It was one of the easiest to set up and it works flawlessly. I’m a bit paranoid about losing my data even with the backups… Any recommendation?
For backups, I have two storage VPSes (one in Los Angeles and one with a completely different provider in Canada), and have an individual backup to each one. I’m using Borgbackup for that.
Borg lets you enable an “append only” mode for particular clients such that even if an attacker were to gain access to your client system, they couldn’t delete your backups. This is a common issue with rsync/rclone solutions.
Borg dedupes across all backups, so you can have months of daily backups without using a lot more disk space. Neither rsync nor rclone can do this.
Don’t forget to test your backups by doing a data recovery run - act as if your data was lost, and try to set everything up again, maybe on a VM or something. If the backups aren’t tested, you don’t really have backups :)
I use both too for all my stuff, didn’t know of an append mode.
Do you perhaps have a good solution for backing up backups on another system? I’d like to store the repo of my vps on my Homeserver.
I currently have set up a cronjob that downloads the newest backup repo every week using SFTP, then deletes the old one if everything is fine.
I should do some testing that goes beyond just looking at files in my backup though.
You could probably just run Borg on your home server too? Whatever is creating the backups would then back up to both the VPS and the home server.
The Borg team recommends against using tools like rsync and SFTP to create copies of Borg repos, instead preferring separate repos: https://borgbackup.readthedocs.io/en/stable/faq.html#can-i-copy-or-synchronize-my-repo-to-another-location
My homeserver runs borg, but how would I go about backing the remote server up? I read somewhere that sshfs would be an option, but that involves opening my ssh for root login, which sounds a bit sketchy IMO.
Borgbackup runs via SSH, so you just need the client to be able to reach the server via SSH. You don’t need root login, and in fact I’d recommend a separate user per system being backed up so that one client can’t access another client’s backups.
I haven’t automated setup of backup repos yet, so I’ve copied a part of my personal “new server setup” document below (`alice` is the name of the client system and `bob` is the name of the server system):

1.
   ```
   ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "root@alice.example.com"
   ```

2.
   ```
   adduser backup-alice --disabled-password
   mkdir /data/backup/alice
   chown backup-alice:backup-alice /data/backup/alice
   chmod 0700 /data/backup/alice
   mkdir ~backup-alice/.ssh
   ```

3. `authorized_keys` for the user (in `~backup-alice/.ssh/authorized_keys`), containing the public key you generated in step 1:

   ```
   command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ssh-ed25519 AAAAC3Nz....... root@alice.example.com
   ```

   (`--append-only` enables append-only mode. `--restrict-to-path` means the user is only allowed to access that one repo. The `,restrict` after the command but before the SSH key means the user is only allowed to run borg, nothing else, so for example the same credentials can’t be used to SSH in for an interactive session)

4.
   ```
   borg init --encryption=keyfile-blake2 backup-alice@bob.example.com:/data/backup/alice
   ```

   (It’ll prompt for an encryption passphrase. Make it long and keep a copy in a safe place)

5.
   ```
   borg key export backup-alice@bob.example.com:/data/backup/alice key
   cat key # copy and paste it somewhere safe
   rm key
   ```
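As an added example (not part of the thread), this POSIX sh script checks that an `authorized_keys` entry on the backup server carries the restrictions from the post above: a forced `borg serve` command, `--append-only`, `--restrict-to-path` and the `restrict` option. The function names and the sample line are made up for illustration, and the key material in the sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit authorized_keys lines for Borg
# backup accounts against the restrictions described in the post.

# check_borg_key_line LINE: print findings; return 0 only if fully locked down.
check_borg_key_line() {
    line=$1; rc=0
    case $line in
        *command=\"*\"*) ;;
        *) echo "no forced command"; return 1 ;;
    esac
    cmd=${line#*command=\"}; cmd=${cmd%%\"*}  # text between the quotes
    rest=${line#*command=\"*\"}               # everything after the closing quote
    opts=${line%%command=\"*}${rest%% *}      # option list without the command
    case $cmd in
        "borg serve"|"borg serve "*) ;;
        *) echo "forced command is not borg serve"; rc=1 ;;
    esac
    case " $cmd " in
        *" --append-only "*) ;;
        *) echo "missing --append-only"; rc=1 ;;
    esac
    case " $cmd " in
        *" --restrict-to-path /"*) ;;
        *) echo "missing --restrict-to-path with an absolute path"; rc=1 ;;
    esac
    case ",$opts," in
        *,restrict,*) ;;
        *) echo "missing restrict option"; rc=1 ;;
    esac
    return $rc
}

# audit_authorized_keys FILE: report every key line that fails the check.
audit_authorized_keys() {
    file=$1; n=0; bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! out=$(check_borg_key_line "$l"); then
            bad=$((bad + 1))
            printf '%s:%s: %s\n' "$file" "$n" "$(printf '%s' "$out" | tr '\n' ';')"
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample in the post's format (key material is a placeholder).
SAMPLE='command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ssh-ed25519 AAAAC3NzPLACEHOLDER root@alice.example.com'
if [ $# -gt 0 ]; then audit_authorized_keys "$1"; else check_borg_key_line "$SAMPLE" && echo "sample OK"; fi
```

Run it as root on the server with the path to a backup user's `authorized_keys` as the only argument; a non-zero exit status means at least one key line is missing a restriction.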