A Special Report
Most database backups are write-only, until the day they aren’t.
dbcrate runs your scheduled backups, encrypts them on the host to a key you own, and uploads them straight to storage you control. Beginning, as all good things do, with PostgreSQL.
Engines today
1
On the roadmap
3
Storage
S3 / SFTP
Encryption
E2E
-
Scheduled, encrypted backups
A small agent runs on the host, streams the dump through compression and encryption, and uploads it straight to storage. Nothing of size is ever written to local disk.
-
End-to-end encrypted
Backups are encrypted on the host to your organisation’s public key. The control plane never sees plaintext during a backup; the only path through which it would ever decrypt is the future verify-restore loop, and only when you ask it to.
-
Storage you own
Backups go to your S3-compatible bucket or SFTP destination: AWS, Cloudflare R2, Backblaze, Wasabi, Hetzner, MinIO, or anything that speaks the protocol. We never hold the bytes.
-
Dashboard-driven restore
Pick a backup in the dashboard, point it at a target connection, and the agent does the rest.
-
Centralised retention
Retention lives in the control plane. The agent never decides, on its own initiative, what to delete.
-
A real audit log
Every backup, restore, configuration change, and credential access is recorded, append-only, with sensitive fields redacted on write.
┌────────────────── customer host ──────────────────┐
│ │
│ ┌──────────┐ ┌─────────────────────────┐ │
│ │ Postgres │ <─── │ dbcrate agent │ │
│ └──────────┘ libpq │ pg_dump → zstd → E2E │ │
│ │ → storage upload │ │
│ └────────────┬────────────┘ │
│ │ S3 API │
│ ▼ │
│ ┌─────────────────┐ │
│ │ object storage │ │
│ │ (your bucket) │ │
│ └─────────────────┘ │
└──────────────────────┬────────────────────────────┘
│ mTLS (heartbeats, config,
│ commands, status)
▼
┌──────────────────┐
│ control plane │
│ (no backup data │
│ ever touches │
│ this box) │
└──────────────────┘
-
Verified restores
Scheduled restores into a clean Postgres of the matching major version, with integrity checks and your validation queries. A paid feature when it lands.
-
Point-in-time recovery (Postgres)
Continuous WAL streaming on top of the scheduled base backup. Recover to a specific second, not just the last snapshot. Target RPO measured in seconds. Lands after verified restores.
-
Alerts
Slack, Discord, email, and webhooks on backup failure, missed schedules, and disconnected agents.
-
More engines
MySQL / MariaDB, MongoDB, Redis on the same agent. No dates — we’d rather ship one engine well than promise four.
-
2026-04-22
Why we restore every backup, every week
A schedule that completes is not a backup that works. What we found when we started actually trying the snapshots we had been quietly producing for months.
Early development. Not yet for production.
dbcrate is being built by a small team. APIs and configuration formats are subject to change without warning, and we are not, in good conscience, asking anyone to trust us with real backups until v1.0. v1.0 ships when we have earned it, and not before.
The site is here so the shape of the work can be read in advance of any commitment. We will write when there is something worth showing, and not a moment sooner.