Cloud storage is convenient, but it is not always the best fit for large backups, privacy-focused environments, or labs where you want full control. A practical alternative is running your own S3-compatible object storage. In this tutorial, you will set up MinIO (an S3-compatible object storage server) on Ubuntu Server, secure it with a firewall, and then use rclone to sync backups to your new storage. The result is a modern backup target that works with many tools that already support Amazon S3.
What you will build
You will install MinIO as a system service, create a dedicated data directory, enable the MinIO web console, and harden access. Then you will configure rclone to push a local folder (your backups) into a bucket. This approach is useful for home labs, small businesses, and IT teams that want S3-style APIs without paying per-GB cloud fees.
Prerequisites
You need an Ubuntu Server (20.04/22.04/24.04 are fine), a user with sudo privileges, and at least one disk with enough space for your backup data. For best performance and safety, use a separate disk or mount point (for example, /mnt/minio). You should also know the server’s IP address and have SSH access.
Step 1: Create a MinIO user and storage path
First, create a dedicated system user and a directory for your objects. Keeping MinIO isolated makes permissions and troubleshooting much easier.
Commands:
sudo useradd --system --home /etc/minio --shell /sbin/nologin minio
sudo mkdir -p /mnt/minio
sudo chown -R minio:minio /mnt/minio
Step 2: Install the MinIO server binary
MinIO distributes a single binary. Download it, place it in /usr/local/bin, and make it executable.
cd /tmp
curl -LO https://dl.min.io/server/minio/release/linux-amd64/minio
sudo install minio /usr/local/bin/minio
Step 3: Create a configuration file
MinIO reads environment variables from a config file. Create /etc/default/minio and define your storage path, console port, and admin credentials. Use a strong password and store it safely.
sudo nano /etc/default/minio
Example configuration:
MINIO_VOLUMES="/mnt/minio"
MINIO_OPTS="--console-address :9001 --address :9000"
MINIO_ROOT_USER="minioadmin"
MINIO_ROOT_PASSWORD="CHANGE_THIS_TO_A_LONG_RANDOM_PASSWORD"
Then lock down permissions so regular users cannot read secrets.
sudo chown root:root /etc/default/minio
sudo chmod 600 /etc/default/minio
Step 4: Install a systemd service for MinIO
Running MinIO under systemd gives you automatic restarts and clean startup on boot.
sudo nano /etc/systemd/system/minio.service
Paste this service file:
[Unit]
Description=MinIO
After=network-online.target
Wants=network-online.target
[Service]
User=minio
Group=minio
EnvironmentFile=-/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
Restart=always
LimitNOFILE=65536
TasksMax=infinity
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable --now minio
sudo systemctl status minio --no-pager
Step 5: Open firewall ports (or restrict them)
MinIO uses port 9000 for the S3 API and 9001 for the web console. If you use UFW, open only what you need. If this server is internal-only, restrict access to a management subnet.
sudo ufw allow 9000/tcp
sudo ufw allow 9001/tcp
sudo ufw enable
After this, the console should be reachable at http://SERVER_IP:9001. Log in with the root user and password you set earlier.
Step 6: Create a bucket for backups
Inside the MinIO console, create a bucket such as backups. Buckets are like top-level containers. You can also create separate buckets for endpoints like workstations, servers, or projects.
Step 7: Install and configure rclone on a client
Now install rclone on the machine that will send backups (this can be the same server or a different system). rclone supports S3-compatible endpoints, so it works well with MinIO.
sudo apt update
sudo apt install -y rclone
Run the configuration wizard:
rclone config
Create a new remote, choose s3, then set these key options:
Provider: Minio
Endpoint: http://SERVER_IP:9000
Access key ID / Secret access key: use credentials from MinIO (preferably a dedicated user, not the root account)
Region:
Step 8: Sync a local backup folder to MinIO
Assume your backups are stored in /srv/backups and your bucket is backups. Use sync to mirror the folder to object storage. If you want safer behavior, start with copy first.
rclone sync /srv/backups minio-remote:backups --progress --transfers 8
For ongoing operations, add logging and run it on a schedule with cron or a systemd timer. A simple cron example (daily at 01:30):
crontab -e
30 1 * * * rclone sync /srv/backups minio-remote:backups --log-file=/var/log/rclone-minio.log --log-level INFO
Troubleshooting tips
Console not reachable: verify MinIO is listening on ports 9000/9001 with ss -tulpn | grep 900 and confirm firewall rules.
Access denied from rclone: use a dedicated MinIO user and policy, confirm the access key/secret, and ensure the bucket name matches.
Slow performance: check disk throughput, avoid storing data on the OS disk, and consider using faster NICs or enabling multi-disk MinIO setups for scale.
Next steps
Once the basics work, consider adding HTTPS behind a reverse proxy (Nginx or Caddy), creating separate users and policies per team, and enabling bucket versioning for accidental deletion protection. With MinIO plus rclone, you get a flexible, modern backup target that speaks S3 while staying under your control.
Comments
Post a Comment