Raspberry Pi as Offsite Backup

Use Case

You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home.


You configure your raspberry pi to be reachable from the internet using DynDNS. In the following we assume that it is reachable at offsite.example.com.

Preparing your backup raspberry pi

We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another.

Create an additional user

and change to that user afterwards. You can change service1 to the name of the service that this user should backup.

sudo useradd service1_backup
sudo su service1_backup
cd ~

Create an SSH key for the user

This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated)

$ ssh-keygen -t ed25519

Create your backup directory

mkdir backup && cd backup

If you want to use an external drive you can mount it to this users home directory.

Initialzie the borg repository

borg init --encryption=repokey ./

Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup!

Make sure the user can only access the backup directory

Put the following in ~/.ssh/authorized_keys and make sure everything is in one line. The last values are simply your public key that can be found in ~/.ssh/id_ed25519.pub

command="borg serve --restrict-to-repository /home/<user>/backup",restrict <key type> <key> <key host>

Done with the raspberry pi

Configure your server

In this guide we will use borgmatic to configure and automatically run the backup in the server.

Install borgmatic

sudo pip3 install --user --upgrade borgmatic

Configure borgmatic

The following is a small configuration example. Place it in /etc/borgmatic.d/servic1.yaml. If you need more options check out the full configuration file reference

        - /home/service1/static
        - ssh://service1_backup@offsite1.example.com/./backup
    encryption_passphrase: "ThePassphraseouUsedOnYourRaspi"
    ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key
    # Number of daily archives to keep.
    keep_daily: 7
    # List of one or more shell commands or scripts to execute
    # before creating a backup, run once per configuration file.
        - echo "Starting a backup."
   # List of one or more shell commands or scripts to execute
    # after creating a backup, run once per configuration file.
        - echo "Finished a backup."
        - echo "Completed actions."

        - name: service1
    # mysql_databases:
          # - name: users

Place the private SSH key

The server will need the private SSH key so connect to your raspberry pi

On the raspberry pi use

cat ~/.ssh/id_ed25519

to get the private key and place it on your server in the file /etc/borgmatic.d/service1_backup_key. As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use

chown 600 service1_backup_key

Check if the backup works

Create your backup with

sudo borgmatic create --verbosity 1 --list --stats

Now check out the borgmatic configuration on how to properly set up automated backups


Congrats, you should now have a fully functioning backup configuration!

Student of Medical Informatics, Developer, He/Him