Astrari Vault · backup add-on
Recovery intelligence, not just backups.
Off-host, append-only, encrypted backups for the Linux servers and websites Astrari already watches. Built for the case backup tools rarely plan for: the host you're trying to recover from is itself the attacker. Ransomware on a Vaulted server can encrypt the live data — it cannot reach back to delete the backups.
Vault is in early access. Phase 1 — file backups for bare Linux, scheduled + on-demand, with sandbox restore from the dashboard — is shipping now. cPanel/Plesk per-account orchestration, database streaming and in-place restore are next; see the roadmap below.
£0.05 per GB stored / month · no per-server fee · 10 GB free restore egress / month
Why a security team should care
Append-only by design
The agent's B2 key can write new snapshots and list existing ones — but cannot delete. A host compromise can encrypt your live data, but it cannot wipe your backup history. Pruning runs from Astrari infrastructure with a separate full-permission key the host never sees.
Encrypted before it leaves the server
Backups are encrypted with restic on the server using a passphrase Astrari generates and shows you once. We hold an escrow copy wrapped with a separate key, so neither we nor Backblaze can read your backup contents — but we can still help you restore on a clean host when you've lost the original.
Same outbound posture as the agent
Vault uses the existing outbound HTTPS channel. No new inbound ports. No SSH from Astrari to your server. The same security model that lets the Astrari agent live on your edge servers covers backup too.
Recovery score, not just uptime
Every Vaulted asset gets a 0–100 recovery score combining backup recency, success rate, integrity-check pass rate, and verified-restore. Alert on it like any other security finding — a stale backup is a security finding.
vs. a typical backup add-on
Most "backup" plans bolted onto a security product give you a copy of your files in a bucket. That solves user error. It doesn't solve a hostile host. Here's where Vault is different.
| What matters | Astrari Vault | Typical backup add-on |
|---|---|---|
| Backups a compromised host can't delete | Yes — append-only B2 credentials on the agent | Usually no — host can wipe its own history |
| Recoverable after ransomware on the host | Yes — backup history survives the host | Backups often share storage with the live data |
| Off-host storage by default | Yes — Backblaze B2 (EU/Amsterdam default) | Often local first, off-host as add-on |
| Linux server file backups (not just WP) | Yes — paths-based, any server | WordPress-only on most security plugins |
| Integrated with security findings | Yes — restore suggested when malware/integrity finding lands | Backup tool and security tool live separately |
| Encryption key holder | Customer-controlled, Astrari holds escrow copy | Vendor holds the key (or no encryption) |
| Verified restorability | Periodic restore-to-sandbox + recovery score | "Backup ran" only, no restore proof |
Recovery after ransomware
What happens if a Vaulted host is hit
A ransomware operator with root on the host has the same B2 credentials the agent does. Those credentials can write new files and read old ones — they cannot delete or overwrite. The attacker can encrypt every byte of the live filesystem; they cannot encrypt what's already in the backup bucket.
Recovery is then a straightforward operation: rebuild on a clean host, run restic restore against the same B2 bucket using the encrypted escrow passphrase Astrari generated when you provisioned the target. Pruning — the only delete-capable operation on the bucket — runs from Astrari's infrastructure, not from the customer host, so the deletion key is never present where ransomware can steal it.
An honest line on residual risk: Vault relies on Astrari's infrastructure to keep the pruner key safe. We're working on storage-layer immutability (B2 Object Lock) so backups are protected even from a compromise of Astrari itself, within a fixed retention window. That ships in a future release; today's guarantee is "safe from a compromise of your host."
How it works
1. Configure on a server you already monitor
   Open the server in your Astrari dashboard, click "Configure backups". Provide an Astrari-generated B2 bucket (or your own) and choose what paths to back up.
2. The agent runs restic under nice/ionice
   On a schedule you set (default 03:00 UTC), the agent runs restic with B2 as the backend. nice -n 19 and ionice -c 3 keep CPU and disk pressure off your live workload.
3. Snapshots land in B2 with an append-only key
   The agent's key can write new snapshots and list existing ones — that's it. A compromised host cannot delete your backup history. Pruning runs from Astrari infrastructure with a separate key.
4. Astrari tracks the recovery story, not just the run
   Every snapshot reports back. The dashboard rolls up a recovery score per asset, alerts on failures and stale backups, and runs periodic restore tests to a sandbox path on the host — so the score reflects something more than "the file made it to the bucket".
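One way to check the append-only claim in step 3 for the key that actually sits on a host, as an added example that is not Astrari's code. It audits a key's capability list (the capability names are Backblaze B2's; the record layout, key IDs and bucket IDs are constructed placeholders) and reports anything that would let the host delete or expire backup history, or that blurs the agent/pruner key separation.

```python
# Added example: audit a B2 application key for an append-only posture.
# Capability names are Backblaze B2's; key and bucket IDs are constructed.

REQUIRED = {"listFiles", "writeFiles"}  # list existing snapshots, write new ones
DESTRUCTIVE = {
    "deleteFiles",            # delete file versions
    "deleteBuckets",          # delete the bucket
    "writeBuckets",           # edit bucket settings, including lifecycle rules
    "writeKeys",              # create further application keys
    "deleteKeys",             # delete application keys
    "bypassGovernance",       # bypass Object Lock governance-mode retention
    "writeFileRetentions",    # change a file's Object Lock retention
    "writeBucketRetentions",  # change the bucket's default retention
}


def audit_agent_key(agent, pruner_key_id=None):
    """Return findings for the host-side key; an empty list means append-only.

    `agent` is a dict with keyId, bucketId and capabilities (assumed layout).
    """
    caps = set(agent.get("capabilities", []))
    findings = [f"missing:{c}" for c in sorted(REQUIRED - caps)]
    findings += [f"destructive:{c}" for c in sorted(caps & DESTRUCTIVE)]
    if not agent.get("bucketId"):
        # No bucket restriction: the key reaches every bucket in the account.
        findings.append("scope:not-restricted-to-one-bucket")
    if pruner_key_id is not None and agent.get("keyId") == pruner_key_id:
        # The delete-capable key must never be the one deployed on the host.
        findings.append("separation:agent-key-is-the-pruner-key")
    return findings


# Constructed sample records, not real credentials.
APPEND_ONLY_KEY = {
    "keyId": "EXAMPLE-AGENT-KEY",
    "bucketId": "EXAMPLE-BUCKET",
    "capabilities": ["listBuckets", "listFiles", "readFiles", "writeFiles"],
}
OVERPOWERED_KEY = {
    "keyId": "EXAMPLE-PRUNER-KEY",
    "bucketId": None,
    "capabilities": ["listFiles", "readFiles", "writeFiles", "deleteFiles", "writeBuckets"],
}

if __name__ == "__main__":
    for key in (APPEND_ONLY_KEY, OVERPOWERED_KEY):
        result = audit_agent_key(key, pruner_key_id="EXAMPLE-PRUNER-KEY")
        print(key["keyId"], result or "append-only")
```

Feed it the capability list that the B2 console or API reports for the key deployed on the host; any finding other than an empty list is worth raising before relying on the backup history.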
Where the data lives
- EU (Amsterdam) by default for UK and EU customers — keeps data inside the relevant jurisdiction without you having to ask.
- US-West and US-East selectable for customers who want them.
- Encrypted client-side via restic before upload — Backblaze sees opaque blobs, we see opaque blobs.
- Backblaze B2 is listed in the trust centre as an opt-in sub-processor — only invoked when you configure a Vault target.
What's coming next
Phase 1 is files-only and self-provisioning. The next two phases are scoped and queued:
- Database streaming (mariadb-dump → restic --stdin, no disk staging)
- cPanel / WHM and Plesk per-account backup orchestration
- Per-site and per-database restore scopes
- Side-by-side restore (default) and 2FA-gated in-place restore
- Cross-server disaster restore (insurance against host loss)
- Periodic restore-to-sandbox verification + restorability attestation in monthly reports
Want early access?
Vault is rolling out to existing Astrari customers first. If you're already on the platform, the panel is on your server detail pages now. If you're new, start with the free Starter plan — Vault attaches to any server you add later.