Backing up your data is basic digital hygiene. But where most backup guides stop, a privacy-conscious approach begins: your backup provider should never see your unencrypted data. In 2026, the best encrypted backup solutions use client-side encryption — your files are encrypted on your machine before any data leaves it, and only you hold the key. Here’s a breakdown of the top options and how to set them up.
The 3-2-1 Rule with Encryption
The classic 3-2-1 backup strategy — 3 copies, 2 different media, 1 offsite — remains the foundation. Add encryption to every copy:
- Local backup: Encrypted external drive (VeraCrypt container or BitLocker)
- NAS/home server: Encrypted with Restic or Borgbackup
- Cloud backup: Client-side encrypted with Restic, Duplicati, or Cryptomator + cloud storage
Never upload unencrypted files to any cloud provider, regardless of their privacy claims. You want encryption you control — not encryption the provider can reverse.
Restic
Restic is the gold standard for command-line encrypted backup. It uses AES-256-CTR encryption with Poly1305-AES authentication, content-addressed storage (deduplication), and supports dozens of storage backends including local drives, SFTP, S3, Backblaze B2, and Rclone (which adds support for virtually everything else).
Install and Initialize
```bash
# Install
brew install restic        # macOS
sudo apt install restic    # Debian/Ubuntu

# Initialize a new repository (local)
restic init --repo /mnt/backup/myrepo

# Initialize on Backblaze B2
# (restic reads the B2 credentials from B2_ACCOUNT_ID and B2_ACCOUNT_KEY)
restic -r b2:mybucket:restic init
```
You’ll be prompted to set a repository password — this is the key that encrypts everything. Store it in your password manager.
Running Backups
```bash
restic -r /mnt/backup/myrepo backup ~/Documents ~/Projects \
  --exclude="*.tmp" \
  --exclude="node_modules"
```
Schedule this with cron or systemd timers for automated daily backups.
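A cron or timer job cannot type the repository password, so an unattended run has to read it from a file. The wrapper below is an added example, not taken from restic's documentation: it refuses to run when that file is accessible to other users, then runs the backup command shown above. The password-file location and the function names `secret_file_ok` and `run_backup` are assumptions.

```shell
#!/bin/sh
# Unattended restic run for cron or a systemd timer (added example).
# Assumed, not from the article: the password file location below.
REPO=${RESTIC_REPOSITORY:-/mnt/backup/myrepo}
PASSFILE=${RESTIC_PASSWORD_FILE:-$HOME/.config/restic/password}

# Succeed only if $1 is a regular file (not a symlink) that the owner can
# read and that has no execute, group or other permission bits set.
secret_file_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1")" in
    -r[w-]-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# run_backup DIR...: back up the given directories with the article's excludes.
run_backup() {
  if ! secret_file_ok "$PASSFILE"; then
    echo "refusing to run: $PASSFILE is missing or accessible to other users" >&2
    return 2
  fi
  status=0
  restic -r "$REPO" --password-file "$PASSFILE" backup "$@" \
    --exclude="*.tmp" --exclude="node_modules" || status=$?
  # restic exits 3 when the snapshot was saved but some source files were unreadable.
  [ "$status" -eq 3 ] && echo "warning: snapshot is incomplete" >&2
  return "$status"
}

# Called with directories, e.g. from cron: backup.sh "$HOME/Documents" "$HOME/Projects"
if [ "$#" -ge 1 ]; then run_backup "$@"; fi
```

Have the scheduler alert on any non-zero exit status; a backup job that fails silently is the usual way an offsite copy goes stale.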
Restoring Files
```bash
# List snapshots
restic -r /mnt/backup/myrepo snapshots

# Restore latest snapshot
restic -r /mnt/backup/myrepo restore latest --target /tmp/restore
```
Why Restic is excellent: Fast incremental backups via chunked deduplication, excellent documentation, actively maintained, no vendor lock-in. The only downside is the command-line interface — there’s no native GUI.
Borgbackup + Borgmatic
Borgbackup (Borg) offers similar encryption to Restic (AES-256 + HMAC-SHA256) with the addition of compression (lz4, zstd, zlib choices) and an arguably better deduplication algorithm for many workloads.
Borgmatic is a YAML-configured wrapper around Borg that makes scheduling and management far simpler:
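```yaml
# /etc/borgmatic/config.yaml
# This file holds the repository passphrase: keep it root-owned with mode 0600,
# or replace encryption_passphrase with encryption_passcommand to fetch it
# from a secret store.
# borgmatic 1.8 and later accept the same options without the section headers.
location:
    source_directories:
        - /home/user
        - /etc
    repositories:
        - path: /mnt/backup/borg-repo
          label: local
        - path: user@remote-server:/backups/borg-repo
          label: remote

storage:
    encryption_passphrase: "your-strong-passphrase"
    compression: auto,zstd

retention:
    keep_daily: 7
    keep_weekly: 4
    keep_monthly: 6

consistency:
    checks:
        - name: repository
        - name: archives
```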
Run manually or via cron:
```bash
borgmatic --verbosity 1
```
Borgmatic handles creation, pruning, and integrity checks automatically. Borg + Borgmatic is the preferred choice for self-hosted NAS backups (TrueNAS, Synology) and Linux servers.
Duplicati
Duplicati is the best option for users who want a GUI and cloud storage support without the command line. It’s open source, runs on Windows/macOS/Linux, and backs up directly to:
- Google Drive, OneDrive, Dropbox
- Amazon S3, Backblaze B2, Wasabi
- WebDAV, FTP, SFTP
- Azure Blob Storage
All backups are AES-256 encrypted client-side before upload. Duplicati also supports chunked incremental backups and deduplication.
Setup
Download from duplicati.com. After installation, access the web UI at http://localhost:8200. The setup wizard walks you through:
- Choose destination (e.g., Backblaze B2 — input your Account ID and Application Key)
- Set an encryption passphrase
- Select source folders
- Configure schedule
- Set retention policy
Caveats: Duplicati has historically had some backup database corruption issues. Always verify backups by running a test restore periodically. The Duplicati 2.1 branch (in development as of 2026) addresses many reliability issues.
Cryptomator + Cloud Storage
If you prefer to use your existing cloud storage (iCloud Drive, Google Drive, Dropbox) without trusting the provider, Cryptomator creates an encrypted vault on top of any synced folder:
- Download Cryptomator from cryptomator.org
- Create a new vault inside your cloud sync folder (e.g., ~/Dropbox/SecureVault)
- Set a strong passphrase
- Mount the vault — it appears as a drive letter or mount point
- Drag files into the mounted vault; they’re encrypted before syncing
Cryptomator uses AES-256-GCM per-file encryption. Each file is individually encrypted, so changes to one file don’t re-encrypt the entire vault. The file names are also encrypted.
Limitations: Not suited for full system backups — best for specific document folders. Doesn’t support versioning or deduplication beyond what the cloud provider offers natively.
Backblaze B2: The Best Privacy-Friendly Cloud Backend
For cloud storage backends, Backblaze B2 offers the best combination of price ($6/TB/month), API compatibility with Restic/Borg/Duplicati, and a stronger privacy stance than Amazon, Google, or Microsoft. Combined with client-side encryption from any tool above, B2 is the recommended offsite target.
Create a B2 account, create a bucket, generate Application Keys with read/write access to that bucket, and plug the credentials into your backup tool of choice.
Choosing the Right Tool
| Tool | Best For | GUI | OS | Cloud |
|---|---|---|---|---|
| Restic | Power users, scripts | No (use Resticprofile) | All | Yes |
| Borg + Borgmatic | Linux servers, NAS | No | Linux/macOS | Via SFTP/SSH |
| Duplicati | Windows users, GUI | Yes | All | Yes |
| Cryptomator | Cloud vault layer | Yes | All | Any synced folder |
For a complete encrypted backup strategy in 2026: use Restic to back up to Backblaze B2 (offsite) and a local external drive (local), schedule it with a cron job or Task Scheduler, and verify your restore process every few months. Your data is only as good as your last tested restore.
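One way to run the periodic restore test with Restic, as an added example rather than code from the restic project: it checks the repository, restores the latest snapshot into a scratch directory, and compares SHA-256 manifests of the restored tree and the live source. It assumes `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE` are exported, that `sha256sum` is installed, and that the source was backed up by absolute path; the function names are made up for the example.

```shell
#!/bin/sh
# Restore drill (added example): restore the latest snapshot to a scratch
# directory and compare file hashes with the live source.

# Print "<sha256>  ./relative/path" for every regular file under $1, sorted by path.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Return 0 when both trees hold the same files with the same contents,
# 1 when they differ (differing manifest lines go to stderr), 2 on error.
compare_trees() {
  work=$(mktemp -d) || return 2
  rc=0
  if manifest "$1" > "$work/source" && manifest "$2" > "$work/restored"; then
    diff "$work/source" "$work/restored" >&2 || rc=1
  else
    rc=2
  fi
  rm -rf "$work"
  return "$rc"
}

# restore_drill /abs/path: verify the repository, restore that path from the
# latest snapshot and compare it with the source. Files changed since the
# snapshot are reported as differences, so run this right after a backup.
restore_drill() {
  target=$(mktemp -d) || return 2
  status=0
  { restic check &&
    restic restore latest --target "$target" --include "$1" &&
    compare_trees "$1" "$target$1"; } || status=$?
  rm -rf "$target"
  return "$status"
}

# Called with a source directory: restore-drill.sh /home/user/Documents
if [ "$#" -ge 1 ]; then restore_drill "$1"; fi
```

A non-zero exit means the repository check failed, the restore failed, or the restored files differ from the source; each of those needs investigating before the backup can be trusted.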