It was one of the easiest to set up and it works flawlessly. I’m a bit paranoid about losing my data even with the backups… Any recommendation?
Borgbackup runs via SSH, so you just need the client to be able to reach the server via SSH. You don’t need root login, and in fact I’d recommend a separate user per system being backed up so that one client can’t access another client’s backups.
I haven’t automated setup of backup repos yet, so I’ve copied a part of my personal “new server setup” document below: (`alice` is the name of the client system and `bob` is the name of the server system)

1.
   ```
   ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "root@alice.example.com"
   ```

2.
   ```
   adduser backup-alice --disabled-password
   mkdir /data/backup/alice
   chown backup-alice:backup-alice /data/backup/alice
   chmod 0700 /data/backup/alice
   mkdir ~backup-alice/.ssh
   ```

3. `authorized_keys` for the user (in `~backup-alice/.ssh/authorized_keys`), containing the public key you generated in step 1:
   ```
   command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ssh-ed25519 AAAAC3Nz....... root@alice.example.com
   ```
   (`--append-only` enables append-only mode. `--restrict-to-path` means the user is only allowed to access that one repo. The `,restrict` after the command but before the SSH key means the user is only allowed to run borg, nothing else, so for example the same credentials can’t be used to SSH in for an interactive session)

4.
   ```
   borg init --encryption=keyfile-blake2 backup-alice@bob.example.com:/data/backup/alice
   ```
   (it’ll prompt for an encryption passphrase. Make it long and keep a copy in a safe place)

5.
   ```
   borg key export backup-alice@bob.example.com:/data/backup/alice key
   cat key # copy and paste it somewhere safe
   rm key
   ```
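A check for the `authorized_keys` entry described in the answer above, as an added example that is not part of the original post: it parses one entry and reports whether `restrict`, the forced `borg serve` command, `--append-only` and the expected `--restrict-to-path` are all in place. The function names and sample entries are hypothetical, the key blob is a placeholder, and it assumes the forced command invokes `borg` by that bare name.

```python
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")
# sshd options that switch back on a feature that "restrict" turned off
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}

def split_options(line):
    """Return (options dict, rest of line) for one authorized_keys entry.
    Commas and spaces inside double quotes belong to the option value."""
    if line.startswith(KEY_TYPES):
        return {}, line  # entry has no options field
    opts, buf, quoted, i = {}, "", False, 0
    while i <= len(line):
        ch = line[i:i + 1]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1  # \" is a literal quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch in (",", " ", ""):
            name, _, value = buf.partition("=")
            opts[name.lower()] = value  # option names are case-insensitive
            buf = ""
            if ch != ",":
                break  # a space (or end of line) ends the options field
        else:
            buf += ch
        i += 1
    return opts, line[i:].strip()

def audit(line, repo_path):
    """Return the problems found in one entry; an empty list means locked down."""
    opts, _key = split_options(line.strip())
    problems = [] if "restrict" in opts else ["missing restrict"]
    problems += [f"{o} re-enabled" for o in sorted(REENABLE.intersection(opts))]
    argv = shlex.split(opts.get("command", ""))
    if argv[:2] != ["borg", "serve"]:
        return problems + ["forced command is not borg serve"]
    if "--append-only" not in argv:
        problems.append("missing --append-only")
    paths = [b for a, b in zip(argv, argv[1:]) if a == "--restrict-to-path"]
    paths += [a.split("=", 1)[1] for a in argv if a.startswith("--restrict-to-path=")]
    if paths != [repo_path]:
        problems.append(f"--restrict-to-path is {paths}, expected only {repo_path}")
    return problems

# Constructed sample entries; the key blob is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAAC3NzPLACEHOLDER root@alice.example.com"
GOOD = 'command="borg serve --append-only --restrict-to-path /data/backup/alice",restrict ' + KEY
WEAK = 'command="borg serve --restrict-to-path /data/backup",restrict,pty ' + KEY
```

Run `audit(line, "/data/backup/alice")` on each non-comment line of `~backup-alice/.ssh/authorized_keys` on the server; any non-empty result names what that entry still allows.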