Kubernetes Backup and Disaster Recovery: Velero, Kasten, Trilio Compared

Alex Rivera March 7, 2026 6 min read

Kubernetes clusters fail. etcd gets corrupted, nodes disappear, someone runs kubectl delete namespace production without thinking twice. If you don’t have a tested backup and recovery strategy before any of those moments, you’re in for a very long night.

The good news: the Kubernetes backup ecosystem has matured significantly. You now have serious choices ranging from free, community-driven open source tools all the way to enterprise platforms with policy engines, multi-cloud mobility, and ransomware-hardened immutable storage. This guide cuts through the noise and helps you pick the right tool for your actual situation.

What Kubernetes Backup Actually Means

Kubernetes backup is more complex than traditional VM or file backup. A healthy Kubernetes backup strategy needs to capture three distinct layers:

  1. Cluster state: Namespaces, RBAC, CustomResourceDefinitions, ConfigMaps, Secrets, and everything in etcd
  2. Persistent volume data: The actual bytes inside your PVCs (databases, uploaded files, message queues)
  3. Application-aware consistency: Quiescing databases before snapshotting so you don’t capture a torn write

Backup without all three means your restored cluster will be broken in interesting and unpredictable ways. Keep that framing in mind as we walk through the tools.

Velero: The Open Source Standard

Velero (maintained by VMware under the CNCF umbrella, available at velero.io) is where most teams start, and for good reason. It’s free, battle-tested, and integrates cleanly with every major cloud provider.

The latest stable release as of early 2026 is Velero 1.18, which introduced concurrent backup processing and incremental backup size tracking, making it meaningfully faster for large clusters.

Getting Started Fast

Install Velero against an AWS-backed cluster in under five minutes:

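# Create your S3 bucket
BUCKET=my-velero-backups
REGION=us-east-1
# Outside us-east-1, create-bucket also needs:
#   --create-bucket-configuration LocationConstraint="$REGION"
aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"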

# Install Velero with the AWS plugin
velero install \
  --provider aws \
  --plugins velero/velero-plugin-for-aws:v1.10.0 \
  --bucket $BUCKET \
  --backup-location-config region=$REGION \
  --secret-file ./credentials-velero \
  --use-node-agent \
  --wait

Once installed, taking a cluster backup is a single command:

# Back up everything
velero backup create full-cluster-backup --include-namespaces '*'

# Back up a specific namespace on a schedule
velero schedule create nightly-production \
  --schedule="0 2 * * *" \
  --include-namespaces production \
  --ttl 720h

Velero uses either Restic or Kopia (your choice via --uploader-type) for file system-level backups of PVC data when CSI snapshots are not available. For most clusters on EKS, GKE, or AKS with CSI drivers, you can skip file system backup entirely and use native volume snapshots.
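The bucket created in the install step holds every Secret that Velero exports from the cluster, so its settings deserve a check before the first backup lands there. The audit below is an added example, not code from the original article or the Velero project; it assumes a configured AWS CLI, and the function names and the choice of checks are this example's own.

```shell
#!/bin/sh
# Audit the S3 bucket Velero writes to. Added example: function names and the
# set of checks are assumptions; the aws s3api subcommands are standard.
set -eu

# Run one read-only s3api query; print its text output, or nothing on error.
s3q() {
  aws s3api "$@" --output text 2>/dev/null || true
}

# Prints one line per finding; the return code is the number of findings.
audit_backup_bucket() {
  bucket="$1"
  findings=0

  # Backups contain Secrets: all four public-access-block flags must be True.
  pab="$(s3q get-public-access-block --bucket "$bucket" \
    --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]')"
  case "$pab" in
    ""|*False*|*None*)
      echo "FINDING: public access block is missing or incomplete"
      findings=$((findings + 1)) ;;
  esac

  # Versioning keeps earlier objects recoverable if backups are overwritten
  # or deleted with the credentials Velero itself holds.
  ver="$(s3q get-bucket-versioning --bucket "$bucket" --query Status)"
  if [ "$ver" != "Enabled" ]; then
    echo "FINDING: versioning is '${ver:-unknown}', expected Enabled"
    findings=$((findings + 1))
  fi

  # Default encryption should name an algorithm (AES256 or aws:kms).
  enc="$(s3q get-bucket-encryption --bucket "$bucket" \
    --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm')"
  case "$enc" in
    AES256|aws:kms|aws:kms:dsse) ;;
    *) echo "FINDING: no default server-side encryption rule"
       findings=$((findings + 1)) ;;
  esac

  return "$findings"
}

# Run only when a bucket name is passed on the command line.
if [ "$#" -gt 0 ]; then audit_backup_bucket "$1"; fi
```
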

Velero Pros and Cons

Pros: Free, open source, huge community, works with any Kubernetes distribution, excellent plugin ecosystem (AWS, GCP, Azure, MinIO, Ceph), supports GitOps-style declarative backup policies.

Cons: Velero does not have a built-in UI, policy management for large multi-cluster environments requires significant YAML overhead, and application-aware hooks require manual configuration per workload. Large-scale enterprise deployments tend to outgrow Velero’s operational model quickly.

Veeam Kasten (K10): The Policy-First Enterprise Platform

Kasten K10, now branded as Veeam Kasten, takes a fundamentally different approach. Where Velero is a CLI tool you wire together yourself, Kasten is a fully integrated data management platform with a web UI, policy engine, and multi-cluster dashboard.

Kasten installs as a set of Kubernetes-native services into your cluster:

helm repo add kasten https://charts.kasten.io/
helm repo update

helm install k10 kasten/k10 \
  --namespace kasten-io \
  --create-namespace \
  --set auth.basicAuth.enabled=true \
  --set auth.basicAuth.htpasswd='admin:$apr1$...'

After installation, access the UI at http://localhost:8080/k10/#/ via kubectl --namespace kasten-io port-forward service/gateway 8080:80.

Kasten’s key differentiator is application-awareness out of the box. It automatically discovers workloads, understands stateful application patterns (including databases via pre/post backup hooks), and lets you set recovery point objectives through a policy UI rather than hand-crafting YAML.

Kasten Pricing

Veeam Kasten offers a free trial covering up to 500 nodes for 60 days. Beyond that, pricing is node-based and requires contacting sales. It’s available through direct licensing and via AWS, Azure, Red Hat, and SUSE marketplaces, which can simplify procurement for teams with existing cloud spend commitments.

Kasten Pros and Cons

Pros: Best-in-class UI and operational workflow, policy-driven automation, excellent multi-cluster support, strong ransomware protection with immutable backups, application blueprints for databases like PostgreSQL and MongoDB.

Cons: Commercial product with opaque pricing, heavier resource footprint than Velero, not suitable for teams that prefer a GitOps-only workflow.

TrilioVault: Application-Centric and CSI-Native

Trilio for Kubernetes (TrilioVault, maintained by trilio.io) positions itself around application-centric recovery: instead of backing up namespaces and hoping for the best, Trilio captures entire applications as atomic units, including all associated Kubernetes objects, PVC data, and metadata.

Trilio is Kubernetes-native in the truest sense: it uses the CSI framework and core Kubernetes APIs rather than running agents outside the cluster lifecycle.

Key capabilities that stand out:

  • Immutable backups with granular, per-application immutability policies; encryption keys are stored as Kubernetes Secrets
  • Selective restore: recover specific containers or namespaces without restoring an entire backup
  • Multi-cloud targets: AWS S3, Azure Blob, GCS, IBM Cloud, and NFS/CSI backends
  • Available on AWS Marketplace, Azure Marketplace, IBM Cloud, and DigitalOcean Marketplace

Install via Helm:

helm repo add trilio https://charts.trilio.io/trilio
helm repo update
helm install triliovault-operator trilio/triliovault-operator \
  --namespace trilio-system \
  --create-namespace

Then define a BackupPlan as a CRD:

apiVersion: triliovault.trilio.io/v1
kind: BackupPlan
metadata:
  name: production-app-backup
  namespace: production
spec:
  backupNamespace: production
  backupConfig:
    target:
      name: s3-target
      namespace: trilio-system
    scheduleConfig:
      schedule:
        - "0 3 * * *"
    retentionConfig:
      latest: 7

Trilio’s pricing is annual and node/VM based; specific figures require contacting sales, but it’s available through major cloud marketplaces where you can apply existing credits.

Trilio Pros and Cons

Pros: Strongest application-consistency story, immutable backup support, good for regulated industries requiring audit trails, CSI-native design integrates cleanly with modern Kubernetes storage.

Cons: Smaller community than Velero, commercial pricing, documentation can lag behind feature releases.

Longhorn: Built-In Storage-Layer Backup

Longhorn (longhorn.io), maintained by SUSE and a CNCF graduated project, is primarily a distributed block storage solution. However, it includes built-in snapshot and backup capabilities that are worth understanding for teams already running Longhorn for storage.

Longhorn stores snapshots locally within each volume’s replica set, while backups go to an external S3-compatible store or NFS. This is not a full cluster backup solution (it does not capture Kubernetes object state), but for persistent volume data protection on bare-metal or edge clusters where you want a single solution for storage and basic backup, it’s compelling.

# Install via Helm
helm repo add longhorn https://charts.longhorn.io
helm repo update
helm install longhorn longhorn/longhorn \
  --namespace longhorn-system \
  --create-namespace

# Configure backup target in the UI or via settings:
kubectl -n longhorn-system edit settings backup-target
# Set to: s3://my-bucket@us-east-1/

Longhorn is 100% free and open source. Pair it with Velero for full cluster backup coverage.

KubeStash: Stash 2.0 by AppsCode

KubeStash (kubestash.com), the rebranded Stash 2.0 from AppsCode, takes a CRD-centric approach to Kubernetes backup. The latest release as of early 2026 is version 2026.2.26. AppsCode has committed to supporting the prior Stash codebase through December 2027, making this a viable choice for teams already invested in the ecosystem.

KubeStash supports a wide array of backends (AWS S3, GCS, Azure, DigitalOcean Spaces, Backblaze B2, MinIO) and encrypts all backup data with AES-256. It’s particularly strong for database backup: native addons for PostgreSQL, MySQL, MongoDB, Redis, and Elasticsearch allow application-consistent backups without manual hook configuration.

apiVersion: core.kubestash.com/v1alpha1
kind: BackupConfiguration
metadata:
  name: postgres-backup
  namespace: production
spec:
  target:
    apiGroup: apps
    kind: StatefulSet
    name: postgres
  backends:
  - name: s3-backend
    storageRef:
      name: s3-storage
      namespace: kubestash
  sessions:
  - name: nightly
    scheduler:
      schedule: "0 2 * * *"
    repositories:
    - name: postgres-repo
      backend: s3-backend
      encryptionSecret:
        name: encryption-secret
        namespace: kubestash

The core is open source; enterprise addons and support require a commercial license.

Comparison Table

| Tool | Best For | Pricing | Open Source? | Key Strength |
| --- | --- | --- | --- | --- |
| Velero | Teams wanting free, flexible CLI-driven backup | Free (pay for storage) | Yes (Apache 2.0) | Largest community, plugin ecosystem |
| Veeam Kasten | Enterprise multi-cluster with policy management | Node-based, contact sales; 500-node free trial | No | Best UI, application blueprints, ransomware protection |
| TrilioVault | Application-centric backup in regulated environments | Annual node/VM licensing, contact sales | No | Strongest consistency model, immutable backups |
| Longhorn | Edge/bare-metal clusters needing storage + basic PV backup | Free | Yes (CNCF) | Integrated storage and snapshot, zero extra tooling |
| KubeStash | Database-heavy workloads wanting declarative CRD backup | Free core; enterprise addons licensed | Partial | Native DB addons, AES-256 encryption, active development |
| Portworx PX-Backup | Enterprises already on Pure Storage/Portworx | Usage-based ~$0.20/node/hour; enterprise plans available | No | Deep Portworx storage integration, CSI-native |

Choosing the Right Tool

Best for startups and small teams

Start with Velero. It’s free, the community is massive, and you can be backing up to S3 within 30 minutes. Add a nightly scheduled backup, document your restore procedure, and test it monthly. That covers 95% of the scenarios you’ll actually face.

Best for mid-size teams with multiple clusters

Veeam Kasten or KubeStash, depending on your philosophy. Kasten wins on operational polish, and its UI makes it easy to onboard people who are not Kubernetes experts to recovery workflows. KubeStash wins if your team prefers fully declarative, GitOps-compatible configuration.

Best for enterprises in regulated industries

TrilioVault for its immutability model and audit trail capabilities, or Veeam Kasten for its enterprise support infrastructure and ransomware hardening. Both can satisfy financial and healthcare compliance requirements around data protection.

Best for bare-metal and edge clusters

Longhorn for storage-layer snapshots combined with Velero for cluster-level backup. This combination covers both PV data and Kubernetes object state without requiring cloud storage dependencies.

Best for database-first workloads

KubeStash gives you native addons for every major open source database, handling quiescing and consistency automatically. This removes the most error-prone part of Kubernetes backup: making sure your database is in a recoverable state when the snapshot fires.

One Thing All Tools Require: Tested Restores

Whatever tool you pick, schedule a restore drill. At minimum: delete a test namespace and recover it from backup on a monthly cadence. The worst possible time to discover your restore procedure doesn’t work is during an actual incident.

A backup that hasn’t been restored is not a backup. It’s a hope.
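The monthly drill described above, scripted for the Velero setup from earlier, as an added example that is not from the original article or the Velero project. The `drill-` namespace prefix guard, the list of compared resource kinds and the function names are assumptions; the script reads the Backup and Restore phase from the cluster instead of trusting the exit code of `--wait`.

```shell
#!/bin/sh
# Restore drill for a disposable namespace (added example; names are assumptions).
set -eu

VELERO_NS="${VELERO_NS:-velero}"   # namespace Velero is installed in (its default)
KINDS="deployments,statefulsets,services,configmaps,secrets,persistentvolumeclaims"

# Sorted "kind/name" list for a namespace: the before/after fingerprint.
inventory() {
  kubectl get "$KINDS" -n "$1" -o name | sort
}

# .status.phase of a Velero Backup or Restore object ($1 = backups|restores).
phase() {
  kubectl get "$1.velero.io" "$2" -n "$VELERO_NS" -o jsonpath='{.status.phase}'
}

restore_drill() {
  ns="$1"
  # Guard: this script deletes the namespace, so only accept drill-* names.
  case "$ns" in
    drill-*) ;;
    *) echo "refusing: $ns is not a drill-* namespace" >&2; return 2 ;;
  esac
  backup="$ns-$(date +%Y%m%d%H%M%S)"
  before="$(inventory "$ns")"
  [ -n "$before" ] || { echo "FAIL: $ns has nothing to back up" >&2; return 1; }

  velero backup create "$backup" --include-namespaces "$ns" --wait || return 1
  # Only delete the namespace once the backup is confirmed Completed.
  [ "$(phase backups "$backup")" = "Completed" ] || { echo "FAIL: backup phase" >&2; return 1; }

  kubectl delete namespace "$ns" --wait=true || return 1
  velero restore create "$backup-restore" --from-backup "$backup" --wait || return 1
  [ "$(phase restores "$backup-restore")" = "Completed" ] || { echo "FAIL: restore phase" >&2; return 1; }

  after="$(inventory "$ns")"
  if [ "$before" != "$after" ]; then
    echo "FAIL: objects differ after restore" >&2
    printf 'before:\n%s\nafter:\n%s\n' "$before" "$after" >&2
    return 1
  fi
  echo "PASS: $ns restored from $backup"
}

# Run only when a namespace is passed on the command line.
if [ "$#" -gt 0 ]; then restore_drill "$1"; fi
```

Matching object names prove the manifests came back, not that PVC contents are intact; follow the drill with an application-level check such as a row count or checksum.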

The tools above give you everything you need to build real resilience. Pick one, get it running, and then prove it works by restoring from it.
