Backup with Duplicati and Minio

With Crashplan’s announced deprecation of Home services, I set up Minio on my various endpoints, exposed the port to relevant subnets, and set up peer-to-peer backup.

My requirements:

  1. Low cost.
  2. Scalable storage options, ability to add more drives as needed.
  3. Peer-to-peer backup across various sites.
  4. Snapshot capabilities.
  5. On-premise encryption.
  6. Cross-platform backup client.

Software:

  1. Client: Duplicati snapshots data and is free.
  2. Storage for backups: Minio Server runs on a variety of OSes and exposes an S3-compatible storage endpoint.
  3. Storage TLS certificate: Concert can be used to get a Let’s Encrypt certificate for your S3-compatible endpoint. You should probably compile from source instead of using the binaries.

Server Configuration (example):

  1. Minio supports erasure coding/checksums to be resilient against bitrot and drive failures. So directly expose disks (without RAID) on a Windows server. Minimum 4 disks, even numbers, and up to 12 disks are currently supported.
  2. Configure 4 storage drives as E:, F:, G: and H:. (You may wish to mount the disks in directory-mountpoints, but that’s left as an exercise to the reader.)
  3. Download Minio and NSSM (used to run Minio as a service on a Windows server). In the example below, drop these binaries in c:\minio\, then execute:
    nssm install minio-backup-storage c:\minio\minio.exe
    nssm set minio-backup-storage AppDirectory c:\minio
    nssm set minio-backup-storage AppParameters server --config-dir c:\minio\config e:\minio-storage f:\minio-storage g:\minio-storage h:\minio-storage
    
  4. Forward port 443 to port 9000 on this server (NAT).
  5. Open config.json in c:\minio and note the accessKey and secretKey.
  6. Confirm that you can log in at http://serverip:9000/ with the accessKey and secretKey.

Enable TLS encryption with Let’s Encrypt (example 1):

  1. Point s3.yourdomain.com to the machine running minio.
  2. Grab Concert and drop this binary in the same location.
  3. Set concert to run as a service as well:
    nssm install minio-cert c:\minio\concert_windows_amd64.exe
    nssm set minio-cert AppDirectory c:\minio
    nssm set minio-cert AppParameters server --dir "c:\minio\config\certs" myemailaddress@domain.com "s3.yourdomain.com"
    
  4. Forward tcp 80 to this server to allow it to renew certificates.

Client Configuration:

  1. Install Duplicati.
  2. Add the backup, select S3-compatible. Using the web interface, click Advanced and select “s3-ext-forcepathstyle” while configuring the location [2].
  3. #profit.
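
Why step 2 needs “s3-ext-forcepathstyle”, as an added example (not code from this post, Duplicati or Minio): without path-style addressing an S3 client puts the bucket name into the hostname, and that name is neither in DNS nor on the certificate issued for s3.yourdomain.com. The bucket and object names are constructed, and the hostname match is a simplified version of TLS name checking.

```python
from urllib.parse import urlsplit

ENDPOINT = "s3.yourdomain.com"            # hostname used in the post
CERT_NAMES = ["s3.yourdomain.com"]        # the single name passed to Concert
BUCKET = "duplicati-backups"              # constructed bucket name (assumption)
KEY = "duplicati-20170901.dlist.zip.aes"  # constructed object name (assumption)


def s3_url(endpoint: str, bucket: str, key: str, path_style: bool) -> str:
    """Build the HTTPS URL an S3 client requests for bucket/key."""
    if path_style:
        # Path style: bucket is the first path segment, host stays the endpoint.
        return f"https://{endpoint}/{bucket}/{key}"
    # Virtual-host style: bucket becomes an extra left-most DNS label.
    return f"https://{bucket}.{endpoint}/{key}"


def name_matches(pattern: str, host: str) -> bool:
    """Simplified TLS name match: '*' may only stand for the whole first label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]  # a wildcard covers exactly one label
    return p == h


def cert_covers(url: str, cert_names: list[str]) -> bool:
    """True if the URL's hostname matches any name on the certificate."""
    host = urlsplit(url).hostname
    return any(name_matches(name, host) for name in cert_names)


def compare(endpoint=ENDPOINT, bucket=BUCKET, key=KEY, names=CERT_NAMES):
    """Return {style: (url, certificate_matches)} for both addressing styles."""
    result = {}
    for style, path_style in (("path", True), ("virtual-host", False)):
        url = s3_url(endpoint, bucket, key, path_style)
        result[style] = (url, cert_covers(url, names))
    return result


if __name__ == "__main__":
    for style, (url, ok) in compare().items():
        print(f"{style:13} {url}  cert match: {ok}")
```

A virtual-host-style request would also need a DNS record for every bucket name, which the single s3.yourdomain.com record set up above does not provide.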

References:

  1. https://docs.minio.io/docs/generate-let-s-encypt-certificate-using-concert-for-minio
  2. https://forum.duplicati.com/t/connecting-to-minio-via-custom-url/245/6