Self-Hosted Backup Destinations on Windows

Self-hosting your backup destination means the only people who ever touch your data are you and whoever runs your VPS. No Backblaze, no Carbonite, no Acronis cloud sitting between you and your files. BackupKit treats NextCloud, ownCloud, Seafile, plain SFTP, and WebDAV as first-class destinations — same wizard, same encryption, same retention policies, just pointed at a server you own.

Who self-hosts backups

• Privacy-conscious users who don’t want a third-party cloud holding their data, encrypted or not.
• Developers and homelabbers who already run a VPS or home server and have spare disk.
• Small businesses with compliance requirements that make “data lives on our hardware” the simpler answer.
• People in regions where US-based cloud providers are slow, expensive, or politically awkward.

Supported self-hosted destinations

Setting it up with NextCloud (worked example)

1. Create a dedicated backup user in NextCloud. Settings → Users → New user. Give it a quota matching the storage you want to allocate.
2. Generate an app password for that user (Settings → Security → Devices & sessions). Use the app password, not the login password — safer if BackupKit’s credentials ever leak.
3. Find the WebDAV URL. NextCloud shows it at the bottom of the Files settings: https://your-cloud/remote.php/dav/files/USERNAME/
4. Add the WebDAV account in BackupKit. Paste the URL, username, app password. BackupKit verifies and lists the root folder.
5. Create the backup job. Source = local folder. Destination = the WebDAV account, optionally a subfolder like Backups/laptop/.
6. Configure encryption, schedule, retention, notifications. Save and activate.

Plain SFTP: even simpler

If you already have a VPS with SSH access, skip NextCloud entirely:

1. SSH into the VPS, create a user with a home directory on the volume you want to use, and grant SFTP access.
2. Optionally chroot the user to its home directory (ForceCommand internal-sftp + ChrootDirectory in sshd_config) so it can’t wander the filesystem.
3. In BackupKit, add the SFTP account: hostname, port (22), username, password (or SSH key).
4. Create the backup job pointed at that account.

No backup-server software to maintain, no NextCloud upgrades to track. Just files in a directory.

Why client-side encryption still matters

NextCloud has server-side encryption. Seafile encrypts libraries server-side. Both are useful for protecting against drive theft, but neither is end-to-end — the server holds keys. Client-side AES-256 in BackupKit means the archive is ciphertext from the moment it leaves your PC. Even a fully compromised NextCloud server reveals nothing.

This matters more for self-hosted backups than for cloud backups, because self-hosted servers often run with less hardening than commercial clouds — one missed security update, one weak admin password, and the host is compromised. AES-256 makes that compromise non-catastrophic.

Hardening tips

• Don’t share the user with anything else. Dedicated NextCloud account or SFTP user, scoped to one directory.
• Use app passwords or SSH keys rather than the main account credentials.
• Fail2ban on the server to throttle brute-force attempts.
• fail-closed firewall: only allow SFTP/HTTPS from your IPs if you have static addresses, otherwise rely on strong passwords + rate limiting.
• Off-site copy. Your self-hosted server is the off-site copy only if it’s actually in a different location than your PC. If both live in the same room, add a second cloud destination as well.

Common questions

Related

• All 14 supported storage destinations
• AES-256 client-side encryption feature
• Automated encrypted cloud backups (overview)
• Back up Windows to a NAS — on-prem alternative.
• Back up Windows to Amazon S3 — for an off-site cloud pair.