Bulletproof Disaster Recovery: Automating Encrypted Backups Using BorgBackup on Linux

A common misconception in server management is that RAID constitutes a backup. It does not. RAID protects against hardware drive failure, but it will seamlessly and instantly replicate accidental file deletions, corrupted database tables, or ransomware encryption across all your mirrored drives.

For true disaster recovery, you need an isolated, versioned, and encrypted backup strategy.

Enter BorgBackup (Borg). Borg is an open-source, deduplicating backup program that offers authenticated encryption. It only stores the changes made since your last backup, saving massive amounts of disk space, and encrypts everything client-side before it is stored.

Here is how to set up automated, bulletproof encrypted backups on your Linux bare-metal server.

Step 1: Install BorgBackup

Borg is available in the default repositories of almost all major Linux distributions. For this guide, we are using Ubuntu 24.04 LTS.

Run the following command as root:

apt update
apt install -y borgbackup
                            

Verify the installation:

borg --version
                            

Step 2: Initialize the Encrypted Repository

A "repository" is the destination folder where Borg will store your backup archives. This can be a local folder, a mounted external drive, or ideally, a remote storage server accessed via SSH.

For this tutorial, we will create a local repository at /backup/borg-repo.

mkdir -p /backup/borg-repo
borg init --encryption=repokey /backup/borg-repo
                            

You will be prompted to enter a passphrase. Do not lose this passphrase. Because the encryption is absolute, losing the passphrase means losing all your backup data forever.

Step 3: Running Your First Backup

Now that the repository is initialized, you can create your first backup archive. Let's say we want to back up the /var/www/html directory (your website files) and /etc (your server configurations).

We will name the archive using the current date and time.

borg create --stats --progress \
    /backup/borg-repo::"Backup-{now:%Y-%m-%d_%H:%M}" \
    /var/www/html /etc
                            

The --stats flag will show you the deduplication in action. If you run this exact command again tomorrow, it will complete in seconds, as Borg only copies the files that have changed.

Step 4: Automating Backups with a Bash Script & Cron

Manual backups are easily forgotten. Let's automate the process so it runs every night at 2:00 AM.

Create a bash script:

nano /usr/local/bin/borg-backup.sh
                            

Paste the following script. Make sure to replace YOUR_SUPER_SECRET_PASSPHRASE with the actual password you created in Step 2:

#!/bin/bash

# Export the passphrase so Borg doesn't prompt for it
export BORG_PASSPHRASE="YOUR_SUPER_SECRET_PASSPHRASE"

REPOSITORY="/backup/borg-repo"
LOG="/var/log/borg-backup.log"

echo "Starting backup: $(date)" >> $LOG

# Create a new backup archive
borg create --stats \
    $REPOSITORY::"Auto-Backup-{now:%Y-%m-%d_%H:%M}" \
    /var/www/html /etc >> $LOG 2>&1

# Prune old backups (Keep daily backups for 7 days, weekly for 4 weeks)
borg prune --list --keep-daily=7 --keep-weekly=4 $REPOSITORY >> $LOG 2>&1

echo "Backup finished: $(date)" >> $LOG
echo "-----------------------------------" >> $LOG
                            

Make the script executable:

chmod +x /usr/local/bin/borg-backup.sh
                            

Now, add it to your root crontab:

crontab -e
                            

Add the following line to run the script every day at 2:00 AM:

0 2 * * * /usr/local/bin/borg-backup.sh
                            

Step 5: How to Restore Your Data

A backup is useless if you cannot restore it. If disaster strikes, here is how you extract your files.

First, list all available backup archives in your repository:

borg list /backup/borg-repo
                            

You will see an output like: Auto-Backup-2026-06-01_02:00. To restore files from this specific archive, navigate to the directory where you want to extract the files (e.g., a temporary recovery folder), and run:

mkdir /tmp/recovery && cd /tmp/recovery
borg extract /backup/borg-repo::"Auto-Backup-2026-06-01_02:00"
                            

Borg will ask for your passphrase and then extract the exact folder structure (/var/www/html and /etc) into your current directory.

Conclusion: Off-Site Backups are the Ultimate Safety Net

While backing up data to a local drive on your server protects against accidental file deletion, it will not save you if the entire server suffers a catastrophic hardware failure or a complete data centre outage.

The golden rule of disaster recovery is the 3-2-1 backup strategy—and that requires off-site storage.

By provisioning a secondary eServers Bare Metal Dedicated Server, you can securely push your Borg backups over SSH to an entirely different UK data centre. Thanks to eServers' unmetered 10Gbps networking, your encrypted off-site backups will transfer instantly without incurring any hidden cloud egress fees.