Databasus is a free, open source and self-hosted tool to backup PostgreSQL. Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). With a focus on Point-in-Time Recovery at low RPO/RTO
<a href="#-features">Features</a> •
<a href="#-installation">Installation</a> •
<a href="#-usage">Usage</a> •
<a href="#-license">License</a> •
<a href="#-contributing">Contributing</a>
<a href="https://databasus.com" target="_blank"><strong>🌐 Databasus website</strong></a>
Databasus performs a real restore to confirm backups are usable, not just intact on disk or checksum check.
You have four ways to install Databasus:
You have four ways to install Databasus: automated script (recommended), simple Docker run, or Docker Compose setup.
The installation script will:
sudo apt-get install -y curl && \
sudo curl -sSL https://raw.githubusercontent.com/databasus/databasus/refs/heads/main/install-databasus.sh \
| sudo bash
The easiest way to run Databasus:
docker run -d \
--name databasus \
-p 4005:4005 \
-v ./databasus-data:/databasus-data \
--restart unless-stopped \
databasus/databasus:latest
This single command will:
./databasus-data directoryCreate a docker-compose.yml file with the following configuration:
services:
databasus:
container_name: databasus
image: databasus/databasus:latest
ports:
- "4005:4005"
volumes:
- ./databasus-data:/databasus-data
restart: unless-stopped
healthcheck:
test: ["CMD", "databasus", "healthcheck"]
interval: 30s
timeout: 5s
retries: 3
start_period: 60s
Then run:
docker compose up -d
For Kubernetes deployments, install directly from the OCI registry.
With ClusterIP + port-forward (development/testing):
helm install databasus oci://ghcr.io/databasus/charts/databasus \
-n databasus --create-namespace
kubectl port-forward svc/databasus-service 4005:4005 -n databasus
# Access at http://localhost:4005
With LoadBalancer (cloud environments):
helm install databasus oci://ghcr.io/databasus/charts/databasus \
-n databasus --create-namespace \
--set service.type=LoadBalancer
kubectl get svc databasus-service -n databasus
# Access at http://<EXTERNAL-IP>:4005
With Ingress (domain-based access):
helm install databasus oci://ghcr.io/databasus/charts/databasus \
-n databasus --create-namespace \
--set ingress.enabled=true \
--set ingress.hosts[0].host=backup.example.com
For more options (NodePort, TLS, HTTPRoute for Gateway API), see the Helm chart README.
http://localhost:4005If you need to reset the password, you can use the built-in password reset command:
docker exec -it databasus ./main --new-password="YourNewSecurePassword123" --email="admin"
Replace admin with the actual email address of the user whose password you want to reset.
After installation, it is also recommended to backup your Databasus itself or, at least, to copy secret key used for encryption (30 seconds is needed). So you are able to restore from your encrypted backups if you lose access to the server with Databasus or it is corrupted.
Databasus works with sensitive data, so preventing vulnerabilities, unauthorised access and data leaks is a primary concern. We invest in this on both sides of the system: in the code itself (permission checks, encryption, careful handling of secrets) and in the infrastructure around it (dependency analysis, CVE response, DevSecOps best practices). The pipeline below runs automatically on every commit and PR. No single layer is enough on its own, but together they reduce the chance of vulnerable code, unsafe dependencies, broken images, or non-restorable backups reaching a release.
For static analysis we combine several independent passes. CodeQL scans the full codebase for security issues. CodeRabbit reviews every PR and runs gitleaks for secret scanning and semgrep for security rules inline. Dockerfiles and CI workflows get extra rules of their own (pinned action references, least-privilege permissions, suspicious base images), so insecure patterns are flagged before they ever merge. On top of these per-PR checks, Codex Security from OpenAI runs regular, deeper audits of the whole codebase. It's a separate program that catches architectural and cross-cutting issues narrow PR-time scans can miss.
On the dependency side, Dependabot watches all of our dependencies against the GitHub Advisory Database and surfaces CVEs within minutes of publication. Updates run through a cooldown so newly-published versions get a chance to mature before we adopt them. This is a deliberate defence against compromised-package incidents like supply-chain attack. The Dependency Review Action blocks any PR that introduces a new HIGH or CRITICAL CVE outright.
Container images are scanned with Trivy on every build. A separate Trivy pass on the Dockerfile catches misconfigurations before they make it into an image. All GitHub Actions are pinned to full commit SHAs rather than floating tags like @v4 or @main, which have been an active attack vector in 2025. Workflows default to least-privilege permissions and only elevate per-job when genuinely needed.
Critical paths are covered by both unit and integration tests, run against real database containers for every supported engine and major version. Restore is the path that matters most for a backup tool, so we test it explicitly: every PR runs full backup-then-restore cycles against those same real containers, verifying that backups can actually be restored end-to-end, not just written successfully. The rest of the CI/CD pipeline runs lint, type-check, the full test suite, image smoke tests and multi-architecture builds on every PR. A release only ships if all of it passes.
Found a vulnerability? Report it via the GitHub Security tab. See SECURITY.md. Security reports are the highest-priority work queue. For runtime application security (AES-256-GCM at rest, zero-trust storage, encrypted secrets, read-only DB user by default) see Enterprise-grade security in the Features section above.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details
Contributions are welcome! Read the contributing guide for more details, priorities and rules. If you want to contribute but don't know where to start, message me on Telegram [@rostislav_dugin](ht
$ claude mcp add databasus \
-- python -m otcore.mcp_server <graph>