Backups
MZPanel backs up your sites, databases, and Docker stacks from a single account-level hub at /backups. Open a server’s card to see its jobs, or use the fleet-wide views to manage everything in one place.
The Backup Job model
Section titled “The Backup Job model”A Job is the unit of backup. Each job belongs to exactly one server and bundles everything needed to run a backup on that VPS:
| Concept | Scope | What it holds |
|---|---|---|
| Destination | account | Where backups are stored (local / object / peer) + credential |
| Job | per-server | Schedule (when) · kind (what) · retention · one or more destinations |
| Snapshot | per-run | One execution of a job |
A server can have many jobs (for example, a nightly full backup and an hourly database backup). Because destinations live at the account level, a job on any server can target the same destination — which is how MZPanel unifies the account view with per-server backups. Send a job to two destinations for a true 3-2-1 setup.
Under the hood, the engine is restic: snapshots are immutable, content-addressed, and deduplicated, with one repository per server. Retention is enforced per job, so each job prunes its own history even when sharing a repository.
Local backups (Free)
Section titled “Local backups (Free)”On the Free plan you can run full (files + database) and database-only backups to a local destination on the same server. Local backups need no credentials and are the fastest path to a working snapshot.
Offsite backups (Plus)
Section titled “Offsite backups (Plus)”Offsite backups via the restic engine are available on Plus. Add an object destination (S3 / R2 / B2 or any rclone-supported remote) or a peer destination (another of your servers), then point a job at it. The same restic snapshot model applies, so offsite backups dedup and prune just like local ones.
Zero-knowledge credential sealing
Section titled “Zero-knowledge credential sealing”Destination credentials — object-store keys, rclone tokens, the restic repository password — are sealed in your browser before they ever leave it. The control plane stores only ciphertext and never holds a key that can decrypt it.
- The plaintext exists only in your browser when you enter it, and in the agent’s memory when it runs a backup.
- Each agent has its own keypair; the private key never leaves the VPS. The browser wraps the credential for each server that uses the destination.
- Adding a new server to an existing destination re-seals for that server — you do not re-enter the credential.
Schedules (box-side timer)
Section titled “Schedules (box-side timer)”In addition to control-plane scheduling, MZPanel installs a systemd backup timer on the box itself. This makes scheduled backups offline-safe: they fire from the server’s own timer and keep running even if the control plane is briefly unreachable, rather than depending on a live WebSocket session.
When you need to recover, see Restore a backup.