UniFi Cloud Key Gen2 in Rack

Off-site UniFi Protect Backup

Dec 16, 2023

I'm a massive fan of the UniFi Protect eco-system, yes it can get a little pricey compared to real consumer gear but it simply just works and it works well, all while on-site away from prying eyes. The issue with all of this is that a savvy burglar is going to look for your NVR system and take all the footage with them. Unfortunately I've seen a few threads on Reddit of this happening.

Physical Security

The Unifi Cloud Key Gen2 Plus has a security slot so that a Kensington lock can be used to secure the system. Having a look at the other Unifi products suggests that all the other systems that can run the Protect application don't have this which is a little disapointing.

Off-Site Backup

I would have hoped this is a feature that Unifi would build into the Protect application. I did hear rumors many years ago that this was something they were working on, given the number of years that have passed I'm guessing they have given up on this.

There are a few ways to backup you footage off-site:

  • rsync the video directories on the Cloud Key to a separate machine
  • Enable the RTSP to send the video streams off-site
  • Endless janky scripts

I've been using a docker container from Sebastian Goscik - https://github.com/ep1cman/unifi-protect-backup for close to 2 years now and it has effortlessly shipped of all my motion events to S3 as they happen.

Setting up Unifi-Protect-Backup with Docker

We'll be deploying this in Docker, I personally run a Debian VM just for this but a Raspberry Pi will also do the job. You'll want this to be local and likely on the same network as the Unifi Cloud Key.

Unifi-Protect-Backup uses rclone for the backend support meaning a load of Cloud providers and protocols are supported out the box such as:

  • S3
  • Dropbox
  • FTP
  • SFTP
  • SMB
  • WebDAV

Look through there docs and create a rclone.conf config for your cloud provider, I'll be using Scaleway S3 compatible storage. The template for this:

[scaleway]
type = s3
provider = Scaleway
env_auth = false
endpoint = s3.nl-ams.scw.cloud
access_key_id = SCWXXXXXXXXXXXXXX
secret_access_key = 1111111-2222-3333-44444-55555555555555
region = nl-ams
location_constraint =
acl = private
server_side_encryption =
storage_class =

Once your rclone config is sorted we'll generate a Unifi user account for the backups, we can give this just basic view only access.

Docker Compose:

version: '3.1'
services:
  protect-backup-scaleway:
    image: ghcr.io/ep1cman/unifi-protect-backup
    container_name: unifi-protect-backup
    restart: unless-stopped
    environment:
      UFP_USERNAME: <username>
      UFP_PASSWORD: <password>
      UFP_ADDRESS: <Unifi-IP>
      UFP_SSL_VERIFY: 'false'
      RCLONE_DESTINATION: scaleway:<bucket-id/directory>
    volumes:
      - ./data:/data
      - /home/cyberhost/rclone.conf:/root/.config/rclone/rclone.conf:ro

You'll want to set the credentials, Unifi IP and the rclone path in the config.

Start it up: sudo docker compose up -d

You can check the logs with sudo docker compose logs

To prevent your bills going sky high you'll want to setup some lifecycle rules. I have this to move the videos to Glacier storage after 7 days and then delete after 180 days, this reduces my monthly costs to well below £1.

Scaleway Lifecycle Rules

That's it, you'll likely want to check periodically to ensure it is still backing up 😄