Backups

MZPanel backs up your sites, databases, and Docker stacks from a single account-level hub at /backups. Open a server’s card to see its jobs, or use the fleet-wide views to manage everything in one place.

The Backup Job model

A Job is the unit of backup. Each job belongs to exactly one server and bundles everything needed to run a backup on that VPS:

Concept	Scope	What it holds
Destination	account	Where backups are stored (local / object / peer) + credential
Job	per-server	Schedule (when) · kind (what) · retention · one or more destinations
Snapshot	per-run	One execution of a job

A server can have many jobs (for example, a nightly full backup and an hourly database backup). Because destinations live at the account level, a job on any server can target the same destination — which is how MZPanel unifies the account view with per-server backups. Send a job to two destinations for a true 3-2-1 setup.

Under the hood, the engine is restic: snapshots are immutable, content-addressed, and deduplicated, with one repository per server. Retention is enforced per job, so each job prunes its own history even when sharing a repository.

Local backups (Free)

On the Free plan you can run full (files + database) and database-only backups to a local destination on the same server. Local backups need no credentials and are the fastest path to a working snapshot.

Offsite backups (Plus)

Offsite backups via the restic engine are available on Plus. Add an object destination (S3 / R2 / B2 or any rclone-supported remote) or a peer destination (another of your servers), then point a job at it. The same restic snapshot model applies, so offsite backups dedup and prune just like local ones.

Zero-knowledge credential sealing

Destination credentials — object-store keys, rclone tokens, the restic repository password — are sealed in your browser before they ever leave it. The control plane stores only ciphertext and never holds a key that can decrypt it.

• The plaintext exists only in your browser when you enter it, and in the agent’s memory when it runs a backup.
• Each agent has its own keypair; the private key never leaves the VPS. The browser wraps the credential for each server that uses the destination.
• Adding a new server to an existing destination re-seals for that server — you do not re-enter the credential.

Note

Credential sealing is the design for offsite destinations (Plus). The client-side sealing is in place; some server-side wiring is still being finished — see docs/77.

Caution

The restic repository password decrypts your backup contents. If it is lost, restic cannot recover the data. MZPanel seals and stores it so it can be re-sealed if a server is reinstalled — but treat it as critical.

Schedules (box-side timer)

In addition to control-plane scheduling, MZPanel installs a systemd backup timer on the box itself. This makes scheduled backups offline-safe: they fire from the server’s own timer and keep running even if the control plane is briefly unreachable, rather than depending on a live WebSocket session.

Next

When you need to recover, see Restore a backup.