Keep using Photos.app like you always do. Attic quietly backs up your originals and edits to an S3 bucket you control. One-way, append-only. A safety net, not a second photo manager.
brew install tijs/tap/attic
Attic is a command-line tool that backs up your iCloud Photos library to S3-compatible object storage. It exports original and edited files via PhotoKit and uploads them with full metadata. Incremental by default — it only uploads what's new.
Exports both the original and the edited version of your photos and videos. No recompression, no quality loss. What you shot — and what you made of it — gets stored.
Each asset is uploaded alongside a JSON file with EXIF data, dates, location, album membership, dimensions, and file hashes.
A local manifest tracks what's been backed up. Subsequent runs skip known assets and only upload what's changed or new.
A built-in verify command checks S3 objects against the manifest. Run it with --deep to re-check SHA-256 hashes on every file.
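What a deep check catches that a listing-only check cannot, shown as an added example that is not Attic's own code. The manifest layout, the object keys, and the assumption that a shallow check compares only presence and size are all illustrative; the page does not describe Attic's real formats.

```python
import hashlib

# Constructed sample data. The manifest layout (key -> size and sha256) is an
# assumption for illustration; it is not Attic's documented format.
def _entry(data: bytes) -> dict:
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

ORIGINALS = {
    "originals/IMG_0001.heic": b"photo-one-bytes",
    "originals/IMG_0002.mov": b"video-two-bytes",
    "originals/IMG_0003.jpg": b"photo-three-bytes",
}
MANIFEST = {key: _entry(data) for key, data in ORIGINALS.items()}

# Simulated bucket contents: one object is missing, one has a changed byte
# but the same length, so a size-only check cannot see the damage.
BUCKET = {
    "originals/IMG_0001.heic": b"photo-one-bytes",
    "originals/IMG_0003.jpg": b"photo-thrEe-bytes",
}


def verify(manifest: dict, bucket: dict, deep: bool = False) -> dict:
    """Return {key: problem} for every manifest entry that fails the check.

    Shallow mode (assumed) looks only at presence and size, which an object
    listing provides without downloading. Deep mode also re-hashes content.
    """
    problems = {}
    for key, expected in manifest.items():
        data = bucket.get(key)
        if data is None:
            problems[key] = "missing"
        elif len(data) != expected["size"]:
            problems[key] = "size mismatch"
        elif deep and hashlib.sha256(data).hexdigest() != expected["sha256"]:
            problems[key] = "hash mismatch"
    return problems


if __name__ == "__main__":
    print("shallow:", verify(MANIFEST, BUCKET))
    print("deep:   ", verify(MANIFEST, BUCKET, deep=True))
```

The same-length corruption in the third object passes the shallow check and is reported only when hashes are recomputed.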
Attic is a standalone macOS binary that orchestrates a four-step pipeline. It uses PhotoKit directly to export photos and videos from your library, then uploads them to your S3 bucket.
Reads Photos.sqlite to discover all assets, their types, sizes, and iCloud status.
Compares the database against the local manifest to find assets that haven't been backed up yet.
Uses PhotoKit to export original and edited files to a staging directory.
Uploads each original + metadata JSON to your S3 bucket, then updates the manifest.
S3 access keys are stored in the macOS Keychain. Never in config files, never in environment variables. The config file only holds the endpoint, region, and bucket name.
If a photo or video isn't downloaded locally, Attic requests it from iCloud via PhotoKit. This means it can back up your entire library, not just what's on disk.
Attic uses Photos.sqlite and the macOS Keychain. It runs on any Mac with a Photos library — your daily driver or a dedicated machine.
Install Attic with brew install tijs/tap/attic. It's a standalone binary — no runtime dependencies.
Any S3-compatible provider works. Create a bucket, generate API keys, and run attic init to configure.
Any S3-compatible storage works. If you want your backups in the EU, these are solid options. If you already have AWS, that works too.
Everything runs through the attic command. Set up once, then it's just attic backup and occasionally attic verify.
Got a Mac mini sitting around after your OpenClaw experiments? Sign into iCloud Photos on it and let Attic run daily backups via launchd. See the unattended backups guide for the full setup.