DigitalOcean Spaces Setup
This tutorial guides you through setting up DigitalOcean Spaces as a storage destination for your FireBackup backups. Spaces offers S3-compatible object storage with a simple pricing model and built-in CDN.
What You'll Learn
- Create and configure a DigitalOcean Space
- Generate API credentials with appropriate permissions
- Configure CORS and lifecycle policies
- Enable CDN for faster restores (optional)
- Connect Spaces to FireBackup
Prerequisites
- A DigitalOcean account
- Access to FireBackup dashboard as an organization admin
doctlCLI installed (optional but helpful)
Time Required
Approximately 15-20 minutes
Step 1: Create a Space
Using DigitalOcean Console
-
Log in to DigitalOcean
-
Navigate to Spaces Object Storage in the left sidebar
-
Click Create a Space
-
Configure your Space:
Setting Recommended Value Datacenter region Choose closest to your users CDN Enable (optional, for faster restores) File Listing Restrict (private) Space name your-company-firebackup
- Click Create a Space
Available Regions
| Region | Location | Endpoint |
|---|---|---|
| nyc3 | New York | nyc3.digitaloceanspaces.com |
| sfo3 | San Francisco | sfo3.digitaloceanspaces.com |
| ams3 | Amsterdam | ams3.digitaloceanspaces.com |
| sgp1 | Singapore | sgp1.digitaloceanspaces.com |
| fra1 | Frankfurt | fra1.digitaloceanspaces.com |
| syd1 | Sydney | syd1.digitaloceanspaces.com |
Using doctl CLI
# Install doctl if not already installed
brew install doctl # macOS
# or
snap install doctl # Linux
# Authenticate
doctl auth init
# Create a Space (not directly supported, use API)
curl -X POST "https://api.digitalocean.com/v2/spaces" \
-H "Authorization: Bearer $DO_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "your-company-firebackup",
"region": "nyc3"
}'
Step 2: Generate Spaces Access Keys
Spaces uses separate API keys from your main DigitalOcean account.
Create Spaces Keys
-
Navigate to API in the left sidebar
-
Scroll to Spaces access keys
-
Click Generate New Key
-
Enter a name:
firebackup-access -
Click Create Access Key
-
Save both keys immediately!
- Access Key: Displayed on screen
- Secret Key: Only shown once!
The Secret Key is only displayed once. Save it securely before leaving the page.
Key Format
Your keys will look like:
- Access Key:
DO00XXXXXXXXXXXXXX - Secret Key:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Step 3: Configure CORS (Optional)
If you need browser-based access for restore previews, configure CORS.
Using the Console
-
Go to your Space → Settings
-
Scroll to CORS Configurations
-
Click Add
-
Configure:
Origin: https://app.firebackup.io
Allowed Methods: GET, PUT
Allowed Headers: *
Max Age: 3600
Using s3cmd
First, install and configure s3cmd:
# Install s3cmd
pip install s3cmd
# Configure for DigitalOcean Spaces
s3cmd --configure
When prompted, enter:
| Setting | Value |
|---|---|
| Access Key | Your Spaces access key |
| Secret Key | Your Spaces secret key |
| Default Region | US (doesn't matter for DO) |
| S3 Endpoint | nyc3.digitaloceanspaces.com |
| DNS-style bucket+hostname | %(bucket)s.nyc3.digitaloceanspaces.com |
Create a CORS configuration file cors.xml:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>https://app.firebackup.io</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedHeader>*</AllowedHeader>
<MaxAgeSeconds>3600</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>
Apply CORS:
s3cmd setcors cors.xml s3://your-company-firebackup
Step 4: Configure Lifecycle Rules
Set up lifecycle rules to automatically delete old backups and control costs.
Using the Console
-
Go to your Space → Settings
-
Scroll to Lifecycle Rules
-
Click Add Rule
-
Configure the rule:
Setting Value Prefix Leave empty for all objects Action Delete after X days Days Based on your retention policy
Example Rules:
| Prefix | Days | Purpose |
|---|---|---|
daily/ | 30 | Delete daily backups after 30 days |
weekly/ | 90 | Delete weekly backups after 90 days |
monthly/ | 365 | Delete monthly backups after 1 year |
Using s3cmd
Create lifecycle configuration lifecycle.xml:
<?xml version="1.0" encoding="UTF-8"?>
<LifecycleConfiguration>
<Rule>
<ID>DeleteDailyBackups</ID>
<Prefix>daily/</Prefix>
<Status>Enabled</Status>
<Expiration>
<Days>30</Days>
</Expiration>
</Rule>
<Rule>
<ID>DeleteWeeklyBackups</ID>
<Prefix>weekly/</Prefix>
<Status>Enabled</Status>
<Expiration>
<Days>90</Days>
</Expiration>
</Rule>
<Rule>
<ID>CleanupIncomplete</ID>
<Prefix></Prefix>
<Status>Enabled</Status>
<AbortIncompleteMultipartUpload>
<DaysAfterInitiation>7</DaysAfterInitiation>
</AbortIncompleteMultipartUpload>
</Rule>
</LifecycleConfiguration>
Apply lifecycle rules:
s3cmd setlifecycle lifecycle.xml s3://your-company-firebackup
Step 5: Enable CDN (Optional)
Enable CDN for faster backup downloads during restores.
Using the Console
-
Go to your Space
-
Click Settings
-
Under CDN, toggle Enable CDN
-
Configure:
- CDN Endpoint: Auto-generated (e.g.,
your-company-firebackup.nyc3.cdn.digitaloceanspaces.com) - TTL: 3600 seconds (1 hour)
- Custom Domain: Optional (e.g.,
backups.yourcompany.com)
- CDN Endpoint: Auto-generated (e.g.,
Custom Domain with SSL
- Add a CNAME record in your DNS:
backups.yourcompany.com → your-company-firebackup.nyc3.cdn.digitaloceanspaces.com
- DigitalOcean automatically provisions an SSL certificate via Let's Encrypt
Step 6: Connect to FireBackup
Using the Dashboard
-
Log in to FireBackup
-
Navigate to Settings → Storage
-
Click Add Storage Destination
-
Select DigitalOcean Spaces
-
Enter configuration:
Field Value Name Production Spaces Endpoint nyc3.digitaloceanspaces.com Bucket your-company-firebackup Access Key DO00XXXXXXXXXXXXXX Secret Key Your secret key Path Prefix backups/ (optional) -
Click Test Connection
-
Click Save
Using the API
curl -X POST https://api.firebackup.io/api/v1/storage \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Spaces",
"type": "spaces",
"config": {
"endpoint": "nyc3.digitaloceanspaces.com",
"bucket": "your-company-firebackup",
"accessKey": "DO00XXXXXXXXXXXXXX",
"secretKey": "your-secret-key",
"prefix": "backups/"
}
}'
Alternative: S3-Compatible Configuration
Since Spaces is S3-compatible, you can also use the S3 storage type:
curl -X POST https://api.firebackup.io/api/v1/storage \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Spaces (S3)",
"type": "s3",
"config": {
"bucket": "your-company-firebackup",
"region": "nyc3",
"endpoint": "https://nyc3.digitaloceanspaces.com",
"accessKeyId": "DO00XXXXXXXXXXXXXX",
"secretAccessKey": "your-secret-key",
"forcePathStyle": false,
"prefix": "backups/"
}
}'
Step 7: Verify the Setup
Run a Test Backup
-
Go to Projects in FireBackup
-
Select a project
-
Click Run Backup Now
-
Select your Spaces storage destination
-
Monitor the backup progress
Verify in Spaces Console
-
Go to your Space in DigitalOcean
-
Navigate to the backups folder
-
Verify the backup file exists
Using s3cmd
# List backups
s3cmd ls s3://your-company-firebackup/backups/ --recursive
# Check file details
s3cmd info s3://your-company-firebackup/backups/proj_abc123/2024-01-15/backup.enc
Expected output:
2024-01-15 10:30 1048576 s3://your-company-firebackup/backups/proj_abc123/2024-01-15/backup_full_1705312245.enc
Pricing Overview
DigitalOcean Spaces has simple, predictable pricing:
| Resource | Price |
|---|---|
| Storage | $5/month for 250 GB |
| Outbound Transfer | $5/month for 1 TB |
| Additional Storage | $0.02/GB/month |
| Additional Transfer | $0.01/GB |
Cost Example:
| Usage | Monthly Cost |
|---|---|
| 100 GB storage | $5 (included) |
| 200 GB storage | $5 (included) |
| 300 GB storage | $6 ($5 base + $1) |
| 500 GB transfer | $5 (included) |
Spaces is significantly cheaper than AWS S3 for most backup workloads, especially for storage-heavy use cases.
Troubleshooting
"Access Denied" Error
Cause: Incorrect Spaces access keys
Solution:
- Verify you're using Spaces keys, not API tokens
- Check the keys haven't been revoked
- Regenerate keys if needed
"Bucket Not Found" Error
Cause: Wrong Space name or region endpoint
Solution:
# Verify the Space exists
s3cmd ls
# Check the endpoint matches the region
# nyc3 → nyc3.digitaloceanspaces.com
# sfo3 → sfo3.digitaloceanspaces.com
"SignatureDoesNotMatch" Error
Cause: Incorrect secret key or endpoint format
Solution:
- Double-check the secret key (no extra spaces)
- Ensure endpoint uses HTTPS
- Verify region in endpoint matches Space region
Slow Upload Speeds
Cause: Region mismatch or large files
Solution:
- Choose a region closer to your FireBackup deployment
- Enable multipart uploads (automatic for files > 5MB)
- Check network connectivity
Security Best Practices
Restrict File Listing
By default, new Spaces have file listing restricted. Verify this setting:
- Go to Space Settings
- Ensure File Listing is set to Restrict
Enable Encryption
Spaces encrypts all data at rest by default using AES-256. No additional configuration needed.
Access Key Rotation
Regularly rotate your Spaces access keys:
- Generate a new key pair
- Update FireBackup with new credentials
- Test that backups work
- Revoke the old key
IP Allowlisting (Enterprise)
For enterprise deployments, consider using a firewall to restrict access:
# Add firewall rule to Droplet/App running FireBackup
doctl compute firewall create \
--name firebackup-spaces \
--inbound-rules "protocol:tcp,ports:443,address:your-spaces-endpoint"
Comparison with Other Providers
| Feature | DO Spaces | AWS S3 | GCS |
|---|---|---|---|
| Pricing Model | Flat + overage | Pay per GB | Pay per GB |
| Free Tier | 250 GB + 1 TB | 5 GB (12 months) | 5 GB |
| Regions | 6 | 30+ | 30+ |
| Storage Classes | 1 | 6 | 4 |
| Lifecycle Rules | Basic | Advanced | Advanced |
| CDN | Built-in | CloudFront (extra) | Cloud CDN (extra) |
Next Steps
- Configure backup schedules for automatic backups
- Set up webhooks for backup notifications
- Enable PITR for point-in-time recovery
Related
- AWS S3 Setup - Alternative with more features
- GCS Setup - Google Cloud option
- Storage API Reference - API documentation