Encrypted backups with Borg

Configure BorgBackup on a HolyCloud VPS: encrypted repository, incremental backups, exclusions, and sync to remote storage (BorgBase or SSH).

BorgBackup (Borg) performs deduplicated, encrypted backups — ideal for protecting /etc, websites, and databases on a HolyCloud Linux VPS before migration or incident. This guide installs Borg, initializes a local or remote repository (SSH, BorgBase-compatible), schedules archives, and verifies restore.

Prerequisites

  • HolyCloud VPS Ubuntu/Debian, sudo access
  • Sufficient disk space for the repository (local or remote)
  • For BorgBase or another host: account, repository created, SSH key registered
  • Borg secret passphrase stored in a password manager — without it, data is unrecoverable

Tip: Test borg extract on an isolated file before relying on Borg alone in production.

Step 1: Installation

sudo apt update
sudo apt install -y borgbackup
borg --version

Step 2: Initialize a local repository (test)

sudo mkdir -p /var/borg/repos
sudo borg init --encryption=repokey /var/borg/repos/vps-holycloud

Choose a strong passphrase. Export the key and store the exported copy off the VPS:

sudo borg key export /var/borg/repos/vps-holycloud /root/borg-key-backup.txt
sudo chmod 600 /root/borg-key-backup.txt

Step 3: First archive

sudo borg create --verbose --stats --progress \
  /var/borg/repos/vps-holycloud::'{hostname}-{now:%Y-%m-%d}' \
  /etc \
  /var/www \
  /home \
  --exclude '/var/www/*/cache' \
  --exclude '*.tmp'

List the archives and show repository information:

sudo borg list /var/borg/repos/vps-holycloud
sudo borg info /var/borg/repos/vps-holycloud

Step 4: Remote repository via SSH (BorgBase or other server)

On the VPS, generate a dedicated key:

ssh-keygen -t ed25519 -f ~/.ssh/borg_remote -N ""
cat ~/.ssh/borg_remote.pub

Add the public key on BorgBase (web interface) or in authorized_keys on the backup server.

~/.ssh/config (replace VOTRE_ID_BORGBASE with your BorgBase ID):

Host borgbase
    HostName repo.borgbase.com
    User VOTRE_ID_BORGBASE
    IdentityFile ~/.ssh/borg_remote
    IdentitiesOnly yes

Remote initialization:

borg init --encryption=repokey borgbase:./repo-vps

First remote archive:

borg create --verbose --stats \
  borgbase:./repo-vps::'{hostname}-{now:%Y-%m-%d}' \
  /etc /var/www /home

Step 5: Retention policy (prune)

sudo borg prune --list --keep-daily 7 --keep-weekly 4 --keep-monthly 6 \
  /var/borg/repos/vps-holycloud

Combined create + prune script:

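sudo mkdir -p /opt/scripts
sudo nano /opt/scripts/borg-backup.sh

Script contents:

#!/bin/bash
set -euo pipefail
# Placeholder: replace VOTRE_PASSPHRASE with the repository passphrase
export BORG_PASSPHRASE='VOTRE_PASSPHRASE'
REPO=/var/borg/repos/vps-holycloud
ARCHIVE="$(hostname)-$(date +%Y-%m-%d_%H%M)"
# Create the archive, then apply the retention policy
borg create "$REPO::$ARCHIVE" /etc /var/www /home \
  --exclude '/var/www/*/cache'
borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 "$REPO"
# Free the space released by prune (borg compact requires Borg 1.2 or later)
borg compact "$REPO"

Restrict the script to root:

sudo chmod 700 /opt/scripts/borg-backup.sh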

Prefer a /root/.borg-passphrase file with mode 600 rather than a plaintext passphrase in the script.
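
One way to follow this advice, as an added example that is not HolyCloud's or the Borg project's own script: the passphrase file is validated before Borg runs and is handed to Borg through BORG_PASSCOMMAND. The function names check_passfile and run_backup and the "run" argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the guide's script: the passphrase stays in a file.
# check_passfile, run_backup and the "run" argument are hypothetical names.
PASSFILE="${PASSFILE:-/root/.borg-passphrase}"
REPO="${REPO:-/var/borg/repos/vps-holycloud}"

# Return 0 only if $1 is a non-empty regular file (not a symlink), owned by
# the invoking user, with mode 600 or 400. Uses GNU stat (Ubuntu/Debian).
check_passfile() {
  f="$1"
  if [ ! -f "$f" ] || [ -L "$f" ]; then
    echo "passphrase file missing or not a regular file: $f" >&2; return 1
  fi
  if [ ! -s "$f" ]; then
    echo "passphrase file is empty: $f" >&2; return 1
  fi
  mode=$(stat -c '%a' "$f")
  owner=$(stat -c '%u' "$f")
  if [ "$owner" != "$(id -u)" ]; then
    echo "passphrase file is not owned by uid $(id -u): $f" >&2; return 1
  fi
  case "$mode" in
    600|400) return 0 ;;
    *) echo "passphrase file mode is $mode, expected 600: $f" >&2; return 1 ;;
  esac
}

run_backup() {
  check_passfile "$PASSFILE" || return 1
  # Borg runs BORG_PASSCOMMAND itself and reads the passphrase from its
  # output, so the secret is never written into this script.
  unset BORG_PASSPHRASE
  export BORG_PASSCOMMAND="cat $PASSFILE"
  borg create "$REPO::{hostname}-{now:%Y-%m-%d_%H%M}" /etc /var/www /home \
    --exclude '/var/www/*/cache' || return 1
  borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 "$REPO" || return 1
  borg compact "$REPO"
}

# Entry point for cron: "borg-backup.sh run". Without the argument the file
# only defines the functions.
if [ "${1:-}" = "run" ]; then
  run_backup
fi
```

A passphrase file that is group- or world-readable, empty, a symlink, or owned by another user stops the run before any Borg command is executed.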

Step 6: cron

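Add this line to /etc/crontab or to a file under /etc/cron.d/ (the root user field is not valid in a crontab -e entry):

0 3 * * * root /opt/scripts/borg-backup.sh >> /var/log/borg-backup.log 2>&1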

Step 7: Restore (test)

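List the contents of an archive, then dry-run the extraction of one file (replace hostname-2026-06-22 with an archive name shown by borg list):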

sudo borg list /var/borg/repos/vps-holycloud::hostname-2026-06-22
sudo borg extract --dry-run /var/borg/repos/vps-holycloud::hostname-2026-06-22 etc/hostname

Extract a file:

sudo mkdir -p /tmp/borg-restore
cd /tmp/borg-restore
sudo borg extract /var/borg/repos/vps-holycloud::hostname-2026-06-22 etc/passwd
ls -la etc/passwd

Explore with mount (FUSE):

sudo apt install -y python3-borgbackup 2>/dev/null || true
sudo mkdir -p /mnt/borg
sudo borg mount /var/borg/repos/vps-holycloud::hostname-2026-06-22 /mnt/borg
# The FUSE mount belongs to root, so list it as root
sudo ls /mnt/borg
sudo borg umount /mnt/borg

Verification

sudo borg check /var/borg/repos/vps-holycloud
sudo borg list /var/borg/repos/vps-holycloud | tail -5
df -h /var/borg
tail -20 /var/log/borg-backup.log

Expected result: borg check reports no errors, and the latest archive is dated as expected.

HolyCloud support

  • Incorrect passphrase: there is no recovery without the key export and the passphrase
  • Locked repository: borg break-lock REPO (only when no Borg process is still using the repository)
  • Disk space: run borg compact, increase the HolyCloud volume, or prune more aggressively
  • When contacting HolyCloud support, provide: repository type (local/SSH), borg check output, disk space (df -h)