this post was submitted on 25 Feb 2025
58 points (95.3% liked)


How would or do you back up your home server? I don't have enough physical storage (for now) at home to store some backups, so I want to upload it to the cloud. Of course I want the backup to be encrypted, but I don't want to enter the password every time my server does a backup. I am currently using borg on my PC and do it manually. How do I create an encrypted backup without entering the key manually? Do I hardcode it somewhere? Don't really like that. I am also fine with trying other backup software.

top 29 comments
[–] [email protected] 7 points 2 days ago (1 children)

In terms of pricing, I find Hetzner is best for under 1TB, Backblaze for over 1TB. Both have great documentation for setting up any number of backup methods (SFTP, SSH, Rsync, Rclone, Borg, etc).

Rsync, Rclone, and Borg are all good options and some may be built into your choice of OS if you use a dedicated NAS system. Choose whatever is easiest for you.

The backups are gonna be encrypted in transit regardless of method, and I'm pretty sure most backup providers encrypt data on their servers so you don't have to manage that I don't think.

When you commit to backups, IMO you should do them daily. Most backup clients have "sync" options which will ignore unchanged files and only upload changes, so a daily backup is not only more up-to-date but also more efficient once the first backup completes.

[–] [email protected] 10 points 2 days ago (1 children)

> most backup providers encrypt data on their servers so you don't have to manage that I don't think.

That's something you should manage yourself, so the provider isn't the one with the keys, by encrypting the backup locally before sending it. Most solutions you mention let you do that.

[–] [email protected] 3 points 2 days ago

Good point!

[–] [email protected] 17 points 2 days ago

Borg or the like with 'hardcoded' plaintext/regularly full-disk-encrypted key is acceptable. Someone that has your unencrypted private key sitting on your server has almost certainly already obtained access to the entire set of data you're backing up, with the backup key itself only meaningfully guarding access to older backups.

The more important thing is to securely keep extra copies in case the server fails. I keep mine in a group in my password manager, one per repo.

[–] [email protected] 3 points 2 days ago

I use backblaze b2 and https://github.com/garethgeorge/backrest

Backrest is by far the best restic manager I've found, easy webUI, with built in support for healthchecks.

[–] [email protected] 6 points 2 days ago* (last edited 2 days ago)

I use Borgbackup, with borgmatic to configure and periodically run it. I have two storage VPSes "in the cloud", and back up to both of them. My main storage VPS is a HostHatch one with 10TB space for $10/month. I got it during Black Friday sales in 2021.

If you do back up to multiple destinations, Borgbackup's devs recommend configuring two separate backups, rather than doing a backup to one server then syncing it to the second one. This is to handle the case where one of the backups becomes corrupted.

Hetzner have decent deals on their "storage boxes". You don't get root access, but they support Borgbackup, restic and rclone in addition to the regular protocols (SFTP, FTPS, WebDAV, SMB).

Make sure you configure the SSH key to only allow it to run borgbackup in "append only" mode, so that malware/ransomware on the client system can't delete the backups. This is a common issue with other backup solutions like rsync - the client has full access to the server, so a malicious user/code could delete the whole backup.
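An added example (not from the commenter or the Borg project) of the restriction described in the comment above: `borg_key_entry` builds an `authorized_keys` line that forces `borg serve --append-only` for one client key, and `audit_authorized_keys` flags keys on the backup server that lack it. The repository paths and key strings are constructed placeholders.

```shell
#!/bin/sh
# Build the server-side authorized_keys entry for one backup client.
# $1 = repository path on the server (assumed), $2 = the client's public key line.
borg_key_entry() {
    printf 'command="borg serve --append-only --restrict-to-path %s",restrict %s\n' "$1" "$2"
}

# Audit an authorized_keys file ($1). Prints one line per key that is not
# pinned to append-only borg; returns non-zero if any such key exists.
# The check expects the OpenSSH "restrict" keyword, not the older no-* options.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            why = ""
            if ($0 !~ /command="borg serve [^"]*--append-only/)
                why = "no forced append-only borg serve"
            else if ($0 !~ /--restrict-to-(path|repository) /)
                why = "repository path not pinned"
            else if ($0 !~ /^restrict[ ,]/ && $0 !~ /,restrict[ ,]/)
                why = "missing restrict option (pty/forwarding still allowed)"
            if (why != "") { printf "line %d: %s\n", NR, why; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample file: one good entry and three weak ones.
sample_keys() {
    cat <<'EOF'
# constructed sample authorized_keys
command="borg serve --append-only --restrict-to-path /srv/borg/host1",restrict ssh-ed25519 AAAAconstructedkey1 host1
ssh-ed25519 AAAAconstructedkey2 host2
command="borg serve --restrict-to-path /srv/borg/host3",restrict ssh-ed25519 AAAAconstructedkey3 host3
command="borg serve --append-only --restrict-to-path /srv/borg/host4" ssh-ed25519 AAAAconstructedkey4 host4
EOF
}
```

In Borg 1.x, append-only mode records a client's prune or delete as a pending transaction instead of rejecting it, and those deletions become permanent once the repository is later written to or compacted without append-only. Check the archive list from a trusted machine before doing that.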

[–] [email protected] 8 points 2 days ago (1 children)

You have basically two options.

  1. Symmetric Encryption. That means you use the same password/key for writing the backup and for reading the backup. Here you have to write the password somewhere; depending on the OS there are options like keychains or similar that can hold the password so that the password is only available once you are logged in or have unlocked the keychain.

  2. Asymmetric Encryption. That means you have different passwords/keys to read and write the backup. PGP is an example here. Here you can simply use one key to write the backup; this key can become public and you do not have to worry about your backup, since it will only be readable with the second key.

I personally use Restic with a password that is only readable by the system root user stored on the filesystem. Since I use Full Disk Encryption I do not have to worry too much about when the secret is available in clear text at runtime.

[–] [email protected] 4 points 2 days ago

+1 for restic. I have additionally started using autorestic with it and have been happy how it operates.

[–] [email protected] 4 points 2 days ago

I run proxmox, and proxmox backup server in a vm. PBS backup is encrypted locally, and I upload the backup to backblaze b2 using rclone in a cron job. I store the decryption key elsewhere.

It has worked ok for me. I also upload a heartbeat file, it is just an empty file with today's date (touch heartbeat), so that I can easily check when the last upload happened.

[–] [email protected] 5 points 2 days ago (1 children)

How many TB? It may be cheaper even within a year to just purchase another hard drive.

[–] [email protected] 1 points 2 days ago (1 children)

An extra hard drive doesn't save you from something like your house burning down. Off-site backups are important!

[–] [email protected] 1 points 2 days ago

Send it to your parents and work is what I do :)

[–] [email protected] 3 points 2 days ago

Restic to BackBlaze. B2 support is built in to restic, so all you need is an account and credentials.

Most of my home data - servers, PCs - I back up to HD and B2. I have a few VPS I only back up to B2.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

I have a storagebox at hetzner. My script does:

  • Mount the storagebox over sshfs with public key file
  • Mount a gocryptfs folder, with supplied key on local file
  • Rsync my stuff to the encrypted folder
  • Unmounts in reverse order

I can access the storagebox by password, too. So this is my disaster recovery in case my house burns down with all my devices. I'll just buy another laptop the next day, and me and the Mrs can admire all my code and our wedding videos within a few hours.

[–] [email protected] 3 points 2 days ago (2 children)

I use Kopia to backup to Backblaze B2. I also use the Kopia UI since I can't be bothered to figure out the cli for it. I have it running constantly in the background so it automatically takes care of everything.

[–] [email protected] 3 points 2 days ago

This. 100% me. I have been using Kopia+BB and I am happily surprised.

[–] [email protected] 1 points 2 days ago

Kopia doesn't get enough love, it's awesome

[–] [email protected] 2 points 2 days ago

For servers autorestic just worked. It's a wrapper for restic. I sent data to Backblaze B2 and StorJ. Now that I have a couple proxmox hosts in a colo, I have an off-site PBS running in ZFS.rent.

First VMs back up to local PBS, then nightly that's synced to ZFS.rent. I have PVE set to do encrypted backups to PBS so it's all encrypted.

[–] [email protected] 1 points 2 days ago

I use a cryptomator mount and sync that to whichever cloud I want, but the un/mounting is manual.
If you need full disk encryption look at ZFS and snapshots.
Do you need to back up everything on the disk?

[–] [email protected] 2 points 2 days ago (1 children)

It'll cost you more storing it in cloud than just buying more drives. If you're already in a spot where that's a problem, this is not a solution for you.

[–] [email protected] 3 points 2 days ago (2 children)

Yes, but I use the cloud for other purposes too and have enough storage for a backup, also even if I were to buy another drive, I would like to store one copy offsite without having to buy two drives

[–] [email protected] 2 points 2 days ago (1 children)

I'd calculate your total cost then, and figure out ingress and egress costs depending on the provider. Cloudflare with R2 is the only "cloud" storage service I'm aware of that doesn't charge for either right now. They may in the future so check out your costs.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

> is the only "cloud" storage service I'm aware of that doesn't charge for either right now

Hetzner doesn't either for their storage boxes. They support Borgbackup, restic, rclone, SFTP, FTPS, WebDAV and SMB.

Most storage VPSes will include a decent amount of traffic per month.

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago)

If you want I can hit you up with a couple TB S3 compatible block storage against a small compensation covering electricity. I've got about 30TB available of my 64TB that are just doing nothing right now, it's a shame really. I'm running a TrueNAS homelab in a RaidZ2 with battery backup and proper Firewall and IDS/IPS protection (but I'm not a professional). If that's fine DM me.

[–] [email protected] 1 points 2 days ago

Check Borg documentation. Somewhere there there’s a way to pass the password as an environmental variable.
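An added example (not from any commenter) of the unattended setup discussed in this thread: the passphrase lives in a root-only file, Borg fetches it through its `BORG_PASSCOMMAND` environment variable, and the wrapper refuses to run if the file's ownership or permissions have drifted. `PASSFILE`, `REPO` and the function names are assumed placeholders.

```shell
#!/bin/sh
# Assumed placeholder values; override from the environment or edit here.
PASSFILE=${PASSFILE:-/root/.borg-passphrase}
REPO=${REPO:-ssh://backup@backup.example.invalid/./repo}

# Succeed only if $1 is a regular file (not a symlink), owned by uid $2
# (default 0 = root), with no permission bits set for group or others.
secret_file_ok() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, ...
    read -r mode links uid rest <<EOF
$(ls -ldn -- "$f")
EOF
    case $mode in
        -r??------*) ;;          # e.g. -rw------- or -r--------
        *) return 1 ;;
    esac
    [ "$uid" = "$want_uid" ]
}

# Back up the paths given as arguments. Borg runs BORG_PASSCOMMAND itself,
# so the passphrase never appears in the crontab, this script or its arguments.
run_backup() {
    if ! secret_file_ok "$PASSFILE"; then
        echo "refusing to run: $PASSFILE must be a root-owned file, mode 0600" >&2
        return 1
    fi
    BORG_PASSCOMMAND="cat $PASSFILE" \
        borg create --stats "$REPO::{hostname}-{now}" "$@"
}
```

Call it from root's crontab, for example as `run_backup /etc /srv`. restic supports the same pattern through `RESTIC_PASSWORD_FILE`.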

[–] [email protected] 1 points 2 days ago

GoodSync can encrypt files during upload

[–] [email protected] 0 points 2 days ago* (last edited 2 days ago) (2 children)

Duplicati has many cloud providers as destinations. Encryption. Basic backup tool functionality. I use a OneDrive family plan, which has a total of 6 TB, for my backups. Another solid option is rclone; it does the same and even more, but is more focused on sync than backup. Also many cloud providers supported. Both are FOSS.

[–] [email protected] 4 points 2 days ago

I had constant problems with duplicati and switched to kopia with backblaze and it has been problem free, so I would tread very carefully with it. The database would work for a while and then get into a state that required a reset and would not have permitted a successful backup to be restored.

[–] [email protected] 1 points 2 days ago

Backrest (restic) is what I use after constant duplicati problems. Kopia is also a good option.

Duplicati is ok with tiny backup sets, but give it multiple TB of data and it chokes and constantly has errors requiring expensive rebuilds.