diff --git a/src/backups.js b/src/backups.js
index 122512bb4..3ab2c5bf0 100644
--- a/src/backups.js
+++ b/src/backups.js
@@ -109,18 +109,16 @@ function getBackupUrl(appBackupIds, callback) {
 api(backupConfig.provider).getBackupUrl(backupConfig, filename, function (error, result) {
 if (error) return callback(error);
- var obj = {
- id: result.id,
- url: result.url,
- backupKey: backupConfig.key
- };
+ result.id = filename;
+ result.s3Url = 's3://' + backupConfig.bucket + '/' + backupConfig.prefix + '/' + filename;
+ result.backupKey = backupConfig.key;
- debug('getBackupUrl: id:%s url:%s backupKey:%s', obj.id, obj.url, obj.backupKey);
+ debug('getBackupUrl: %j', result);
 backupdb.add({ id: result.id, version: config.version(), type: backupdb.BACKUP_TYPE_BOX, dependsOn: appBackupIds }, function (error) {
 if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
- callback(null, obj);
+ callback(null, result);
 });
 });
 });
diff --git a/src/cloudron.js b/src/cloudron.js
index 08a607c74..6a7e021f5 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
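Review bot: `debug('getBackupUrl: %j', result);` in src/backups.js serialises the whole result object, which at that point carries `backupKey` and, judging by the fields src/cloudron.js reads from it, `accessKeyId`, `secretAccessKey` and `sessionToken`, so the backup passphrase and the storage credentials are written to the debug log. The same applies to `debug('backupBoxWithAppBackupIds: %j', result);` in the src/cloudron.js hunk. Log only the non-secret fields instead, e.g. `debug('getBackupUrl: id:%s s3Url:%s', result.id, result.s3Url);`. The three new assignments also write onto the object the storage provider handed back; building a fresh object would avoid changing a value the provider may still hold, which cannot be confirmed from this hunk. getBackupUrl's body starts and ends outside the hunk.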
@@ -682,16 +682,16 @@ function backupBoxWithAppBackupIds(appBackupIds, callback) {
 if (error && error.reason === BackupsError.EXTERNAL_ERROR) return callback(new CloudronError(CloudronError.EXTERNAL_ERROR, error.message));
 if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
- debug('backup: url %s', result.url);
+ debug('backupBoxWithAppBackupIds: %j', result);
 async.series([
 ignoreError(shell.sudo.bind(null, 'mountSwap', [ BACKUP_SWAP_CMD, '--on' ])),
- shell.sudo.bind(null, 'backupBox', [ BACKUP_BOX_CMD, result.url, result.backupKey ]),
+ shell.sudo.bind(null, 'backupBox', [ BACKUP_BOX_CMD, result.s3Url, result.accessKeyId, result.secretAccessKey, result.sessionToken, result.region, result.backupKey ]),
 ignoreError(shell.sudo.bind(null, 'unmountSwap', [ BACKUP_SWAP_CMD, '--off' ])),
 ], function (error) {
 if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
- debug('backup: successful');
+ debug('backupBoxWithAppBackupIds: success');
 webhooks.backupDone(result.id, null /* app */, appBackupIds, function (error) {
 if (error) return callback(error);
diff --git a/src/scripts/backupbox.sh b/src/scripts/backupbox.sh
index f4d201b12..fc5355562 100755
--- a/src/scripts/backupbox.sh
+++ b/src/scripts/backupbox.sh
@@ -12,13 +12,18 @@ if [[ $# == 1 && "$1" == "--check" ]]; then
 exit 0
 fi
-if [ $# -lt 2 ]; then
- echo "Usage: backupbox.sh "
+if [ $# -lt 6 ]; then
+ echo "Usage: backupbox.sh "
 exit 1
 fi
-backup_url="$1"
-backup_key="$2"
+# env vars used by the awscli
+s3_url="$1"
+export AWS_ACCESS_KEY_ID="$2"
+export AWS_SECRET_ACCESS_KEY="$3"
+export AWS_SESSION_TOKEN="$4"
+export AWS_DEFAULT_REGION="$5"
+password="$6"
 now=$(date "+%Y-%m-%dT%H:%M:%S")
 BOX_DATA_DIR="${HOME}/data/box"
 box_snapshot_dir="${HOME}/data/snapshots/box-${now}"
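Review bot: The new `backupBox` argument list in src/cloudron.js passes `result.accessKeyId`, `result.secretAccessKey`, `result.sessionToken` and `result.backupKey` as positional arguments, so, assuming `shell.sudo` spawns the script with this array as argv, the credentials and the backup passphrase sit on a command line that other local users can read from the process list for the whole upload, and sudo may record them in its command log. Hand secrets over through a channel that is not world-readable, such as the child's stdin or a 0600 temporary file that the script reads and removes. If a provider's result lacks `sessionToken` or `region`, an undefined element would presumably be passed along as well, so a guard before `async.series` is worth adding. backupBoxWithAppBackupIds starts and ends outside the hunk.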
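Review bot: The `export AWS_…` lines in src/scripts/backupbox.sh put the credentials into the environment of every later child process (btrfs, tar, openssl and whatever runs after the upload), not only awscli. Scoping them to the one command that needs them, or adding `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN` once the upload loop is done, keeps them from travelling further than necessary. The `$# -lt 6` check also accepts empty strings, so a missing key or region only surfaces after five failed upload attempts; a non-empty test such as `[[ -z "$2" || -z "$3" || -z "$5" ]]` would fail early. The usage message as shown names no arguments (possibly lost in rendering) and should list all six.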
@@ -30,14 +35,14 @@ echo "Snapshoting backup as backup-${now}"
 btrfs subvolume snapshot -r "${BOX_DATA_DIR}" "${box_snapshot_dir}"
 for try in `seq 1 5`; do
- echo "Uploading backup to ${backup_url} (try ${try})"
+ echo "Uploading backup to ${s3_url} (try ${try})"
 error_log=$(mktemp)
- headers=("-H" "Content-Type:")
-
+ # use aws instead of curl because curl will always read entire stream memory to set Content-Length
+ # aws will do multipart upload
 if tar -cvzf - -C "${box_snapshot_dir}" . \
- | openssl aes-256-cbc -e -pass "pass:${backup_key}" \
- | curl --fail -X PUT ${headers[@]} --data-binary @- "${backup_url}" 2>"${error_log}"; then
+ | openssl aes-256-cbc -e -pass "pass:${password}" \
+ | aws s3 cp - "${s3_url}" 2>"${error_log}"; then
 break
 fi
 cat "${error_log}" && rm "${error_log}"
diff --git a/src/storage/caas.js b/src/storage/caas.js
index b7e2c1b5f..d752cac91 100644
--- a/src/storage/caas.js
+++ b/src/storage/caas.js
@@ -67,17 +67,7 @@ function getBackupUrl(apiConfig, filename, callback) {
 getBackupCredentials(apiConfig, function (error, credentials) {
 if (error) return callback(error);
- var s3 = new AWS.S3(credentials);
-
- var params = {
- Bucket: apiConfig.bucket,
- Key: apiConfig.prefix + '/' + filename,
- Expires: 60 * 60 /* 60 minutes */
- };
-
- var url = s3.getSignedUrl('putObject', params);
-
- callback(null, { url: url, id: filename });
+ callback(null, credentials);
 });
 }
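Review bot: `-pass "pass:${password}"` in the upload pipeline of src/scripts/backupbox.sh keeps the backup passphrase on openssl's command line, where it is visible in the process list for as long as the archive streams. openssl also accepts `-pass env:VAR` and `-pass file:PATH`, so the line could read `| openssl aes-256-cbc -e -pass env:BACKUP_PASSWORD \` after `export BACKUP_PASSWORD="$6"`. Separately, the `if` only sees the exit status of the last pipeline stage unless `set -o pipefail` is enabled earlier in the script (not visible in this hunk), so a failing tar or openssl could still end in an upload that is treated as a good backup. A comment noting that aes-256-cbc output carries no integrity protection would also help whoever writes the restore path. The retry loop continues outside the hunk.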
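Review bot: `callback(null, credentials);` in src/storage/caas.js replaces a pre-signed URL that permitted one `putObject` on one key for 60 minutes with the raw credentials from `getBackupCredentials`, so the backup script now holds whatever those credentials allow. Their scope is not visible here; it should be confirmed as limited to this box's bucket prefix and stated in a comment on the function. The name `getBackupUrl` no longer matches what is returned, which deserves a doc comment such as `// yields the provider credentials (accessKeyId, secretAccessKey, sessionToken, region); the caller adds id and s3Url`, with the field names taken from what src/cloudron.js reads. Because src/backups.js then writes `id`, `s3Url` and `backupKey` onto this object, returning a copy would keep those writes off anything getBackupCredentials may retain.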