Last updated October 14, 2024
The Eppalock add-on is currently in beta.
Eppalock is an add-on for simple and secure offsite backups of your Postgres database. Offsite backups are critical for data resiliency and required for following best practices of data redundancy. Whether your users ask for it, your compliance demands it, your certification outlines it, or you prioritize it internally, offsite database backups are important for successful, sustainable, and secure software businesses.
Benefits
Heroku does a great job at backing up databases. Depending on your Postgres plan, you can schedule backups or create manual backups on demand. Standard-tier and higher databases offer rollback, so you can restore your database back to a previous point. Eppalock adds onto Heroku’s native backup capabilities by providing:
- Offsite backups: Heroku stores backups on Heroku-owned infrastructure. Offsite backups offer the greatest defense against losing access to your Heroku account or your Heroku backups themselves. Having a backup that isn’t tied to your Heroku account or infrastructure means you can respond quickly when something goes wrong.
- Scheduled backups: To set and view scheduled backups on Heroku, you must use the CLI. Eppalock offers a simple UI where you can schedule your backups in a single click. You have more control over backup intervals with options to schedule hourly, daily, weekly, or monthly backups.
- Data retention: Heroku retains daily backups for up to a week. With Eppalock, you can keep your backups for weeks, months, or years. We can also automatically delete your backups when they’re a day, a week, or a month old.
- Notifications: When a scheduled backup fails on Heroku, you don’t receive a notification. Eppalock sends a notification when a scheduled backup fails, so you don’t have to manually verify if a backup was successful.
How Eppalock Works
Eppalock executes backups via one-off dynos that count towards your monthly usage.
We engineered Eppalock to be as secure as possible while still being a user-friendly and native experience. Other database backup add-ons require you to install and run separate apps on your Heroku account, which can be confusing and costly. With Eppalock, you install the add-on, follow a simple configuration process, and you’re done.
While ease of use is a priority, a secure and robust process is the main focus of Eppalock. To ensure integrity and a minimal surface of exposure, the backup and encryption process happens on a Heroku dyno and not our servers.
Creating a backup with Eppalock happens in these steps:
- Eppalock creates a secure one-off dyno on Heroku.
- Eppalock creates the backup of your Postgres database.
- Eppalock encrypts the backup.
- Eppalock sends the backup to your AWS S3 bucket.
- You get a notification when your backup is stored in your S3 bucket.
Provisioning the Add-on
Reference the Eppalock Elements Page for a list of available plans and regions.
Web Interface
To provision Eppalock from the Heroku Add-ons marketplace, click the Install Eppalock button.
Command-Line Interface (CLI)
Attach Eppalock to a Heroku application via the CLI:
Heroku Dashboard
You can install Eppalock via the Resources tab of your Heroku app.
Local Setup
Configuration
The first time you open the dashboard you must configure Eppalock for backups:
We don’t store your connection string and encryption key on Eppalock’s servers. When you update them via the dashboard, we send them to Heroku for safekeeping.
Connection String
Eppalock is structured so it doesn’t have automatic access to your database URL, commonly DATABASE_URL on your app. You must provide a Postgres connection string for read-only access to your database. Eppalock doesn’t need write access. You must create a credential and give it the required read-only permissions.
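One way to script the read-only credential described above, as an added example that is not Eppalock's or Heroku's own code. The app name `example-app`, the `DATABASE` attachment, the role name `backupreader`, and the `public` schema are assumptions, as is the role name matching the credential name.

```shell
#!/bin/sh
# Added example: read-only Postgres credential for a backup tool.
# Assumed names: app "example-app", attachment DATABASE, role "backupreader".

# Accept only plain lowercase identifiers, because the role and schema
# names are interpolated into the SQL below.
is_ident() {
  case "$1" in
    '' | [!a-z_]* | *[!a-z0-9_]*) return 1 ;;
  esac
}

# Print grants that let a role read, but never modify, one schema.
# Sequences are included on the assumption that the backup is a logical
# dump, which reads sequence values as well as table rows.
# ALTER DEFAULT PRIVILEGES covers objects created later by the role that
# runs these statements (here, the default credential).
readonly_grants_sql() (
  role="$1" schema="${2:-public}"
  is_ident "$role" && is_ident "$schema" || { echo "invalid identifier" >&2; exit 1; }
  cat <<SQL
GRANT USAGE ON SCHEMA ${schema} TO ${role};
GRANT SELECT ON ALL TABLES IN SCHEMA ${schema} TO ${role};
GRANT SELECT ON ALL SEQUENCES IN SCHEMA ${schema} TO ${role};
ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT SELECT ON TABLES TO ${role};
ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT SELECT ON SEQUENCES TO ${role};
SQL
)

# Create the credential, apply the grants as the default credential, then
# print the connection string to paste into the Eppalock dashboard.
# If the new role is not active yet, re-run the grant step after a moment.
create_backup_credential() (
  app="$1" role="$2"
  sql="$(readonly_grants_sql "$role")" || exit 1
  heroku pg:credentials:create DATABASE --name "$role" -a "$app" &&
    heroku pg:psql DATABASE -a "$app" -c "$sql" &&
    heroku pg:credentials:url DATABASE --name "$role" -a "$app"
)

# Runs only when called as: sh readonly-credential.sh example-app backupreader
if [ "$#" -eq 2 ]; then create_backup_credential "$1" "$2"; fi
```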
Encryption Key
Each backup is encrypted with AES-256-CBC using a unique encryption key for each database. During initial configuration, we provide a generated key you can use, or you can provide your own. Keep a record of the encryption key; you need it to decrypt any backup.
Schedule
You can configure Eppalock to run backups hourly, daily, weekly, or monthly depending on your Eppalock plan. You can also enable backup deletion to delete backups older than an hour, day, week, or month depending on your plan. Eppalock only deletes files in the storage location that it created. Other files remain untouched regardless of their age.
Storage Credentials
Eppalock currently supports sending backups offsite to Amazon’s S3 service. You must generate an access key and secret key. You must also provide the name of the bucket to send the backups to and the AWS region that bucket is in. We recommend following the instructions to generate an access key and a secret key just for Eppalock.
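A sketch of a dedicated IAM user whose key can only touch the backup bucket, as an added example that is not Eppalock's own code. The user name, policy name, and bucket name are placeholders. This page does not list the S3 actions Eppalock requires, so the action set below (upload, delete, list, no read) is an assumption derived from the upload and deletion behaviour described above.

```shell
#!/bin/sh
# Added example: IAM user scoped to a single backup bucket.
# Assumed names: user "eppalock-backup", bucket "example-backups".

# Print an inline policy limited to one bucket. The bucket name is checked
# first because it is interpolated into the JSON document.
eppalock_s3_policy() (
  bucket="$1"
  case "$bucket" in
    '' | *[!a-z0-9.-]*) echo "invalid bucket name" >&2; exit 1 ;;
  esac
  cat <<JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteAndExpireBackups",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Sid": "ListBackupBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    }
  ]
}
JSON
)

# Create the user, attach the inline policy, and issue one access key.
# The secret key is printed once; enter it in the Eppalock dashboard.
create_backup_user() (
  user="$1" bucket="$2"
  policy="$(eppalock_s3_policy "$bucket")" || exit 1
  aws iam create-user --user-name "$user" &&
    aws iam put-user-policy --user-name "$user" \
      --policy-name eppalock-backup-bucket --policy-document "$policy" &&
    aws iam create-access-key --user-name "$user"
)

# Runs only when called as: sh backup-user.sh eppalock-backup example-backups
if [ "$#" -eq 2 ]; then create_backup_user "$1" "$2"; fi
```

Leaving out `s3:GetObject` means a leaked backup key cannot be used to download existing backups; restores then use a separate credential. If the dashboard reports access errors with this policy, widen it one action at a time.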
Usage
Dashboard
You can view your backup history and configure Eppalock via the dashboard. To access the dashboard, click the Eppalock add-on on the Overview tab of your Heroku app.
Alternatively, you can open the dashboard from the Heroku CLI:
$ heroku addons:open eppalock -a example-app
Opening https://addons-sso.heroku.com/apps/6...
Migrating Between Plans
Application owners must carefully manage the migration timing to ensure proper application function during the migration process.
Use the heroku addons:upgrade command to migrate to a new plan.
$ heroku addons:upgrade eppalock:pro
-----> Upgrading eppalock:pro to example-app.. done ($20/mo)
Your plan has been updated to: eppalock:pro
Removing the Add-on
You can still access your backups on your S3 instance when you remove the add-on.
Remove Eppalock via the CLI:
This action destroys all associated data and you can’t undo it!
$ heroku addons:destroy eppalock
-----> Removing eppalock from example-app... done, v20 (free)
Support
Submit all Eppalock support and runtime issues via one of the Heroku Support channels. Any non-support-related issues or product feedback is welcome at help@eppalock.com.