Can anyone recommend a secure, open source, offsite backup setup with client-side encryption? The way I’m set up now, I have certain folders on my QNAP NAS automatically back up to Backblaze. Which is fine, except that the QNAP encryption scheme is proprietary and Backblaze is also proprietary (I’ve had a good experience with the latter, tho). I find the QNAP in general kind of hard to use, but it’s what I’ve got at the moment. I was contemplating using Cryptomator, either with BB or something else, though I’m not exactly sure how to set it up. So what do people think? Would another setup be slightly better? If it ain’t broke . . . ?
restic. I’ve been using it for years, and specifically with B2 for at least 2.
- Client-side encryption, by default
- Single executable
- Stable format
- Backups are incremental by default
- Backups are mountable (via fuse), so it’s easy to grab specific files from a snapshot
It really is a fantastic, free, OSS program.
For any of those curious, it seems to use the crypto/aes package in restic/crypto.go.
We switched to it for backups at work about a couple years ago too, and agree on the assessment.
By it you mean Cryptomator, yes?
I wasn’t happy with any off the shelf services a while ago so I ended up writing a cron job that gpg encrypted every file I needed backed up nightly and then rsync’d it to an s3 mount point. It worked without any issue for just enough time that I forgot about it and now it doesn’t work, so … I maybe wouldn’t follow that route, but also maybe I would if I had enough energy to unfuck that side project up.
Out of curiosity I looked at it again, and I’m kind of half-impressed, half-disgusted that I wrote that script. I had some thoughts of sharing it as a starting point but now I’m pretty sure I should just kick it back into the closet and shut the door and ignore it like it never happened.
Duplicati, Syncthing with encryption explicitly enabled, borgmatic/borgbackup, restic.
See also: https://github.com/awesome-foss/awesome-sysadmin#backups