How would or do you backup your home server? I don’t have enough physical storage (for now) at home to store some backups, so I want to upload it to the cloud. Of course I want the backup to be encrypted, but I don’t want to enter the password every time by server does a backup. I am currently using borg on my PC and do it manually. How do I create a encrypted backup without entering the key manually? Do I hardcode it somewhere? Don’t really like that. I am also fine with trying other backup software.
In terms of pricing, I find Hetzner is best for under 1TB, Backblaze for over 1TB. Both have great documentation for setting up any number of backup methods (SFTP, SSH, Rsync, Rclone, Borg, etc).
Rsync, Rclone, and Borg are all good options and some may be built into your choice of OS if you use a dedicated NAS system. Choose whatever is easiest for you.
The backups are gonna be encrypted in transit regardless of method, and Im pretty sure most backup providers encrypt data on their servers so you dont have to manage that I dont think.
When you commit to backups, IMO you should do them daily - Most backup clients have options for “sync” options which will ignore unchanged files and only upload changes, so a daily backup is not only more up-to-date but also more efficient once the first backup completes.
I have a storagebox at hetzner. My script does:
- Mount the storagebox over sshfs with public key file
- Mount a gocryptfs folder, with supplied key on local file
- Rsync my stuff to the encrypted folder
- Unmounts in reverse order
I can access the storagebox by password, too. So this is my disaster recovery in case my house burns down with all my devices. I’ll just buy another laptop the next day, and me and the Mrs can admire all my code and our wedding videos within a few hours.
I run proxmox, and proxmox backup server in a vm. PBS backup is encrypted locally, and I upload the backup to backblaze b2 using rclone in a cron job. I store the decryption key elsewhere
It has worked ok for me. I also upload a heartbeat file, it is just a empty file with todays date (
touch heartbeat
), so that I can easily check when the last upload happenedI use Borgbackup, with borgmatic to configure and periodically run it. I have two storage VPSes “in the cloud”, and back up to both of them. My main storage VPS is a HostHatch one with 10TB space for $10/month. I got it during Black Friday sales in 2021.
If you do back up to multiple destinations, Borgbackup’s devs recommend configuring two separate backups, rather than doing a backup to one server then syncing it to the second one. This is to handle the case where one of the backups becomes corrupted.
Hetzner have decent deals on their “storage boxes”. You don’t get root access, but they support Borgbackup, restic and rclone in addition to the regular protocols (SFTP, FTPS, WebDAV, SMB).
Make sure you configure the SSH key to only allow it to run borgbackup in “append only” mode, so that malware/ransomware on the client system can’t delete the backups. This is a common issue with other backup solutions like rsync - the client has full access to the server, so a malicious user/code could delete the whole backup.
For servers autorestic just worked. It’s a wrapper for restic. I sent data to backlaze B2 and StorJ. Now that I have a couple proxmox hosts in a colo, I have an off-site PBS running in ZFS.rent.
First VMs back up to local PBS , then nightly that’s synced to ZFS.rent. I have PVE set to do encrypted backups to PBS so it’s all encrypted.
Borg or the like with ‘hardcoded’ plaintext/regularly full-disk-encrypted key is acceptable. Someone that has your unencrypted private key sitting on your server has almost certainly already obtained access to the entire set of data you’re backing up, with the backup key itself only meaningfully guarding access to older backups.
The more important thing is to securely keep extra copies in case the server fails. I keep mine in a group in my password manager, one per repo.
Restic to BackBlaze. B2 support is built in to restic, so all you need is an account and credentials.
Most of my home data - servers, PCs - I back up to HD and B2. I have a few VPS I only back up to B2.
You have basically two options.
-
Symmetric Encryption. That means you use the same password/key for writing the Backup and for reading the backup. Here you have to write the password somewhere, depending on the OS there are options like keychains or similar that can hold the password so that the password is only available once you are loged in or have unlocked the keychain.
-
Asymmetric Encryption. That means you have different passwords/keys to read and write the backup. PGP is an example here. Here you can just simply use one key to write the backup, this key can become public and you do not have to worry about your backup since it will only be readable with the 2. key.
I personally use Restic with a password that is only readable by the system root user stored on the filesystem. Since I use Full Disk Encryption i do not have to worry too much about when the secret is available in clear text at runtime.
+1 for restic. I have additionally started using autorestic with it and have been happy how it operates.
-
How many tb? It may be cheaper even within a year to just purchase another hard drive
I use Kopia to backup to Backblaze B2. I also use the Kopia UI since I can’t be bothered to figure out the cli for it. I have it running constantly in the background so it automatically takes care of everything.
This. 100% me. I have been using Kopia+BB and I am happily surprised.
It’ll cost you more storing it in cloud than just buying more drives. If you’re already in a spot where that’s a problem, this is not a solution for you.
Yes, but I use the cloud for other purposes too and have enough storage for a backup, also even if I were to buy another drive, I would like to store one copy offsite without having to buy two drives
I’d calculate your total cost then, and figure out ingress and egress costs depending on the provider. Cloudflare with R2 is the only “cloud” storage service I’m aware of that doesn’t charge for either right now. They may in the future so check out your costs.
is the only “cloud” storage service I’m aware of that doesn’t charge for either right now
Hetzner doesn’t either for their storage boxes. They support Borgbackup, restic, rclone, SFTP, FTPS, WebDAV and SMB.
Most storage VPSes will include a decent amount of traffic per month.
If you want I can hit you up with a couple TB S3 compatible block storage against a small compensation covering electricity. I’ve got about 30TB available of my 64TB that are just doing nothing right now, it’s a shame really. I’m running a TrueNAS homelab in a RaidZ2 with battery backup and proper Firewall and IDS/IPS protection (but I’m not a professional). If that’s fine DM me.
Check Borg documentation. Somewhere there there’s a way to pass the password as an environmental variable.
GoodSync can encrypt files during upload