I want to set up an easy backup system for my files, both locally and remotely.

Here is how I’ve set it up.

1. Requirements

I want to be able to make regular backups on a different host with the following requirements:

  • transparently send the backup to the destination host

  • the backup should not take any space on my main computer

  • de-duplicated data: do not send data to backup if it’s already there in a previous backup

  • encrypted and authenticated, so that it can be hosted on a remote host with no privacy concern

  • run in the background without interactions

  • backup program must be open source

2. Preparing the backup destination

I have a local NAS with 2 disks in mirror mode.

I’ve enabled the ssh server on it, and I’ve fixed the IP address of the NAS in my router to, because that’s an easy IP to remember.

Because I do not want to have to be there to authenticate the ssh connection, I’m sending my ssh public key to it:

ssh-copy-id user@

To check, let’s ssh into it: ssh user@, and the password should not required.

We can now mount this host locally thanks to sshfs so that the remote directory appears local:

mkdir ~/NAS && sshfs user@ ~/NAS

Now let’s ask systemd to auto mount it when my user is connected: let’s create a file named ~/.config/systemd/user/home-user-NAS.mount with the following content:

Description=Mount the NAS fs via sshfs



And give it a try:

systemctl --user daemon-reload
systemctl --user start home-user-NAS.mount
systemctl --user status home-user-NAS.mount
systemctl --user enable home-user-NAS.mount

We now have a remote SSH server automatically mounted when login in.

3. Initializing the backup

Borg fills in all the requirements.

First, let’s tell Borg where to store the backup, and what the encryption password is via a backup_init.sh:


export BORG_REPO=~/NAS/Backup/borg
export BORG_PASSPHRASE='strong_passphrase'

borg init --encryption=repokey "$BORG_REPO"

Then ask Borg to give you the encryption key used:

borg key export --paper ~/NAS/Backup/borg

Now store both the passphrase and the key in your password manager.

Let’s tell borg what to backup: ~/Documents and ~/Pictures in my case. Create a backup_run.sh:


# Setting this, so the repo does not need to be given on the commandline:
export BORG_REPO=~/NAS/Backup/borg

# See the section "Passphrase notes" for more infos.
export BORG_PASSPHRASE='strong_passphrase'

# some helpers and error handling:
info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM

info "Starting backup"

# Backup the most important directories into an archive named after
# the machine this script is currently running on:

borg create                         \
    --verbose                       \
    --filter AME                    \
    --list                          \
    --stats                         \
    --show-rc                       \
    --compression zstd,10           \
    --exclude-caches                \
    --exclude '/home/*/.cache/*'    \
    --exclude '/var/tmp/*'          \
    ::'{hostname}-{now}'            \
    /home/user/Documents            \


info "Pruning repository"

# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
# archives of THIS machine. The '{hostname}-' prefix is very important to
# limit prune's operation to this machine's archives and not apply to
# other machines' archives also:

borg prune                          \
    --list                          \
    --prefix '{hostname}-'          \
    --show-rc                       \
    --keep-daily    7               \
    --keep-weekly   4               \
    --keep-monthly  6               \


# use highest exit code as global exit code
global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))

if [ ${global_exit} -eq 0 ]; then
    info "Backup and Prune finished successfully"
elif [ ${global_exit} -eq 1 ]; then
    info "Backup and/or Prune finished with warnings"
    info "Backup and/or Prune finished with errors"

exit ${global_exit}

And run it once to check if it works: chmod +x backup_run.sh && ./backup_run.sh.

4. Backup schedule

Now that our backup command works, let’s schedule it to run every hour.

We can use systemd again for that.

First, let’s create the service to run only if the NAS was correctly mounted (~/.config/systemd/user/backup.service`) with the following content:

Description=Run Borg backup



And then let’s run it once to see if it works: systemctl --user start backup and systemctl --user status backup.

Now create the timer (~/.config/systemd/user/backup.timer`) with the following content:

Description=Schedule Borg Backup every 1 hour

# Execute job if it missed a run due to machine being off
# Run 30 minutes after boot for the first time
# Run on every hour thereafter
OnCalendar=*-*-* *:00:00
# File describing job to execute


Enable both the service and the timer:

systemctl --user enable backup.service
systemctl --user enable backup.timer
systemctl --user start backup.timer

5. Off site copy

My NAS allows me to sync a local directory to different cloud storage providers. So this part really depends on your possibilities.

6. Conclusion

Borg allows a relatively simple and well encrypted backup system. Paired with systemd timers, it makes having backup relatively simple for a Linux system.