6d ago

Encrypted backups to the cloud

How would or do you backup your home server? I don't have enough physical storage (for now) at home to store some backups, so I want to upload it to the cloud. Of course I want the backup to be encrypted, but I don't want to enter the password every time by server does a backup. I am currently using borg on my PC and do it manually. How do I create a encrypted backup without entering the key manually? Do I hardcode it somewhere? Don't really like that. I am also fine with trying other backup software.

30 comments

Borg or the like with 'hardcoded' plaintext/regularly full-disk-encrypted key is acceptable. Someone that has your unencrypted private key sitting on your server has almost certainly already obtained access to the entire set of data you're backing up, with the backup key itself only meaningfully guarding access to older backups.
The more important thing is to securely keep extra copies in case the server fails. I keep mine in a group in my password manager, one per repo.

In terms of pricing, I find Hetzner is best for under 1TB, Backblaze for over 1TB. Both have great documentation for setting up any number of backup methods (SFTP, SSH, Rsync, Rclone, Borg, etc).
Rsync, Rclone, and Borg are all good options and some may be built into your choice of OS if you use a dedicated NAS system. Choose whatever is easiest for you.
The backups are gonna be encrypted in transit regardless of method, and Im pretty sure most backup providers encrypt data on their servers so you dont have to manage that I dont think.
When you commit to backups, IMO you should do them daily - Most backup clients have options for "sync" options which will ignore unchanged files and only upload changes, so a daily backup is not only more up-to-date but also more efficient once the first backup completes.
- most backup providers encrypt data on their servers so you dont have to manage that I dont think.
  That's something you should manage yourself, so the provider isn't the one with the keys, by encrypting the backup locally before sending it. Most solutions you mention let you do that.
  
  Good point!

I use Borgbackup, with borgmatic to configure and periodically run it. I have two storage VPSes "in the cloud", and back up to both of them. My main storage VPS is a HostHatch one with 10TB space for $10/month. I got it during Black Friday sales in 2021.
If you do back up to multiple destinations, Borgbackup's devs recommend configuring two separate backups, rather than doing a backup to one server then syncing it to the second one. This is to handle the case where one of the backups becomes corrupted.
Hetzner have decent deals on their "storage boxes". You don't get root access, but they support Borgbackup, restic and rclone in addition to the regular protocols (SFTP, FTPS, WebDAV, SMB).
Make sure you configure the SSH key to only allow it to run borgbackup in "append only" mode, so that malware/ransomware on the client system can't delete the backups. This is a common issue with other backup solutions like rsync - the client has full access to the server, so a malicious user/code could delete the whole backup.

You have basically two options.
Symmetric Encryption. That means you use the same password/key for writing the Backup and for reading the backup. Here you have to write the password somewhere, depending on the OS there are options like keychains or similar that can hold the password so that the password is only available once you are loged in or have unlocked the keychain.
Asymmetric Encryption. That means you have different passwords/keys to read and write the backup. PGP is an example here. Here you can just simply use one key to write the backup, this key can become public and you do not have to worry about your backup since it will only be readable with the 2. key.
I personally use Restic with a password that is only readable by the system root user stored on the filesystem. Since I use Full Disk Encryption i do not have to worry too much about when the secret is available in clear text at runtime.
- +1 for restic. I have additionally started using autorestic with it and have been happy how it operates.

I run proxmox, and proxmox backup server in a vm. PBS backup is encrypted locally, and I upload the backup to backblaze b2 using rclone in a cron job. I store the decryption key elsewhere
It has worked ok for me. I also upload a heartbeat file, it is just a empty file with todays date (touch heartbeat), so that I can easily check when the last upload happened

I use backblaze b2 and https://github.com/garethgeorge/backrest
Backrest is by far the best restic manager I've found, easy webUI, with built in support for healthchecks.

How many tb? It may be cheaper even within a year to just purchase another hard drive
- An extra hard drive doesn't save you from something like your house burning down. Off-site backups are important!
  
  Send it to your parents and work is what I do :)

Restic to BackBlaze. B2 support is built in to restic, so all you need is an account and credentials.
Most of my home data - servers, PCs - I back up to HD and B2. I have a few VPS I only back up to B2.

I use Kopia to backup to Backblaze B2. I also use the Kopia UI since I can't be bothered to figure out the cli for it. I have it running constantly in the background so it automatically takes care of everything.
- This. 100% me. I have been using Kopia+BB and I am happily surprised.
- Kopia doesn't get enough love, it's awesome

I have a storagebox at hetzner. My script does:
Mount the storagebox over sshfs with public key file
Mount a gocryptfs folder, with supplied key on local file
Rsync my stuff to the encrypted folder
Unmounts in reverse order
I can access the storagebox by password, too. So this is my disaster recovery in case my house burns down with all my devices. I'll just buy another laptop the next day, and me and the Mrs can admire all my code and our wedding videos within a few hours.

For servers autorestic just worked. It's a wrapper for restic. I sent data to backlaze B2 and StorJ. Now that I have a couple proxmox hosts in a colo, I have an off-site PBS running in ZFS.rent.
First VMs back up to local PBS , then nightly that's synced to ZFS.rent. I have PVE set to do encrypted backups to PBS so it's all encrypted.

It'll cost you more storing it in cloud than just buying more drives. If you're already in a spot where that's a problem, this is not a solution for you.
- Yes, but I use the cloud for other purposes too and have enough storage for a backup, also even if I were to buy another drive, I would like to store one copy offsite without having to buy two drives
  
  I'd calculate your total cost then, and figure out ingress and egress costs depending on the provider. Cloudflare with R2 is the only "cloud" storage service I'm aware of that doesn't charge for either right now. They may in the future so check out your costs.
  
  If you want I can hit you up with a couple TB S3 compatible block storage against a small compensation covering electricity. I've got about 30TB available of my 64TB that are just doing nothing right now, it's a shame really. I'm running a TrueNAS homelab in a RaidZ2 with battery backup and proper Firewall and IDS/IPS protection (but I'm not a professional). If that's fine DM me.

I use a cryptomator mount and sync that to whichever cloud i want, but the un/mounting is manual.
If you need full disk encryption look at ZFS and snapshots.
Do you need to backup everything on the disk?

Check Borg documentation. Somewhere there there’s a way to pass the password as an environmental variable.

GoodSync can encrypt files during upload

Duplicati, has many cloud providers as destination. Encryption. Basic backup tools functionalities. I use Onedrive family plan which has a total of 6 TB for my backups. Other solid option is rclone , it does the same even more, but is more focused on sync than backup. Also many cloud providers supported. Both are Foss
- I had constant problems with duplicati and switched to kopia with backblaze and it has been problem free, so I would tread very carefully with it. The database would work for a while and then get into a state that required a reset and would not have permitted a successful backup to be restored.
  
  I had constant problems with duplicati
  Yes i know, i had them too, and serious ones. It needs to always have an eye on it. I choose it because the large amount of cloud storage supported natively, and not have to configure and deal with rclone or even + restic to do a backup in home products like Onedrive. For me that's more noise and issues.
- Backrest (restic) is what I use after constant duplicati problems. Kopia is also a good option.
  Duplicati is ok with tiny backup sets, but give it multiple TB of data and it chokes and constantly has errors requiring expensive rebuilds.

30 comments