Cloudflare R2

Store backups in Cloudflare R2 - S3-compatible object storage with zero egress fees.

Configuration

Credential Profile required

Cloudflare R2 requires a Credential Profile of type ACCESS_KEY. Create one in Settings → Vault → Credentials before saving the destination.

Field	Description	Default	Required
Name	Friendly name for this destination	-	✅
Account ID	Cloudflare Account ID	-	✅
Bucket	R2 bucket name	-	✅
Jurisdiction	Bucket jurisdiction: Standard, EU, or FedRAMP	Standard	❌
Primary Credential	ACCESS_KEY credential profile (R2 API token Access Key ID + Secret)	-	✅
Path Prefix	Folder path within the bucket	-	❌

EU Jurisdiction

Buckets created with the EU jurisdiction use the *.eu.r2.cloudflarestorage.com endpoint. If the jurisdiction setting does not match your bucket's actual location, you will get "Access Denied" or "bucket does not exist" errors.

Setup Guide

1. Create an R2 bucket in the Cloudflare Dashboard → R2 → Create bucket
2. Create an API token: Go to R2 → Manage R2 API Tokens → Create API token
   • Select Object Read & Write permission
   • Scope to your specific bucket (recommended)
   • Copy the Access Key ID and Secret Access Key
3. Create an ACCESS_KEY credential profile in Settings → Vault → Credentials with those keys (guide)
4. Copy your Account ID from the Cloudflare Dashboard sidebar (top-right of any page)
5. Go to Destinations → Add Destination → Cloudflare R2
6. Enter Account ID and Bucket, select the Jurisdiction matching your bucket, then select the credential profile in the Primary Credential picker
7. (Optional) Set a Path Prefix for organizing backups
8. Click Test to verify the connection

Zero Egress Fees

R2 has no egress fees, making it ideal for backups you may need to restore frequently. Unlike AWS S3, downloading your backups is always free.

How It Works

• DBackup connects to the R2 endpoint https://<accountId>.r2.cloudflarestorage.com automatically
• Uses S3-compatible API - uploads via multipart for large files
• All credentials are stored AES-256-GCM encrypted in the database

Troubleshooting

AccessDenied

Access Denied (403)

Solution: Verify the API token has Object Read & Write permission and is scoped to the correct bucket.

InvalidAccessKeyId

The AWS Access Key Id you provided does not exist

Solution: Ensure you're using the R2 API token credentials (not your Cloudflare Global API Key). Regenerate the token if needed.

Wrong Account ID

Could not connect to endpoint

Solution: The Account ID is visible in the Cloudflare Dashboard sidebar. Don't confuse it with the Zone ID.

Next Steps

• Enable Encryption
• Configure Retention
• Storage Explorer