Backing up multiple PCs and Macs to AWS with Arq
With CrashPlan discontinuing their home options, many people are left looking for a good, cost-effective way to back up multiple home computers.
This post will help you back up your systems to AWS, using Arq.
Goals:
- It has to be somewhat cost effective.
- It must be encrypted on the client side, before being uploaded.
- It has to enforce “least privilege”, meaning no system should be able to access the backups of other systems directly, to ensure a compromised system won’t be able to reach the data from all of your machines.
Not goals:
- Being the simplest, most user-friendly solution, or even the cheapest solution.
- Being the easiest way to use AWS with Arq.
- Being the most secure and granular way to use AWS with Arq.
Pre-requisites:
- An AWS Account. I recommend creating one with an email address dedicated for AWS, not using your Amazon shopping account, but both work. Turn on 2FA no matter what.
- An evaluation copy of Arq, installed on a Mac or Windows machine.
Getting started
1. Create a storage bucket for the first computer you will back up.
Navigate to the S3 Management Console. Make sure you select the region you actually want to use.
Click Create Bucket.

Give the bucket a name. Remember, you are creating one bucket for one computer. Make the name as precise as you need to remember that it is for one computer, not all of them. Select your preferred region again.
Click Next.

For beginners, do not enable any of the options on this screen. Arq will manage retention itself. More experienced AWS users can experiment with Versioning, to protect against accidental backup deletion or overwriting, and can enable bucket logging for security monitoring and investigation purposes.
Click Next.

Ensure that only your “owner” User ID has permissions, and that public and system permissions are not granted.
Click Next, review your settings, then click Create Bucket.
2. Create an IAM user for our backups to use on the first machine.
To ensure our machine can back up to that bucket, we need to create an account with AWS keys that can only access that bucket.

First, create the user by going to the IAM Console. Make sure you grant it Programmatic Access but no Management Console Access.

Click Attach existing policies directly, then click Create Policy. Then select Create your own policy.
The first policy we will create will be called ListGlacierVaults. This policy will grant this user access to list all your Glacier Vaults. If you are using an AWS environment that is heavily used for other reasons, you may want to make this more granular.
Paste this policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "glacier:ListVaults"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
Hit Validate Policy to ensure no JSON errors are present.
Go back to the user creation tab you still have open.

Select your ListGlacierVaults policy. Click Create Policy again and repeat the same process for a policy called RW_BucketName. Again, this policy is a bit too broad, since it allows the account to list all your S3 buckets; for most home users this is not an issue. In the policy below, replace “bucketname” with the actual name of your bucket:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::bucketname",
                    "arn:aws:s3:::bucketname/*"
                ]
            }
        ]
    }
Create the policy, go back to your user creation screen, select the two policies we have just created, and click Next.

Ensure the user is created with programmatic access only, and that the two managed policies are linked.
Click Create User.

You now have access to the Access Key ID, as well as the Secret that goes with it. These are essentially the username and password Arq will use to back this machine up. You do not need to store these for recovery: if you ever lose them, they can be re-generated, unlike encryption keys, as long as you retain administrative access to your AWS account.
3. Install Arq
Download and install Arq. I won’t cover this as it is very straightforward.
4. Configure Arq to back up to AWS
The screenshots in this section are of the Windows version because that was the easiest VM to spin up for me for testing, but the Mac UI is almost identical.
Quite simply, when running Arq for the first time, select Amazon S3 and Glacier as a destination. Paste the AWS Access Key ID and Secret Access Key for the user we previously created.
You’ll see that the “Use existing bucket” pulldown menu contains all of your buckets, due to the policy we created. This account, however, can only write to one! Select the right bucket, and click Add.
Select the Glacier storage class, so Arq will offload data to Glacier to reduce backup cost (note: it could increase restoration cost; AWS pricing is sometimes hard to predict until you enter actual numbers in their calculator).
The last step is to pick a very long, unique encryption password. If this password is lost, recovery will not be possible, so store it safely and securely. Use different ones for every computer. This is what will protect your data if the permissions to access it fail you, if there was a security issue with AWS, or if you accidentally granted access to the S3 bucket.






What is left is selecting what you want to back up, and customizing some of the options. Personally, I configure the budget option to about $10–15 per computer. Remember, since we are using individual IAM accounts, each instance of Arq is unable to see the other backups, so this is per machine.
You will now see the backup process, and if you browse to the S3 Console, you can see objects are being uploaded to it.
5. What’s next?
Simply repeat every step, for every computer you want to back up. You can keep the same policy used to grant access to list all the vaults, since it is not customized.
You now have every computer backing up to one AWS account, in separate buckets, with separate IAM credentials and separate encryption keys.
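To check that isolation before attaching the policies, the following added example (not from the original post or from Arq) builds the RW_BucketName policy for each computer and tests, with a simplified Allow-only matcher, whether any machine's policy reaches another machine's bucket. The bucket names, machine names and helper functions are assumptions made for illustration.

```python
import re

DATA_ACTIONS = ("s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject")

def rw_bucket_policy(bucket):
    """The post's RW_BucketName policy with the bucket name filled in."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": [arn, arn + "/*"]},
    ]}

def _match(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is any single character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Simplified check: does any Allow statement cover this action on this ARN?
    Deny, NotAction, NotResource and Condition are ignored (the post's policies use none)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_match(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def cross_access(policies, buckets):
    """List (machine, foreign_bucket, action) where a policy reaches another machine's bucket."""
    found = []
    for machine, policy in policies.items():
        for owner, bucket in buckets.items():
            if owner == machine:
                continue
            for action in DATA_ACTIONS:
                arn = f"arn:aws:s3:::{bucket}"
                if action != "s3:ListBucket":
                    arn += "/sample-object"  # constructed object key
                if allows(policy, action, arn):
                    found.append((machine, bucket, action))
    return found

# Constructed bucket names, one per computer as in the post.
BUCKETS = {"macbook": "example-arq-macbook", "desktop": "example-arq-desktop"}
POLICIES = {m: rw_bucket_policy(b) for m, b in BUCKETS.items()}

if __name__ == "__main__":
    print(cross_access(POLICIES, BUCKETS))
```

An empty list means no machine's policy covers another machine's bucket. Passing a wildcard such as "example-arq-*" as the bucket name shows how a loose resource pattern breaks that separation.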
Once that is set up, you can easily create new buckets and even provide a destination for relatives to back up to.
Remember that Arq keeps at least 1 backup, even if it goes above budget.
Once you are more familiar with AWS, you can start playing with Archiving, S3 replication to ensure your data is in more than one location, and much more.
6. TEST RESTORING
After this has been running for a few days, attempt to recover data from a completely different machine. As we all know, untested backups are not backups.
To do this, I would recommend installing Arq, changing the secret access key, recovering the encryption key and performing a restore. You will then need to reconfigure the access key on the actual machine being backed up. Alternatively, you could create a restore IAM account with access to the same bucket and then delete it.
