
              restic forget --keep-monthly 12 --prune
            volumeMounts:
            - name: freezer-storage
              mountPath: /mnt/freezer
              readOnly: true
          volumes:
          - name: freezer-storage
            nfs:
              server: apollo.local
              path: /mnt/disks/Freezer/k8s-backups
          restartPolicy: OnFailure
```

Option 3: Apollo unRAID Plugin

```bash
# Use B2 Sync plugin for unRAID
# Configure to sync specific Freezer directories
# Automated scheduling and monitoring
```

Security Considerations

Encryption

  • At rest: Restic encrypts all data before upload
  • In transit: HTTPS/TLS for all B2 communications
  • Key management: Secure storage of B2 credentials and restic passwords

Access Control

  • B2 Application Keys: Limited scope and permissions
  • Kubernetes secrets: Encrypted secret storage
  • Network isolation: Backup operations from secure networks only

Compliance

  • Data residency: B2 allows region selection
  • Retention policies: Configurable data lifecycle
  • Audit logging: Track backup and restore operations

Disaster Recovery Scenarios

Complete Site Loss

  1. Provision new infrastructure (cloud or new location)
  2. Install restic and configure B2 access
  3. Restore critical data from B2 repository
  4. Rebuild cluster with restored configurations
  5. Restore applications with backed-up data

Selective Recovery

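```bash
# List available snapshots
restic snapshots --tag vaultwarden

# Restore specific service
restic restore latest --tag vaultwarden --target /tmp/restore/

# Import to new cluster
# (restic recreates the original absolute path under --target, so snapshots
# taken by the CronJob above land in /tmp/restore/mnt/freezer/vaultwarden/)
kubectl create -f /tmp/restore/mnt/freezer/vaultwarden/
```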

Monitoring and Alerting

Backup Success Monitoring

```yaml
# Prometheus alert for B2 backup failures
- alert: B2BackupFailed
  expr: time() - b2_last_backup_timestamp > 604800  # 1 week
  annotations:
    summary: "B2 offsite backup has not completed in over a week"

# Monitor B2 storage usage
- alert: B2StorageUsageHigh
  expr: b2_bucket_size_bytes > 100 * 1024^3  # 100GB threshold
  annotations:
    summary: "B2 storage usage exceeding expected levels"
```
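The B2BackupFailed alert depends on a `b2_last_backup_timestamp` metric that none of the tools above emit on their own. The following is an added example, not part of the original page, that derives it from `restic snapshots --json` output and renders it in Prometheus text format; the `tag` label, the `REQUIRED_TAGS` list, the helper names and the sample JSON are assumptions made for illustration.

```python
import json
import re
from datetime import datetime

# Tags the CronJob on this page applies; each must have a recent snapshot.
REQUIRED_TAGS = ("vaultwarden", "wordpress", "configs")
MAX_AGE_SECONDS = 604800  # same 1-week threshold as the B2BackupFailed alert

def parse_restic_time(value):
    """Parse restic's RFC 3339 timestamps, which may carry nanosecond fractions."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)", value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, zone = m.groups()
    micros = (frac or "0")[:6].ljust(6, "0")  # datetime only holds microseconds
    zone = "+00:00" if zone == "Z" else zone
    return datetime.fromisoformat(f"{base}.{micros}{zone}")

def latest_per_tag(snapshots_json):
    """Return {tag: newest snapshot time as Unix seconds}."""
    latest = {}
    for snap in json.loads(snapshots_json):
        ts = parse_restic_time(snap["time"]).timestamp()
        for tag in snap.get("tags") or []:  # untagged snapshots omit "tags"
            latest[tag] = max(latest.get(tag, 0.0), ts)
    return latest

def render_metrics(latest):
    """Prometheus text exposition; a missing tag reports 0 so the alert fires."""
    lines = ["# TYPE b2_last_backup_timestamp gauge"]
    for tag in REQUIRED_TAGS:
        lines.append(f'b2_last_backup_timestamp{{tag="{tag}"}} {int(latest.get(tag, 0))}')
    return "\n".join(lines) + "\n"

def stale_tags(latest, now):
    """Tags whose newest snapshot is older than the threshold, or absent."""
    return [t for t in REQUIRED_TAGS if now - latest.get(t, 0) > MAX_AGE_SECONDS]

# Constructed sample of `restic snapshots --json` output (not a real repository).
SAMPLE = """[
 {"time": "2024-01-15T02:00:07.123456789Z", "tags": ["vaultwarden"], "paths": ["/mnt/freezer/vaultwarden"]},
 {"time": "2024-01-22T02:00:05.5+00:00", "tags": ["vaultwarden"], "paths": ["/mnt/freezer/vaultwarden"]},
 {"time": "2024-01-08T02:00:09Z", "tags": ["wordpress"], "paths": ["/mnt/freezer/wordpress"]}
]"""

if __name__ == "__main__":
    print(render_metrics(latest_per_tag(SAMPLE)), end="")
```

Because each series carries a `tag` label, the alert expression evaluates per service, so a missing `configs` backup is reported even when the other backups succeeded.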

Cost Monitoring

  • Monthly reports: Track B2 usage and costs
  • Budget alerts: Alert if costs exceed expectations
  • Usage optimization: Regular review of backup efficiency

Benefits of This Strategy

Business Continuity

  • Geographic separation: Protection from local disasters
  • Long-term retention: Historical data preservation
  • Quick critical recovery: Essential business data always available

Cost Effectiveness

  • Selective backup: Only critical data goes offsite
  • Compression: Minimize storage costs
  • Automated lifecycle: Prevent runaway storage costs

Operational Simplicity

  • Restic integration: Same tools as local backups
  • Kubernetes native: CronJobs for automation
  • Monitoring integration: Fits existing observability stack

Priority: Implement B2 offsite backups for critical business data after local VolSync backups are operational