bkpdb

What's actually inside your Postgres data directory

Tue, 12 May 2026 00:00:00 +0000

When you install Postgres, run initdb, and start it up, all of your data lives inside one directory. The Postgres documentation calls it “the data directory.” The environment variable points at it: PGDATA. On Debian it’s at /var/lib/postgresql/16/main. On macOS via Homebrew it’s /opt/homebrew/var/postgresql@16. Inside a Docker image it’s wherever the volume is mounted. Wherever you find it, the contents look about the same: a couple of dozen short, cryptic directory names, a handful of config files, and a little file called PG_VERSION that’s there to keep you honest.

v0.5.3

Sat, 09 May 2026 00:00:00 +0000

v0.5.2

Wed, 22 Apr 2026 00:00:00 +0000

Why we restore every backup, every week

Wed, 22 Apr 2026 00:00:00 +0000

Editor’s note. Verified restores are a roadmap feature, not a shipped one. The agent and storage pipeline exist; the scheduled verifier on the control plane does not yet. This essay is the working principle that shapes how we are building it.

For the first six months of bkpdb’s development, we had a perfectly respectable backup pipeline that nobody had ever asked to give anything back. Files appeared in a bucket on schedule. The control plane recorded their sizes and their checksums. The dashboard showed a calm row of green ticks. By every measure we had bothered to define, the product worked.

v0.5.1

Wed, 25 Mar 2026 00:00:00 +0000

v0.5.0

Thu, 26 Feb 2026 00:00:00 +0000

v0.4.1

Thu, 22 Jan 2026 00:00:00 +0000

v0.4.0

Thu, 18 Dec 2025 00:00:00 +0000

v0.3.0

Tue, 25 Nov 2025 00:00:00 +0000

v0.2.0

Mon, 20 Oct 2025 00:00:00 +0000

v0.1.0

Mon, 15 Sep 2025 00:00:00 +0000

Privacy

Mon, 01 Jan 0001 00:00:00 +0000

Effective. 12 May 2026.
Form. This notice is written to be read by people, in the order in which they tend to want to know things. The structural clauses are at the end, where they belong.

❦1. The shape of the promise❦

Most privacy notices read like a confession dressed as a disclosure. This one is set up the other way around: we begin with what we have built the product so that we cannot see, and only then describe what we hold.

Security

Mon, 01 Jan 0001 00:00:00 +0000

Effective. 12 May 2026.
Status. bkpdb is in beta. The threat model and the cryptography below describe the architecture as it ships today; the operational maturity is still being built out. Where the two diverge, this page says so.

❦1. The defining principle❦

A managed-backup company is only as trustworthy as the worst thing one of its engineers can do at 3 a.m. after a bad week. We took that observation seriously when we drew the architecture, and the result is a system in which the bkpdb company (including its own database, its own engineers, and its own infrastructure) cannot read a customer’s backup contents using its own resources.

Terms of Service

Mon, 01 Jan 0001 00:00:00 +0000

Effective. 12 May 2026.
Status. bkpdb is in beta. These terms apply to that beta. They will be revised on general availability. The substantive promises here will not get less protective of you between now and then; what we may add are the structural pieces a v1.0 contract needs (registered legal entity, governing jurisdiction, dispute mechanics).

❦1. What this is❦

These Terms of Service (“Terms”) govern your access to and use of the bkpdb product: the agent binary, the control plane (the dashboard and APIs at bkpdb.com and its subdomains), the documentation, and anything else we publish under the bkpdb name. By using any of it, you agree to these Terms. If you do not, do not use the service.

What bkpdb backs up today, and what is next

Mon, 01 Jan 0001 00:00:00 +0000

❦Supported today❦

PostgreSQL

13 · 14 · 15 · 16 · 17 · 18

Logical backups via pg_dump, custom format. The agent fetches a matching dump binary for the server’s major version on demand, from a signed registry, so you do not have to install anything alongside it.

Available|Self-hosted Postgres|Logical, v1

❦Next for Postgres❦

Point-in-time recovery

base backup + WAL

Continuous WAL streaming on top of the scheduled base backup. Recover to a specific second by picking a base and replaying WAL up to a timestamp or LSN. Target RPO is measured in seconds, set by how aggressively WAL is shipped, not by the daily schedule. Lands after verified restores.

What bkpdb does, in detail

Mon, 01 Jan 0001 00:00:00 +0000

❦The Agent❦

Plate I. A small static binary that lives on the database host. It listens on no ports. It speaks outbound mTLS to the control plane for heartbeats and configuration, talks to the database it tends, and to your storage destination. It does nothing else, and it requires no root and no system service to run.

The agent in situFig. 1

                    ┌─ database host ─────────────────────────────┐
                    │                                             │
   ╔══════════╗     │   ┌──────────┐         ┌─────────────────┐  │
   ║ control  ║◀──mTLS──│  agent   │────────▶│   PostgreSQL    │  │
   ║  plane   ║     │   │          │         │   (read role)   │  │
   ╚══════════╝     │   └────┬─────┘         └─────────────────┘  │
                    │        │                                    │
                    │        │ stream:  pg_dump → zstd → encrypt  │
                    │        ▼                                    │
                    │   ┌──────────┐                              │
                    │   │  upload  │──────▶ your bucket / SFTP    │
                    │   └──────────┘                              │
                    │                                             │
                    └─────────────────────────────────────────────┘

         no inbound ports         no plaintext on disk        no shared keys

The agent listens on no ports. The control plane never sees backup plaintext.