Backing up MIAB via SFTP

Sorry my linux skills are very limited i’m running into an issue where i use WinSCP to manually backup files and auto FTP Manager to automate the backup of the files but everytime i try to backup the files i’m getting file permission error and can’t download the file/folder. i’m using the standard setup of /home/user-data/backup/encrypted to backup

What is the user you are connecting to MIAB with?

Should probably be root.

I’m using the default login i created at setup, but not using the username root. i though its good to leave that account disabled by default? should i re-enable it?

1 Like

I think that you cannot login using root on a Ubuntu based system. That means that you have to make WinSCP do a sudo. There is some info on this here:

I toyed with this earlier this week but could not make it work right away. Not by re-owning the backup files to my default user, and not by making sudo work with WinSCP. Then I managed to make backup via rsync to my NAS working, so I did not pursue this any longer. But I still would be interested in a way to WinSCP to MAIB, for one of these days these backup files might need to be transferred back to the mailserver :slight_smile:

Kind regards,


@Woody and @MattF
Depending on the flavor of Ubuntu (Digital Ocean, Linode, Amazon, etc.) the default user is either “ubuntu” or “root”

MIAB doesn’t create another user and so the user you used to log in to the machine to initially install MIAB is the only user you will ever be able to log into the machine with unless you explicitly add another linux user.

The backup directory on a fresh MIAB installation is owned by root. How to configure WinSCP is beyond me though.

I use my own hardware on which I installed Ubuntu from scratch. You then end up with a non-root user that has the rights to sudo to root with the same password as that user. I could not figure out how to get WinSCP (or Syncovery, the automated backup program I use for the rest of my data) to log in as the non-root user and then perform a sudo to get access to the backup files.

Taking into account that these files are encrypted they probably could safely be put into a less closed-off directory to make it simpler to get them off the server using tools like WinSCP. But as stated, I solved the problem another way :slight_smile:

This is a legitimate question imho. Using SFTP/WinSCP does not work to download the backup folder due to permission issues. Although it is mentioned in the maintenance description: “Copy that file onto your new box. Any SFTP program like FileZilla can help you with that. (SFTP is like SSH, so you will use the same login credentials as you use with SSH.)”.
@JoshData is changing the permission of the folder an option? … guess not due to security reasons.

SFTP should allow you to sudo to root and then copy folder…

while it should be possible to start SFTP with sudo, it is hard to find a GUI client that supports that. :neutral_face:

This looks promising for your needs:

Another option is to enable root, which can be done easily in Ubuntu 14.04, however make sure you create a secure password. You will also have to give root the ability to SSH. Let me know if you would like to know how to do that.

Use pubkey auth, not a password with root.

1 Like

Yes, that is a much better way to use root.

WinSCP works on linux, but scp is also a linux and Mac tool.

An old thread but came up when I did a search re backups and sftp and haven’t seen much else around so will post my solution here, maybe helpful for others.

I recently did a clean MIAB install on the latest Ubuntu 18.04. I’m looking to pull backups off the server rather than push them from the server to another location.

Having poked around a bit I found the files in /home/user-data/backup/encrypted around owned by user-data and belong to the root group. Not keen on opening root or changing the permissions of those files so I had a look at the user-data user and it was simple enough to add an authorized_keys entry and remotely login via the key. Then I switched my backuppc rsync to use user-data rather than root and job done.

In a simple summary on the client you need to generate a key, if don’t already have one:


Copy the generated key to the MIAB server using any method you like. The contents of the copied file need to end up in:


If this is a new install you’ll likely find the last directory and file don’t exist so you can create the directory and rename your file, otherwise you can append the contents of your new key to the existing file.

Plenty of detailed instructions out there like this one cover the key setup and transfer.

I locked mine down to IP address as well using the from="x.x.x.x" format but again better write ups of the authorized_keys features for restrictions already exist such as these