2026-04-27
I run a personal server at home that stores some data and runs a few services. After reading up on backups, I want to share how I back up my server to a Hetzner Storage Box.
First I created a Hetzner account and booked a Storage Box. In the Hetzner control panel you have to set a new password — click “Create new password” in the “Storage Box Data” tab.
Creating a sub-account
To create a “sub-account” you first have to create a subdirectory, because the account is always tied to a subdirectory and cannot exist without one.
Create the directory like this:
ssh -p 23 uxxxxxx@uxxxxxx.your-storagebox.de mkdir unteraccount
SSH normally runs on port 22, but Hetzner uses port 23.
After entering the password the directory is created. Then you can create the user under the “Sub-Account” tab. The username and password for logging into the sub-account are shown there.
Generating an SSH key
For secure backups you need an SSH key on the machine that performs the backups. Generate it with:
ssh-keygen -f path/to/key -t ED25519
Now the public key has to be transferred to the Storage Box. Normally you would use ssh-copy-id, but a key installed that way is unrestricted: whoever holds it can run arbitrary commands, for example deleting all backups. In the worst case, someone who takes over your server could wipe the backups. To prevent that, logins with this key are restricted to the single command borg serve --append-only. This starts the Borg repository server in append-only mode, in which data can only be appended or marked as deleted, never actually removed. So even if someone takes over your server, they can mark everything as deleted but cannot actually wipe the data.
To restrict the commands, the authorized_keys file has to be created on the Storage Box. Build it locally first:
echo "command=\"borg serve --append-only\" $(cat path/to/key.pub)" > authorized_keys
Then create the matching directory and upload the file:
ssh -p 23 subuser@subuser.your-storagebox.de mkdir .ssh
scp -P 23 authorized_keys subuser@subuser.your-storagebox.de:.ssh/authorized_keys
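As an added example (not part of the original post), the following bash functions build the restricted line with a sanity check on the public key file, and audit an authorized_keys file for any key that is not pinned to borg serve --append-only. The function names and the sample key are made up for illustration; the audit is meant to be run on the local file before it is uploaded.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build and audit authorized_keys
# lines that pin a key to the forced command used above.
FORCED='command="borg serve --append-only"'

# Print the authorized_keys line for public key file $1. Fails unless the
# file holds exactly one key line of an expected type (ed25519, RSA, ECDSA).
restricted_line() {
    local pub="$1" count key
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    count="$(grep -c -v '^[[:space:]]*$' "$pub" || true)"
    [ "$count" -eq 1 ] || { echo "$pub: expected one key, found $count" >&2; return 1; }
    key="$(grep -v '^[[:space:]]*$' "$pub")"
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub: not a public key line" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$FORCED" "$key"
}

# Print every key line in authorized_keys file $1 that is not pinned to the
# forced command and return 1 if there is one. Deliberately strict: the
# forced command must be the first option, as in the line built above.
audit_authorized_keys() {
    local file="$1" line bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # drop leading whitespace
        case "$line" in
            ''|'#'*) ;;                            # blank line or comment
            "$FORCED "*|"$FORCED,"*) ;;            # pinned to append-only
            *) printf 'UNRESTRICTED: %s\n' "$line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Demo on constructed data (the key below is a placeholder, not a real key).
demo() {
    local dir; dir="$(mktemp -d)"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA backup@server' > "$dir/key.pub"
    restricted_line "$dir/key.pub" > "$dir/authorized_keys"
    audit_authorized_keys "$dir/authorized_keys" && echo "all keys restricted"
    # A bare key appended later, as ssh-copy-id would do, is caught:
    cat "$dir/key.pub" >> "$dir/authorized_keys"
    audit_authorized_keys "$dir/authorized_keys" || echo "audit failed as expected"
    rm -rf "$dir"
}
demo
```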
Initializing the repository
Once the key is in place, pick a passphrase for encrypting the backup. The passphrase is critical — without it the backup cannot be restored.
export BORG_RSH='ssh -i path/to/key'
export BORG_PASSPHRASE="secret-passphrase"
borg init --encryption=repokey --make-parent-dirs ssh://subuser@subuser.your-storagebox.de:23/./backups/repo-name
First backup
You can use the following script to create a backup:
#!/usr/bin/env bash
##
## Set environment variables
##
## If you are not using the default SSH key, set the path
## to your private key here.
export BORG_RSH='ssh -i path/to/key'
## So the repository password does not have to be entered manually,
## set it via environment variable. The passphrase is stored here in
## clear text, so keep this script readable by root only.
export BORG_PASSPHRASE="secret-passphrase"
##
## Set variables
##
LOG='/var/log/borg/backup.log'
export BACKUP_USER='user'
export REPOSITORY_DIR='repo-name'
## Note: when using a Backup Account instead of a Storage Box,
## change 'your-storagebox.de' to 'your-backup.de'.
export REPOSITORY="ssh://${BACKUP_USER}@${BACKUP_USER}.your-storagebox.de:23/./backups/${REPOSITORY_DIR}"
##
## Write output to a log file
##
exec > >(tee -i "${LOG}")
exec 2>&1
echo "###### Backup started: $(date) ######"
##
## You can run pre-transfer tasks here, e.g.
##
## - dump the list of installed packages
## - create a database dump
##
##
## Transfer files to the repository
## This example backs up /home/user and two extra mount points.
## Add excludes here if needed.
##
echo "Transferring files ..."
borg create -v --stats \
"${REPOSITORY}::{now:%Y-%m-%d_%H:%M}" \
/home/user \
/mnt/disk1 \
/mnt/disk2
echo "###### Backup finished: $(date) ######"
For the very first backup you can append --progress to the borg create command. Also create the log directory (mkdir /var/log/borg) and add a cron job. On my server I run a backup once a week, on Mondays at 03:00.
0 3 * * 1 /root/backup.sh
Edit with crontab -e.
If cron syntax is not your friend, this site is very useful: https://crontab.guru/
Inspecting a backup
To inspect a backup, mount the repository like this:
borg mount ssh://subuser@subuser.your-storagebox.de:23/./backups/repo-name /mnt/backup
ls -la /mnt/backup
