Backups Updated 2026-05-19

Offsite backup destinations — S3, B2, Wasabi for cPanel

How to choose and configure an offsite backup destination for cPanel: S3, Backblaze B2, Wasabi, with the lifecycle and access policies that matter.

The “offsite” leg of a cPanel backup design is usually an object store: Amazon S3, Backblaze B2, or Wasabi. They are commodity-priced and JetBackup/R1Soft support all three natively. The price difference is significant; the operational differences are smaller than the marketing material suggests. Pick on egress cost and lifecycle ergonomics.

What’s happening

S3-compatible object storage with versioning and lifecycle is the canonical cPanel offsite backup target. JetBackup writes through an S3 client to the bucket; R1Soft can write via SFTP or S3. The bucket’s lifecycle policy handles old-version pruning; the IAM (or equivalent) policy locks down who can delete from the bucket.

Wasabi: no egress fees but a 90-day minimum storage charge. B2: lowest list price, modest egress, simple model. AWS S3: most features (S3 Object Lock, cross-region replication) but priciest egress.

How to verify

Test the destination before relying on it:

aws s3 ls s3://<bucket>/ --endpoint-url <endpoint-if-not-aws>
jetbackup5api -F testDestination -D '{"_id":"<dest-id>"}'
aws s3api get-bucket-versioning --bucket <bucket>
aws s3api get-bucket-lifecycle-configuration --bucket <bucket>

A destination test that hangs is usually a firewall issue (egress to port 443 of the object store endpoint) or a clock skew issue (S3 signs requests with a timestamp).

The fix

  1. Pick by economic profile: low restore frequency, large retention — Wasabi (no egress). Frequent partial restores from offsite — B2 or AWS S3 with CloudFront for caching. Strict object lock requirements — AWS S3.
  2. Create a dedicated bucket per server. Shared buckets across servers complicate IAM and lifecycle; one bucket per cPanel host scales cleanly.
  3. Enable versioning. Object versioning is what lets you recover from an “operator deleted the bucket contents” event. Add a lifecycle rule to expire non-current versions after 90 days.
  4. Create an IAM user (or equivalent) with bucket-scoped permissions: s3:PutObject, s3:GetObject, s3:ListBucket, no s3:DeleteObject if your retention is handled by lifecycle.
  5. Encrypt at rest. Both client-side (JetBackup GPG) and server-side (S3 SSE-S3 or SSE-KMS) are acceptable. Document which is used and where the key lives.

Stack Harbor handles offsite destination selection and setup as part of environment management for cPanel servers.

Book consult