diff --git a/setup/start.sh b/setup/start.sh
index 20d7965ad..343aad871 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -101,6 +101,10 @@ mkdir -p "${BOX_DATA_DIR}/appicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
 mkdir -p "${BOX_DATA_DIR}/acme" # acme keys
 
+# ensure backups folder exists and is writeable
+mkdir -p /var/backups
+chmod 777 /var/backups
+
 echo "==> Check for old btrfs volumes"
 if mountpoint -q "${OLD_DATA_DIR}"; then
     echo "==> Cleanup btrfs volumes"
diff --git a/src/storage/filesystem.js b/src/storage/filesystem.js
index ab8d40a2f..70005326b 100644
--- a/src/storage/filesystem.js
+++ b/src/storage/filesystem.js
@@ -46,7 +46,7 @@ function backup(apiConfig, backupId, source, callback) {
 
     callback = once(callback);
 
-    // to allow setting 777 for real
+    // to allow setting 776 for real
     var oldUmask = process.umask(0);
     var oldCallback = callback;
     callback = function (error) {
@@ -64,7 +64,7 @@ function backup(apiConfig, backupId, source, callback) {
         var pack = tar.pack(source);
         var gzip = zlib.createGzip({});
         var encrypt = crypto.createCipher('aes-256-cbc', apiConfig.key || '');
-        var fileStream = fs.createWriteStream(backupFilePath, { mode: 0o777 });
+        var fileStream = fs.createWriteStream(backupFilePath, { mode: 0o776 });
 
         pack.on('error', function (error) {
             console.error('[%s] backup: tar stream error.', backupId, error);
@@ -153,22 +153,34 @@ function copyBackup(apiConfig, oldBackupId, newBackupId, callback) {
 
     debug('copyBackup: %s -> %s', oldFilePath, newFilePath);
 
-    var readStream = fs.createReadStream(oldFilePath);
-    var writeStream = fs.createWriteStream(newFilePath);
+    // to allow setting 776 for real
+    var oldUmask = process.umask(0);
+    var oldCallback = callback;
+    callback = function (error) {
+        process.umask(oldUmask);
+        oldCallback(error);
+    };
 
-    readStream.on('error', function (error) {
-        console.error('copyBackup: read stream error.', error);
-        callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
+    mkdirp(path.dirname(newFilePath), { mode: 0o777 }, function (error) {
+        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
+
+        var readStream = fs.createReadStream(oldFilePath);
+        var writeStream = fs.createWriteStream(newFilePath);
+
+        readStream.on('error', function (error) {
+            console.error('copyBackup: read stream error.', error);
+            callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
+        });
+
+        writeStream.on('error', function (error) {
+            console.error('copyBackup: write stream error.', error);
+            callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
+        });
+
+        writeStream.on('close', callback);
+
+        readStream.pipe(writeStream);
     });
-
-    writeStream.on('error', function (error) {
-        console.error('copyBackup: write stream error.', error);
-        callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
-    });
-
-    writeStream.on('close', callback);
-
-    readStream.pipe(writeStream);
 }
 
 function removeBackup(apiConfig, backupId, appBackupIds, callback) {