๐ก๏ธ Backup Manager
๐ฆ Classic profiles โ backup to external drive, network share, SSH server, or S3 cloud storage.๐ Anti-Ransomware profiles โ backup to Amazon AWS S3 with Object Lock, the technology used in banking . Your data becomes impossible to delete , even by ransomware.
โ
100 % automatic โ daily backups, email alerts, integrity checks
โ
No AWS knowledge needed โ the wizard creates and locks everything
โ
Free and open-source โ no subscription, no account
โ
Windows 10 / 11 โ one-click MSI installer
Two modes
Classic Anti-Ransomware (anti-ransomware)Destination USB / network share / SFTP / S3 Amazon AWS S3 with Object Lock Setup 3 steps 11 guided steps โ AWS signup and bucket done for you Protection Encryption + integrity checks Classic + backups that cannot be deleted before their retention date For whom You already have a drive or NAS You want to survive a full ransomware attack
What Anti-Ransomware does once the wizard finishes
๐
Monthly full + daily differential (only changed files)
๐ Each backup locked on S3 for your chosen duration โ even you cannot delete it
โ
SHA-256 integrity check after every upload
๐ง Optional email on success / failure
๐งน Old backups past their lock date auto-deleted by S3 Lifecycle
๐ Missed a run? Catches up on next startup. Retries on failure.
Retention
Duration Use 4 months (default)Ransomware dwell time is ~3 months โ this covers it with margin. 13 months Rolling one-year protection. 7 years Regulatory archives. Custom 2 to 20 years.
Cost shown in the wizard before you commit (10 GB โ 800 GB, based on AWS S3 Glacier IR pricing). AWS bills you directly.
Key features
S3 Object Lock Compliance Ransomware-proof, Anti-Ransomware mode 4 storage backends Local / USB, network share, SFTP, S3 +2 mirror copies Independent, per-destination encryption AES-256-GCM streaming Nothing written in plaintext GFS rotation (classic mode)Daily / weekly / monthly SHA-256 integrity Pre, post, and periodic checks DPAPI password storage Windows user-bound Adaptive bandwidth Throttling for slow links (Starlink-tested)
Storage backends
Destination Description Local / USB Any local drive, external HDD, or removable USB. Auto-detection by hardware serial so drive-letter changes do not break the profile. Network (UNC) Windows shared folder (\\server\share) with username / password. Credentials go through Windows Credential Manager. SFTP (SSH) Password or private key (Ed25519, ECDSA, RSA). Server-side tar-stream when the remote allows an exec channel. Amazon AWS S3 With optional Object Lock for the Anti-Ransomware mode. S3-compatible Scaleway, Wasabi, OVH, DigitalOcean, Cloudflare R2, Backblaze B2, MinIO.
Main interface
Tab Description Run Launch a backup, watch progress and logs General Mode, profile name, source folders, exclusions, bandwidth Storage / Mirror 1 / Mirror 2 Primary and up to 2 mirror destinations Encryption AES-256-GCM toggle per destination Schedule Frequency, time, auto-retry, periodic verification Protection Object Lock status, retention, bucket (Anti-Ransomware) Retention GFS policy (classic mode) Email SMTP with provider presets and test button Recovery Restore from local or remote (SFTP, S3, network) Verify On-demand integrity verification History Past backup logs with status column
Security architecture
Defense in depth โ independent layers, each designed to fail safely.
S3 Object Lock (Anti-Ransomware mode)
Layer Mechanism Deletion resistance S3 Object Lock Compliance โ the bucket rejects delete and overwrite requests until the per-object retention date Full backups Locked for retention + 30 days so the last full outlives its dependent differentials Differential backups Locked for the retention period Cleanup S3 Lifecycle removes objects after the lock expires No app-side delete Backup Manager never issues a delete against a locked bucket
Encryption at rest โ .tar.wbenc streaming format
No plaintext data is ever written to disk:
Header (37 B):
[4B magic "WBEC"] [1B version] [16B salt] [16B reserved]
Body (repeating chunks):
[4B plaintext length] [12B nonce] [ciphertext + 16B GCM tag]
EOF sentinel:
[4B zeros]Cipher and key derivation
Parameter Value Rationale Cipher AES-256-GCM NIST-approved authenticated encryption Key size 256 bits Largest AES key length Nonce 12 B sequential counter Unique per chunk, never reused Auth tag 16 B (128 bit) Detects tampering and corruption KDF PBKDF2-HMAC-SHA256 Standard password-based KDF Iterations 600 000 OWASP 2024 guidance Salt 16 B os.urandom() Per-backup, prevents rainbow tables
Password storage
Platform Method Details Windows DPAPI (CryptProtectData) Tied to the current Windows user account Fallback AES-256-GCM with a DPAPI-wrapped 32-byte machine key Used if DPAPI is unavailable
Summary
Layer Mechanism Ransomware resistance S3 Object Lock Compliance (Anti-Ransomware mode) Data at rest AES-256-GCM streaming (.tar.wbenc) Key derivation PBKDF2-HMAC-SHA256, 600 000 iterations, random salt Password storage Windows DPAPI + AES-256-GCM fallback Integrity SHA-256 manifest + post-write verify + GCM auth tag Transport SSH / HTTPS / SMB Memory Explicit buffer zeroing on sensitive paths Path safety Traversal-proof remote path validation Logging No secrets in any log output Bug reports Dual HMAC + Ed25519 signed diagnostics, injection-proof Build Nuitka native C compilation (no extractable bytecode)
Testing
pytest # full suite
pytest --cov=src --cov-report=term-missing # with coverageCurrent status: 1429 tests, 85 % coverage, 0 failures.
CI (GitHub Actions, every push): Black formatting, Ruff linting (Ubuntu), full pytest with coverage enforcement (Windows, Python 3.12 + 3.13).
Build from source
Prerequisites
Python 3.11+ (tested on 3.12 and 3.13)
Nuitka (Python โ C compiler)MSVC Build Tools
WiX Toolset v3.14 (MSI only)
Commands
git clone https://github.com/loicata/backup-manager.git
cd backup-manager
pip install -r requirements.txt
python -m src # dev run
python build_nuitka.py # -> dist/BackupManager/BackupManager.exe
python build_msi.py # -> dist/BackupManager-x.y.z.msiProject structure
backup-manager/
โโโ src/
โ โโโ core/ # Backup engine, scheduler, config, pipeline
โ โ โโโ backup_engine.py # Main orchestrator (11-phase pipeline)
โ โ โโโ config.py # Profile dataclasses + JSON persistence
โ โ โโโ events.py # Thread-safe event bus for UI updates
โ โ โโโ bandwidth_tester.py # Adaptive bandwidth measurement
โ โ โโโ integrity_verifier.py # Periodic integrity verification
โ โ โโโ scheduler.py # In-app scheduler + auto-start
โ โ โโโ phases/ # Pipeline phases
โ โ โโโ collector.py # File collection + exclusion filtering
โ โ โโโ filter.py # Differential change detection
โ โ โโโ encryptor.py # Streaming tar encryption
โ โ โโโ writer.py # Write dispatcher (local / remote)
โ โ โโโ verifier.py # Post-write integrity verification
โ โ โโโ mirror.py # Mirror replication orchestrator
โ โ โโโ rotator.py # GFS retention rotation
โ โโโ storage/ # Storage backends
โ โ โโโ local.py # Local / USB with drive-serial detection
โ โ โโโ network.py # SMB / CIFS network shares
โ โ โโโ sftp.py # SSH with tar-stream
โ โ โโโ s3.py # S3 + Object Lock
โ โ โโโ s3_setup.py # Bucket provisioning + cost simulation
โ โ โโโ base.py # Abstract backend + retry + throttling
โ โโโ security/ # Encryption, DPAPI, secure memory
โ โโโ notifications/ # SMTP email with HTML reports
โ โโโ ui/ # Tkinter GUI (Sun Valley theme)
โ โโโ wizard.py # Classic (3 steps) + Pro (11 steps) wizard
โ โโโ app.py # Main window with mode selector
โ โโโ tabs/ # Tab implementations
โโโ tests/ # 1429 tests (unit + integration)
โโโ CHANGELOG.md
โโโ requirements.txt
โโโ pyproject.tomlRequirements
Requirement Version OS Windows 10 / 11 Python 3.11+ (dev only โ end users install the MSI) cryptography >= 43.0.0 paramiko >= 3.0.0 boto3 >= 1.35.0 Pillow >= 10.0.0 pystray >= 0.19.0 sv_ttk >= 2.6.0
License โ GPL v3.0 โ ยฉ 2026 Loic Ader โ loicata.com
Issues / PRs โ welcome on GitHub . Open an issue first for anything significant.
