Borg Backup – Encrypt And Deduplicate Your Data

~ Tom's IT Cafe

If you have any data – backups are not optional.
Devices crash. Pendrives disappear. Houses burn down.

Your backups are useful only if you can restore them.

The Strategy

The good old-fashioned 3-2-1 works. No doubt. No arguments.

3 copies of your data:

  • 1 original (the working data)
  • 2 backups

2 different types of storage (for example: disk + external drive).
1 copy stored off-site (not in the same physical location).

The tool can be anything:

  • rsync
  • scp + tar
  • Bacula
  • Borg Backup
  • etc.

Borg is a solid choice.

The Tool

Borg Backup is simple – yet effective.
Written in Python and being open source – it’s easy to audit.

  • 256-bit AES encryption (with authenticated integrity)
  • Data compression
  • Deduplication for storage efficiency
  • Off-site remote backups (via SSH)

Borg is part of many distros – like Debian Trixie.

The Basics

At repository initialization there are two ways to store the secret key:

  1. In the repo, encrypted by the passphrase.
  2. Elsewhere, refer to it with command options.

After initializing a repository you cannot switch between the two strategies.
You have to decide when creating it.

The Repository

The repository is a standard system path.
It can be on the local system or remotely accessible with SSH.

Initialization:

borg init --encryption [repokey-blake2|keyfile-blake2] /path/to/repo
  • repokey-blake2 creates a Blake2 keyfile inside the repository.
  • keyfile-blake2 creates it outside. You have to manage the key.

The keyfile can be protected with a passphrase.
In both modes, a passphrase is strongly recommended.

The Archive

To create an archive in the repository use the:

borg create /path/to/repo::archive-name ~/important/stuff

It creates the archive archive-name in the path/to/repo repository and
backs up ~/important/stuff with all of its contents.

Remote, off-site backups via SSH:

borg create ssh://user@192.168.100.10/path/to/repo::archive

External keyfile can be used (when the repository was initialized with keyfile-blake2):

export BORG_KEY_FILE=/data/keyfiles/notebook-backup.key
borg create ssh://user@backup.example.org/path/to/repo::notebook-2026-01-09 ~/important/stuff

Pruning

Archives are collecting in the repository.
Pruning sets the retention policy.

borg prune -v --list /path/to/repo \
     --keep-daily=7 \
     --keep-weekly=4 \
     --keep-monthly=6

This will keep:

  • 7 days of backups
  • 4 weekly backups
  • 6 monthly backups

All of them sit in the repository, encrypted, deduplicated.

Verify And Restore Data

Option 1: Mount the archive

You can mount and browse the archive like a filesystem to verify files in it:

borg mount /path/to/repo::archive /mountpoint

Option 2: Extract the archive

An archive can be extracted like with tar:

borg extract /path/to/repo::archive /where/to/extract

Your backups are safe.

Leave a comment