Ho we set up a Borg backup client and server

For example we have a backup server named backup-server.net and a client server named myserver (which is not a domain name, just an account name on the backup server).

On the client:

$ sudo apt install borgbackup
$ sudo ssh-keygen -t rsa

When asked for a passphrase, leave it empty because this key will be used by a cron job. The key will be saved to /root/.ssh/id_rsa.

On the server, install borgbackup, create user myserver:

$ sudo apt install borgbackup
$ sudo adduser --disabled-password myserver
$ sudo su - myserver
$ mkdir backups
$ mkdir .ssh && chmod 700 .ssh
$ touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
$ cat >> .ssh/authorized_keys

Paste the client’s public key to the terminal. Press ENTER to add at least one newline. Press Ctrl+D to say you’re finished with pasting content.

Back on the client:

Create a file /usr/local/bin/backup2borg.sh with this content:

set -e  # exit on error

# Inspired from https://borgbackup.readthedocs.io/en/stable/quickstart.html#automating-backups

export BORG_REPO=myserver@backup-server.net:/home/myserver/backups
export BORG_PASSPHRASE=`cat /root/backup2borg_passwd`

echo "Stop supervisor and make snapshots"
service supervisor stop

echo "Start backup"
borg create                         \
    --filter AME                    \
    --compression lz4               \
    --exclude-caches                \
    --exclude '/home/*/.cache/*'    \
    --exclude '/var/cache/*'        \
    --exclude '/var/tmp/*'          \
    --exclude '/var/backups/*'      \
    ::'{hostname}-{now}'            \
    /etc                            \
    /home                           \
    /root                           \
    /usr/local                      \
    /var                            \

echo "Restart supervisor"
service supervisor start

echo "Remove old backups"
borg prune                          \
    --prefix '{hostname}-'          \
    --keep-daily    7               \
    --keep-weekly   4               \
    --keep-monthly  6               \

Write your Borg passphrase into a file named /root/backup2borg_passwd and make the file readable only by root:

$ sudo nano /root/backup2borg_passwd
$ sudo chmod go-r /root/backup2borg_passwd

Create the Borg repository:

$ sudo su
# export BORG_REPO=myserver@backup-server.net:/home/myserver/backups
# export BORG_PASSPHRASE=`cat /root/backup2borg_passwd`
# borg init --encryption=repokey-blake2

Hit Ctrl+D to terminate the sudo session and to remove the environment variables. Make a manual backup to see whether it works:

$ sudo /usr/local/bin/backup2borg.sh

Check whether your backup worked:

$ sudo borg mount myserver@backup-server.net:/home/myserver/backups ~/myserver

This should ask you interactively for your passphrase (the one you stored in your /root/backup2borg_passwd).

To make it run automatically every day, create a file /etc/cron.daily/backup2borg with this content:

/usr/local/bin/backup2borg.sh > /dev/null

Restoring a backup to another machine

Now imagine that your original server, myserver no longer exists. The ssh key is gone, nobody will every log in as myserver to your backup server. Of course you can login as root, and you know the passphrase.

$ sudo su # borg mount root@backup-server.net:/home/myserver/backups ~/myserver


The first time ssh will ask you to confirm that IP address and server name are correct:

The authenticity of host 'backup-server.net (backup-server.net)' can't be established.
ECDSA key fingerprint is SHA256:/xxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'backup-server.net' (ECDSA) to the list of known hosts.

You can also log in manually:

$ sudo ssh myserver@backup-server.net