Skip to main content

Installing Pluton PRO on Linux Servers

This guide covers installing Pluton PRO on headless Linux servers without a desktop environment.

Prerequisites

  • A valid Pluton PRO license key
  • Linux server (x86_64 or arm64 architecture)
  • Minimum GLIBC Version: 2.29+ (check with ldd --version)
  • Root/sudo access
  • systemd (most modern Linux distributions)
  • curl
  • setcap from libcap2-bin/libcap (installed by default on many distributions)

Interactive Installation

curl -sSL "https://dl.usepluton.com/server-pro/scripts/install.sh?license=YOUR_LICENSE_KEY" | sudo bash

Replace YOUR_LICENSE_KEY with your actual Pluton PRO license key. The license key is validated when downloading the installer.

Follow the prompts to configure:

  • License key (for storage and future upgrades)
  • Server port (default: 5173)
  • Max concurrent backups (default: 2)
  • Encryption key (min 12 characters)
  • Admin username
  • Admin password

The installer runs with sudo so it can place binaries, create a systemd service, and set file permissions. The Pluton PRO service itself runs as the dedicated non-root pluton system user.

Non-Interactive Installation

For automated deployments, provide all configuration via command line:

curl -sSL "https://dl.usepluton.com/server-pro/scripts/install.sh?license=YOUR_LICENSE_KEY" | sudo bash -s -- \
    --license "YOUR_LICENSE_KEY" \
    --port 5173 \
    --max-concurrent 2 \
    --encryption-key "your-secure-encryption-key" \
    --user admin \
    --password "your-secure-password" \
    --non-interactive

Installation with Config File

Create a configuration file (e.g., /tmp/pluton.env):

PLUTON_LICENSE_KEY=your-license-key
PLUTON_ENCRYPTION_KEY=your-secure-encryption-key
PLUTON_USER_NAME=admin
PLUTON_USER_PASSWORD=your-secure-password
SERVER_PORT=5173
MAX_CONCURRENT_BACKUPS=2

Then install:

curl -sSL "https://dl.usepluton.com/server-pro/scripts/install.sh?license=YOUR_LICENSE_KEY" | sudo bash -s -- \
    --config /tmp/pluton.env --non-interactive

The installer stores PLUTON_ENCRYPTION_KEY separately in /etc/pluton/pluton.enc.env and writes the license key plus the remaining credentials to /etc/pluton/pluton.env.

Least-Privilege Linux Runtime

Linux server installs use a least-privilege model:

  • The systemd service runs as the dedicated pluton user and group, not as root.
  • Runtime data under /var/lib/pluton/ and sensitive environment files under /etc/pluton/ are owned by pluton with restrictive permissions.
  • /usr/bin/pluton-helper is installed for narrow elevated operations such as privileged restores, root-approved hook scripts, and ReaR rescue backups.
  • Root-only hook scripts and ReaR commands require explicit sudoers opt-in.

Local Backup Destinations

If you store backups in a local mounted path, external drive, or another directory outside /var/lib/pluton, grant the pluton user write access to that destination:

sudo apt update && sudo apt install acl -y
sudo setfacl -R -m u:pluton:rwx,d:u:pluton:rwx /path/to/pluton-backups

Replace /path/to/pluton-backups with your actual local backup destination.

Root Hook Scripts

Normal plan scripts run as the pluton user. If a script needs root privileges, enable root execution in the plan settings and allow only that script through sudoers:

sudo tee /etc/sudoers.d/pluton-helper-scripts >/dev/null <<'EOF'
pluton ALL=(root) NOPASSWD: /usr/bin/pluton-helper run-script /usr/local/libexec/pluton-hooks/pre-backup-root.sh
EOF
sudo chmod 440 /etc/sudoers.d/pluton-helper-scripts
sudo visudo -c -f /etc/sudoers.d/pluton-helper-scripts

Use a root-owned script path, and add one sudoers line per script that should be allowed to run as root.

ReaR Rescue Backups

Full Linux server backups use ReaR and require root access. Add these sudoers rules only on systems where you use bare-metal rescue backups:

sudo tee /etc/sudoers.d/pluton-helper-rear >/dev/null <<'EOF'
pluton ALL=(root) NOPASSWD: /usr/bin/pluton-helper run-rear mkbackup --config /var/lib/pluton/config/rear-config-*.conf --tmpdir *
pluton ALL=(root) NOPASSWD: /usr/bin/pluton-helper run-rear mkbackuponly --config /var/lib/pluton/config/rear-config-*.conf --tmpdir *
pluton ALL=(root) NOPASSWD: /usr/bin/pluton-helper run-rear checklayout --config /var/lib/pluton/config/rear-config-*.conf --tmpdir *
EOF
sudo chmod 440 /etc/sudoers.d/pluton-helper-rear
sudo visudo -c -f /etc/sudoers.d/pluton-helper-rear

Network Configuration

Pluton PRO requires two ports for full functionality:

PortPurpose
5173Web interface (configurable)

Firewall Configuration

# UFW (Ubuntu/Debian)
sudo ufw allow 5173/tcp

# firewalld (RHEL/CentOS/Fedora)
sudo firewall-cmd --permanent --add-port=5173/tcp
sudo firewall-cmd --reload

File Locations

PathDescription
/opt/pluton/Application binaries
/usr/bin/pluton-helperLeast-privilege helper for elevated Linux tasks
/var/lib/pluton/Data directory (database, logs, backups)
/etc/pluton/pluton.envLicense key plus admin username and password (secured, mode 600)
/etc/pluton/pluton.enc.envUser encryption key (secured, mode 600)
/var/lib/pluton/config/config.jsonNon-sensitive configuration
/var/lib/pluton/logs/Application logs

Custom Domain with Reverse Proxy

To access Pluton PRO via a custom domain (e.g., backups.example.com), set up a reverse proxy that forwards traffic to Pluton's local port.

Nginx

First Install Nginx:

sudo apt install nginx   # Debian/Ubuntu
sudo dnf install nginx   # RHEL/Fedora

And then create /etc/nginx/sites-available/pluton:

server {
    listen 80;
    server_name backups.example.com;

    location / {
        proxy_pass http://127.0.0.1:5173;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    client_max_body_size 0;
}

Enable the site and reload:

sudo ln -s /etc/nginx/sites-available/pluton /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

Caddy (Alternative)

Caddy provides automatic HTTPS with no extra configuration.

First install Caddy:

sudo apt install caddy   # Debian/Ubuntu
sudo dnf install caddy   # RHEL/Fedora

Then create /etc/caddy/Caddyfile:

backups.example.com {
   reverse_proxy 127.0.0.1:5173
}

Reload with sudo systemctl reload caddy. Caddy automatically provisions and renews SSL certificates.

Apache (Alternative)

First install Apache:

sudo apt install apache2   # Debian/Ubuntu
sudo dnf install httpd     # RHEL/Fedora

Enable required modules and create /etc/apache2/sites-available/pluton.conf:

sudo a2enmod proxy proxy_http proxy_wstunnel
<VirtualHost *:80>
   ServerName backups.example.com
   ProxyPreserveHost On
   ProxyPass / http://127.0.0.1:5173/
   ProxyPassReverse / http://127.0.0.1:5173/

   RewriteEngine On
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteRule /(.*) ws://127.0.0.1:5173/$1 [P,L]
</VirtualHost>
sudo a2ensite pluton && sudo systemctl reload apache2

SSL Certificate with Let's Encrypt

If using Caddy, SSL is automatic — no extra steps needed.

For Nginx or Apache, use Certbot:

# Install certbot
sudo apt install certbot python3-certbot-nginx   # Nginx
sudo apt install certbot python3-certbot-apache  # Apache

# Obtain and install certificate
sudo certbot --nginx -d backups.example.com   # Nginx
sudo certbot --apache -d backups.example.com  # Apache

Certbot automatically configures SSL and sets up auto-renewal via a systemd timer. Verify renewal works:

sudo certbot renew --dry-run
tip

Ensure your domain's DNS A record points to your server's public IP address before requesting a certificate.

Uninstalling

curl -sSL https://dl.usepluton.com/server-pro/scripts/uninstall.sh | sudo bash

For automated removal including all data:

curl -sSL https://dl.usepluton.com/server-pro/scripts/uninstall.sh | sudo bash -s -- \
    --remove-data --non-interactive

Or use the local uninstall script:

sudo /opt/pluton/uninstall.sh

Managing the Service

# Check status
sudo systemctl status pluton

# Stop service
sudo systemctl stop pluton

# Start service
sudo systemctl start pluton

# Restart service
sudo systemctl restart pluton

# View logs
sudo journalctl -u pluton -f

Updating

curl -sSL "https://dl.usepluton.com/server-pro/scripts/install.sh?license=YOUR_LICENSE_KEY" | sudo bash -s -- --upgrade

This preserves your credentials, license, and data while updating the binaries.

Upgrading from Pluton (Free)

If you have an existing Pluton installation and want to upgrade to Pluton PRO, see Upgrading to Pluton PRO.