Server Management
How to Set Up Encrypted Automated Backups
A backup is only real once you have restored from it. This guide builds practical automated backups with tar and cron, encrypts every archive with age so an attacker who steals the files learns nothing, ships a copy off-server, and tests restores. Aim for the 3-2-1 rule: three copies, on two types of media, with one copy off-site.
Install the Tools
Install rsync for efficient copies and age for modern, simple encryption.
sudo apt update
sudo apt install -y rsync age   # age = small, modern file-encryption tool
Generate an Encryption Key and Lock It Down
Create an age key pair. The private key must be readable only by root. Store a copy of the private key somewhere safe and OFF the server, or you will never decrypt your backups.
sudo mkdir -p /etc/backup
sudo age-keygen -o /etc/backup/age.key   # prints the PUBLIC key (starts with age1...) to the terminal
sudo chmod 600 /etc/backup/age.key       # private key readable only by root
sudo chmod 700 /etc/backup
# Copy the printed public key; you encrypt TO it. Keep the private key backed up off-server.
Write the Backup Script
The script tars your data, encrypts it to your public key, and prunes archives older than seven days. Replace the public key with the one printed above.
sudo nano /usr/local/bin/backup.sh
# Paste:
#!/bin/bash
set -euo pipefail   # fail fast on any error

BACKUP_DIR="/backup"
SOURCE_DIR="/var/www"
PUBKEY="age1exampleyourpublickeyhere"   # your age PUBLIC key
DATE=$(date +%Y-%m-%d)

mkdir -p "$BACKUP_DIR"

# tar the source, then encrypt the stream so the archive at rest is unreadable without the private key
tar -czf - "$SOURCE_DIR" | age -r "$PUBKEY" -o "$BACKUP_DIR/backup-$DATE.tar.gz.age"

# Keep only the last 7 days of encrypted archives
find "$BACKUP_DIR" -name 'backup-*.tar.gz.age' -mtime +7 -delete
Restrict Permissions and Make It Executable
Backups often contain secrets, so keep the directory and script tight.
sudo chmod 700 /usr/local/bin/backup.sh      # only root can run/read the script
sudo mkdir -p /backup && sudo chmod 700 /backup   # only root can read the archives
Copy Backups Off-Server
A backup on the same machine dies with the machine. Push the encrypted archive over SSH to a remote host (an object store works the same way with its own upload tool). Because the archive is already encrypted, the destination never sees your plaintext.
# Append to backup.sh, after the tar|age line:
# rsync over SSH to an off-site host (key-based auth, no password)
# Note: --delete mirrors local pruning, so the off-site copy holds only the same 7-day window as the server
rsync -avz --delete "$BACKUP_DIR/" backupuser@offsite-host:/srv/backups/$(hostname)/
Schedule with Cron
Run the backup nightly at 2 AM.
sudo crontab -e
# Add:
0 2 * * * /usr/local/bin/backup.sh
Test a Real Restore (Do This Regularly)
Decrypt an archive with your private key and extract it to a scratch directory. If this fails, your backups are worthless, so schedule this test monthly.
# Decrypt, then list the contents to confirm the backup is intact and your key works
sudo age -d -i /etc/backup/age.key /backup/backup-2026-06-07.tar.gz.age | tar -tzf - | head
# To fully restore, extract instead of listing:
... | tar -xzf - -C /tmp/restore-test
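The restore test above can be turned into a self-contained check that runs the same tar|age pipeline on constructed sample data with a throwaway key, restores it, and diffs the result, and that shows how the 7-day `find -mtime +7` pruning actually behaves. This is an added example, not part of the original guide or the age project; it assumes GNU tar, find and coreutils plus age on PATH, and every path and file it uses is created inline.

```bash
#!/bin/bash
# Added example: round-trip restore verification and retention check for the backup.sh pipeline.
# Assumes GNU tar/find/coreutils and age on PATH; all sample data is constructed inline.
set -euo pipefail

# Same pipeline as backup.sh: tar SRC_DIR and encrypt the stream to PUBKEY.
make_backup() {  # make_backup SRC_DIR PUBKEY OUT_FILE
    tar -czf - "$1" | age -r "$2" -o "$3"
}

# Decrypt ARCHIVE with KEYFILE, extract under RESTORE_DIR and diff it against SRC_DIR.
# tar strips the leading "/" from absolute paths, so /var/www lands at RESTORE_DIR/var/www.
# Prints "ok" only when the restored tree is identical to the source.
restore_and_compare() {  # restore_and_compare ARCHIVE KEYFILE SRC_DIR RESTORE_DIR
    mkdir -p "$4"
    age -d -i "$2" "$1" | tar -xzf - -C "$4"
    diff -r "$3" "$4/${3#/}" >/dev/null && echo ok
}

# Retention as in backup.sh: delete archives older than DAYS, then list the survivors.
# GNU find truncates file age to whole days, so -mtime +7 removes files 8 or more days old.
prune_backups() {  # prune_backups DIR DAYS
    find "$1" -name 'backup-*.tar.gz.age' -mtime +"$2" -delete
    find "$1" -name 'backup-*.tar.gz.age' -printf '%f\n' | sort
}

# Full round trip on constructed data with a throwaway key pair; prints "ok" on success.
self_check() {
    local work pub
    work=$(mktemp -d)
    mkdir -p "$work/src/site"
    printf '<h1>hello</h1>\n' > "$work/src/site/index.html"   # constructed sample site
    head -c 4096 /dev/urandom > "$work/src/site/upload.bin"
    age-keygen -o "$work/age.key" 2>/dev/null                   # throwaway key, never reuse it
    pub=$(age-keygen -y "$work/age.key")                        # derive the public key from it
    make_backup "$work/src/site" "$pub" "$work/backup-test.tar.gz.age"
    restore_and_compare "$work/backup-test.tar.gz.age" "$work/age.key" \
        "$work/src/site" "$work/restore"
    rm -rf "$work"
}

if command -v age >/dev/null 2>&1; then
    self_check
else
    echo "age not installed; skipping round-trip check" >&2
fi
```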
You now have nightly tar backups that are encrypted with age before they ever touch disk, copied off-server, and locked to root-only permissions. Keep the age private key safe and off the server, follow the 3-2-1 rule, and test a restore on a schedule, because an untested backup is only a hope.