S3 | Plakar | The Open Standard for Backup and Restore

The S3 integration enables backup and restoration of S3 buckets through S3-compatible APIs. All bucket contents—including objects, metadata, and folder hierarchies—are captured and stored in a Kloset store with encryption and deduplication.

The S3 integration provides three connectors:

Connector type	Description
✅ Source connector	Back up S3 buckets into a Kloset store.
✅ Storage connector	Use S3-compatible storage as a Kloset store backend.
✅ Destination connector	Restore bucket contents from a Kloset store back to S3.

Installation

The S3 package can be installed using pre-built binaries or compiled from source.

Pre-compiled packages are available for common platforms and provide the simplest installation method.

Note: Pre-built packages require Plakar authentication. See Logging in to Plakar for details.

Install the S3 package:

$ plakar pkg add s3

Verify installation:

$ plakar pkg list

Source builds are useful when pre-built packages are unavailable or when customization is required.

Prerequisites:

Go toolchain compatible with your Plakar version

Build the package:

$ plakar pkg build s3

A package archive will be created in the current directory (e.g., s3_v1.0.0_darwin_arm64.ptar).

Install the package:

$ plakar pkg add ./s3_v1.0.0_darwin_arm64.ptar

Verify installation:

$ plakar pkg list

Check if the S3 package is installed:

$ plakar pkg list

To upgrade to the latest available version, remove the existing package and reinstall it:

$ plakar pkg rm s3
$ plakar pkg add s3

Existing configurations (stores, sources, destinations) are preserved during upgrade.

Source connector

The source connector retrieves objects from S3 buckets and stores them in a Kloset store with encryption and deduplication.

flowchart LR subgraph Source[S3 Bucket] fs@{ shape: cloud, label: "Objects" } end subgraph Plakar[Plakar] Connector@{ shape: rect, label: "Retrieve objects via
S3 API" } Transform@{ shape: rect, label: "Encrypt & deduplicate" } Connector --> Transform end Source --> Connector Store@{ shape: cyl, label: "Kloset Store" } Transform --> Store %% Apply classes class Source sourceBox class Plakar brandBox class Store storeBox %% Classes definitions classDef sourceBox fill:#ffe4e6,stroke:#cad5e2,stroke-width:1px classDef brandBox fill:#524cff,color:#ffffff classDef storeBox fill:#dbeafe,stroke:#cad5e2,stroke-width:1px linkStyle default stroke-dasharray: 9,5,stroke-dashoffset: 900,animation: dash 25s linear infinite;

Configuration

Create an S3 source configuration:

plakar source add my-s3-bucket \
  location=s3://<S3_ENDPOINT>/<BUCKET_NAME> \
  access_key=<YOUR_ACCESS_KEY_ID> \
  secret_access_key=<YOUR_SECRET_ACCESS_KEY> \
  use_tls=true

Back up the bucket to a Kloset store:

plakar at /var/backups backup "@my-s3-bucket"

If you don’t want to be prompted for a passphrase interactively (for example, when running automated backups), you can configure the passphrase directly in the store configuration:

plakar source add my-s3-bucket \
  location=s3://<S3_ENDPOINT>/<BUCKET_NAME> \
  access_key=<YOUR_ACCESS_KEY_ID> \
  secret_access_key=<YOUR_SECRET_ACCESS_KEY> \
  passphrase='<YOUR_ENCRYPTION_PASSPHRASE>' \
  use_tls=true

Configuration options

Option	Required	Description
`location`	Yes	S3 endpoint and bucket including region (format: `s3://s3.region.amazonaws.com/bucket`)
`access_key`	Yes	S3 Access Key ID
`secret_access_key`	Yes	S3 Secret Access Key
`passphrase`	No	Encryption passphrase (if not set, Plakar will prompt interactively)
`use_tls`	No	Enable TLS encryption for secure data transfer (recommended: `true` for internet connections)
`tls_insecure_no_verify`	No	Skips TLS certificate verification. It’s set to `false` by default (see warning below)

TLS Certificate Verification

The tls_insecure_no_verify parameter disables TLS certificate verification and should only be used in controlled testing environments.

When set to true, Plakar won’t validate TLS certificates when connecting over HTTPS. This makes your connection vulnerable to man-in-the-middle attacks where an attacker could intercept, read, or modify your backup data.

plakar store add my-internal-s3 \
  location=s3://internal-minio.company.local/backups \
  access_key=<YOUR_ACCESS_KEY_ID> \
  secret_access_key=<YOUR_SECRET_ACCESS_KEY> \
  use_tls=true \
  tls_insecure_no_verify=true

Only use this when:

Connecting to internal S3-compatible services with self-signed certificates in a trusted network
You fully understand the security implications

Never use this when:

Connecting to AWS S3 or any public cloud storage
Transferring data over the internet or untrusted networks
Handling production or sensitive data

For production environments, always use valid TLS certificates instead of disabling verification.

Storage connector

The storage connector uses S3-compatible storage as the backend for a Kloset store. All Plakar data—snapshots, chunks, metadata—is stored as S3 objects.

flowchart LR subgraph Sources[Any Source] fs@{ shape: cloud, label: "Data" } end subgraph Plakar[Plakar] Transform@{ shape: rect, label: "Encrypt & deduplicate" } Connector@{ shape: rect, label: "Store via
S3 API" } Transform --> Connector end Sources --> Transform subgraph Storage[S3 Storage] Store@{ shape: cyl, label: "Kloset Store" } end Connector --> Store %% Apply classes class Sources sourceBox class Plakar brandBox class Storage,Store storeBox %% Classes definitions classDef sourceBox fill:#ffe4e6,stroke:#cad5e2,stroke-width:1px classDef brandBox fill:#524cff,color:#ffffff classDef storeBox fill:#dbeafe,stroke:#cad5e2,stroke-width:1px linkStyle default stroke-dasharray: 9,5,stroke-dashoffset: 900,animation: dash 25s linear infinite;

Create an S3 storage configuration:

plakar store add my-s3-store \
  location=s3://<S3_ENDPOINT>/<BUCKET_NAME> \
  access_key=<YOUR_ACCESS_KEY_ID> \
  secret_access_key=<YOUR_SECRET_ACCESS_KEY> \
  use_tls=true

Initialize the Kloset store:

plakar at "@my-s3-store" create

Back up data from any source:

plakar at "@my-s3-store" backup /var/www

Destination connector

The destination connector restores objects from a Kloset store back to an S3 bucket.

flowchart LR Store@{ shape: cyl, label: "Kloset Store" } subgraph Plakar[Plakar] Transform@{ shape: rect, label: "Decrypt & reconstruct" } Connector@{ shape: rect, label: "Restore via
S3 API" } Transform --> Connector end Store --> Transform subgraph Destination[S3 Bucket] fs@{ shape: cloud, label: "Objects" } end Connector --> Destination %% Apply classes class Destination destinationBox class Plakar brandBox class Store storeBox %% Classes definitions classDef destinationBox fill:#d0fae5,stroke:#cad5e2,stroke-width:1px classDef brandBox fill:#524cff,color:#ffffff classDef storeBox fill:#dbeafe,stroke:#cad5e2,stroke-width:1px linkStyle default stroke-dasharray: 9,5,stroke-dashoffset: 900,animation: dash 25s linear infinite;

Configuration

Create an S3 destination configuration:

plakar destination add my-s3-restore \
  location=s3://<S3_ENDPOINT>/<BUCKET_NAME> \
  access_key=<YOUR_ACCESS_KEY_ID> \
  secret_access_key=<YOUR_SECRET_ACCESS_KEY> \
  use_tls=true

Restore a snapshot:

plakar at /var/backups restore -to "@my-s3-restore" <snapshot_id>