Encrypted Backup Approach


I was wondering what kind of approaches you guys have to encrypted backups. I have a VeraCrypt container that is large and I currently back up the contents into another encrypted container. This is mostly because I fear having to transfer a 500GB+ file over the network every time I perform a backup.



I have several different ones but the simplest is to use borg to take an encrypted backup. It is automatically deduplicated and space efficient.

I currently use borg to back up to my local NAS but my backup process is a bit crazy.

  • Decrypt Origin Disk
  • Use borg for encrypted backup

Most of this is because I fear having to move a huge container file around all the time.



Do you back up with Borg the entire container file?

Do you need the target container for something in this scenario? Can’t you just open the source container and take an encrypted backup of the contents? Borg deduplicates so it shouldn’t only back up changed data to the target backup.

In my scenario, there is no container to begin with.

I guess you are right. I could decrypt my regular drive and back up from there. However, is there no way to back up, without just copying the container, the encrypted container itself? (not having to decrypt the container in the first place)


Sure, you could back up the container file itself with borg. Borg deduplicates at the chunk level. Depending on how VeraCrypt writes data you might end up with huge backups though.

I really think you should look at your data backup and security more holistically and determine if there is a way to avoid having a VeraCrypt container altogether, i.e., would FDE be sufficient for your risk profile? If not, should the source data be encrypted instead of using an encrypted container, etc., etc.
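
How much a chunk-level deduplicating backup of the container file grows depends on how far a small plaintext change spreads through the ciphertext. The sketch below is an added example, not code from any post in this thread; the two toy ciphers, the fixed 4096-byte chunking and the sample data are assumptions made for illustration and are not VeraCrypt's or Borg's actual algorithms.

```python
import hashlib
import hmac

SECTOR = 512   # bytes encrypted as one unit (assumed size)
CHUNK = 4096   # fixed dedup chunk size (simplification of Borg's chunker)

def keystream(key, tweak, n):
    """Derive n pseudo-random bytes from key and tweak (toy construction)."""
    blocks = (hmac.new(key, tweak + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_sectorwise(key, plain):
    """Sector i's ciphertext depends only on key, i and that sector's plaintext."""
    return b"".join(
        xor(plain[o:o + SECTOR], keystream(key, (o // SECTOR).to_bytes(8, "big"), SECTOR))
        for o in range(0, len(plain), SECTOR))

def encrypt_chained(key, plain):
    """Each sector's keystream depends on the previous ciphertext sector."""
    out, prev = [], b"\x00" * 32
    for o in range(0, len(plain), SECTOR):
        ct = xor(plain[o:o + SECTOR], keystream(key, prev, SECTOR))
        prev = hashlib.sha256(ct).digest()
        out.append(ct)
    return b"".join(out)

def chunk_ids(data):
    """Set of SHA-256 ids of the fixed-size chunks a dedup store would keep."""
    return {hashlib.sha256(data[o:o + CHUNK]).digest() for o in range(0, len(data), CHUNK)}

def new_chunks(encrypt, key, before, after):
    """Chunks the second backup must store that the first did not contain."""
    return len(chunk_ids(encrypt(key, after)) - chunk_ids(encrypt(key, before)))

# Constructed sample: a 256 KiB "container" plaintext with a 100-byte edit.
KEY = b"constructed-demo-key"
BEFORE = keystream(b"sample-data", b"", 256 * 1024)
AFTER = BEFORE[:100_000] + bytes(100) + BEFORE[100_100:]

if __name__ == "__main__":
    for mode in (encrypt_sectorwise, encrypt_chained):
        print(mode.__name__, new_chunks(mode, KEY, BEFORE, AFTER), "of", len(BEFORE) // CHUNK)
```

With the constructed sample, the sector-wise layout needs 1 new chunk out of 64, while the chained layout needs 40 because every sector after the edit changes.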