
Encrypted Backups to Block Storage with Borg


TL;DR: Back up a VM to a Synteq block storage volume: attach the volume, init an encrypted Borg repo on it, and run `borg create` from cron. Borg handles encryption and dedup so recurring backups stay small, and the detachable volume lets you restore on any other box.


Backups belong on a separate volume, not the instance's own disk. A block storage volume is cheap per TB and detaches when you need the data somewhere else. This guide sets up Borg on a block storage volume, and schedules backups with cron.


Prerequisites


A VM with data to back up, a Synteq block storage volume created and attached, and Borg installed:

Debian / Ubuntu

```
sudo apt install borgbackup
```

Rocky / AlmaLinux

```
sudo dnf install borgbackup
```


Step 1: Attach the volume and find its device name


Create and attach a block storage volume in the dashboard. Find the device name with `lsblk`. The rest of this guide uses `/dev/vdb`; swap in whatever yours is.


Step 2: Format and mount the volume


Format the volume and mount it:


```
sudo mkfs.ext4 /dev/vdb
sudo mkdir -p /mnt/backup
sudo mount /dev/vdb /mnt/backup
```


Add it to `/etc/fstab` by UUID to survive reboots. Get the UUID with `sudo blkid /dev/vdb`, then add a line:


```
UUID=your-volume-uuid /mnt/backup ext4 defaults,noatime 0 2
```


Step 3: Initialize the Borg repository


Create the repo with encryption:


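```
sudo borg init --encryption=repokey /mnt/backup/borg-repo
```

The commands in this guide use Borg 1.x syntax, which distro packages may still ship. Borg 2.x renames `borg init` to `borg repo-create` and `borg list` to `borg repo-list`, and takes the repository through `-r` instead of the `repo::archive` form used here.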


Borg prompts for a passphrase. Save it outside the box. Borg can't recover it for you, and neither can Synteq.


Step 4: Create your first backup


```
sudo borg create --stats --compression zstd /mnt/backup/borg-repo::{hostname}-{now} /var/www /etc
```


Back up `/etc` for the configs you'd need to rebuild the box, and your app data (here `/var/www`). `{hostname}-{now}` is a Borg placeholder that names the archive by host and timestamp, which can be useful when you're picking one to restore from. The first backup copies everything; after that, Borg stores only what changed.


Add `--exclude` for caches and anything you don't need:


```
sudo borg create --stats --compression zstd \
    --exclude '/var/www/*/cache/*' \
    /mnt/backup/borg-repo::{hostname}-{now} /var/www /etc
```


Borg caches chunk hashes in `~/.cache/borg`. If that cache is lost, the next backup re-reads every file.


Step 5: Schedule it with cron


Store the passphrase in a root-only file:


```
echo 'your-passphrase' | sudo tee /root/.borg-passphrase
sudo chmod 600 /root/.borg-passphrase
```


Open root's crontab with `sudo crontab -e` and add a nightly backup at 2am:


```
0 2 * * * BORG_PASSCOMMAND='cat /root/.borg-passphrase' borg create --compression zstd /mnt/backup/borg-repo::{hostname}-{now} /var/www /etc >> /var/log/borg-backup.log 2>&1
```


`BORG_PASSCOMMAND` pulls the passphrase from that file at runtime, keeping it out of the cron spool. Run it by hand once before relying on the schedule. Borg expands `{hostname}` and `{now}` itself; there's no `%` to escape.
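A variant of the passphrase step, as an added example that is not part of the original guide: it reads the passphrase from stdin, so it never lands in shell history or on screen, and it creates the file owner-only instead of tightening it after the fact. `store_passphrase` and the `--store` switch are hypothetical names; run it as root.

```shell
#!/bin/sh
# Added example, not part of the original guide. store_passphrase and --store
# are hypothetical names; the default path is the one the guide uses.
store_passphrase() {
    dest="${1:-/root/.borg-passphrase}"
    if [ -t 0 ]; then                  # interactive: prompt with echo off
        printf 'Borg passphrase: ' >&2
        stty -echo
    fi
    IFS= read -r pass || true          # accept a final line without newline
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    [ -n "$pass" ] || { echo "refusing to store an empty passphrase" >&2; return 1; }
    (
        umask 077                      # anything created here is rw for owner only
        tmp=$(mktemp "$dest.XXXXXX") || exit 1
        # Write to a temp file and rename, so a half-written passphrase file
        # is never visible at the final path.
        printf '%s\n' "$pass" > "$tmp" && mv -f "$tmp" "$dest"
    ) || return 1
    unset pass
}

# As root: sh store-passphrase.sh --store
if [ "${1:-}" = "--store" ]; then store_passphrase; fi
```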


Step 6: Keep a retention window


Without pruning, the repo keeps every archive forever. Dedup keeps the growth small, but old archives still pile up. Prune to a retention window, then compact to reclaim the space:


```
sudo borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 /mnt/backup/borg-repo
sudo borg compact /mnt/backup/borg-repo
```


That keeps the last week of dailies, plus four weekly and six monthly.
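Steps 5 and 6 combined into one script that cron can call, as an added example that is not part of the original guide: it refuses to run when the volume is not mounted or the passphrase file is readable by others, and it skips pruning when `borg create` fails. Repository path, sources and retention are the guide's; the function names, the `--run` switch and the script path in the last comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Paths, sources and retention
# are the guide's; the function names and the --run switch are assumptions.
REPO="${REPO:-/mnt/backup/borg-repo}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"
PASSFILE="${PASSFILE:-/root/.borg-passphrase}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Fail closed: if the volume is not mounted, /mnt/backup is only a directory on
# the instance disk; the passphrase file must be private to its owner.
preflight() {
    mountpoint -q "$MOUNTPOINT" || { log "ERROR: $MOUNTPOINT is not mounted"; return 2; }
    [ -r "$PASSFILE" ] || { log "ERROR: cannot read $PASSFILE"; return 2; }
    case "$(stat -c %a "$PASSFILE")" in
        600|400) ;;
        *) log "ERROR: $PASSFILE must be mode 600 or 400"; return 2 ;;
    esac
}

# Borg exits 0 on success, 1 on warning, 2 on error. Keep the worst code seen,
# and never prune after a failed create, so a broken job cannot age out the
# last good archives.
run_backup() {
    worst=0
    export BORG_PASSCOMMAND="cat $PASSFILE"
    rc=0
    borg create --compression zstd "${REPO}::{hostname}-{now}" /var/www /etc || rc=$?
    log "create exit=$rc"
    worst=$rc
    if [ "$rc" -ge 2 ]; then
        log "ERROR: create failed, skipping prune and compact"
        return "$worst"
    fi
    rc=0
    borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 "$REPO" || rc=$?
    log "prune exit=$rc"
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    rc=0
    borg compact "$REPO" || rc=$?
    log "compact exit=$rc"
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    return "$worst"
}

# Cron entry point (hypothetical path):
#   0 2 * * * /usr/local/sbin/borg-nightly.sh --run >> /var/log/borg-backup.log 2>&1
if [ "${1:-}" = "--run" ]; then preflight && run_backup; exit $?; fi
```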


Step 7: Verify integrity


A backup can fail silently. `borg check` verifies the repo's integrity and cryptographic consistency:


```
sudo borg check /mnt/backup/borg-repo
```


Step 8: Restore


List archives and extract the one you want:


```
sudo borg list /mnt/backup/borg-repo
sudo borg extract /mnt/backup/borg-repo::hostname-2025-06-27T02:00:00
```


Or mount the repo as a filesystem and browse it like directories:


```
sudo borg mount /mnt/backup/borg-repo /mnt/borg-restore
ls /mnt/borg-restore
```


Detach the volume and attach it to a different VM to restore there: mount, then `borg extract`. The volume stays on Synteq's internal storage, and reattaching it points the new instance at the same data. Nothing leaves the local network.


Optional: append-only mode


Append-only stops Borg itself from deleting history. Enable it with `borg config /mnt/backup/borg-repo append_only 1`. A root attacker can still `rm -rf` the repo directly, and it blocks pruning; you'd rely on dedup alone for growth. For tamper-resistance against a compromised host, push the repo to a separate host the box can't reach as root.


Why block storage for backups


Block storage is a separate, HDD-based volume: inexpensive per TB for large backups, and isolated from the instance you're backing up. It detaches and reattaches to any other VM; a restore is just attaching the volume there.


FAQ

Is Borg backup encrypted?

Yes. With `--encryption=repokey` the archive data is encrypted and the key is stored in the repo, protected by your passphrase. Keep the passphrase somewhere off the box.


How much disk do recurring backups use?

Far less than the raw data. Borg deduplicates at the chunk level; after the first full backup, later runs store only the changed chunks.


How do I keep the repo from growing forever?

Prune to a retention window with `borg prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6`, then `borg compact` to reclaim the space.

Why not just rsync to the volume?

rsync makes plain copies with no dedup and no encryption. Borg deduplicates, encrypts, and verifies each archive.

How do I restore to a different server?

Detach the volume in the dashboard, attach it to the new VM, mount it, and run `borg extract` or `borg mount`. Nothing leaves the local network.


What does append-only protect against?

It stops the box from deleting its own history through Borg. It doesn't stop a root attacker from destroying the repo files directly, since the repo is on a volume attached to the same box.


---


*Encrypted, deduplicated backups on detachable block storage. Set up Borg on a Synteq volume at synteqhpc.com.*