Borg Backup Server

BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.

The main goal of Borg is to provide an efficient and secure way to back up data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to targets that are not fully trusted.

This page describes how to set up a Borg Backup Server on a Synology DiskStation so that Borg Backup clients can use it as a backup storage location.

Prerequisites

A Synology software package for BorgBackup is available from the third-party source SynoCommunity.

  1. Log in to DSM as administrator with your web browser.

  2. Open the Package Center app.

  3. Click on the Settings button.

  4. In the General tab, set the Trust Level to Any publisher.

  5. Click on the Package Sources tab.

  6. Click the Add button.

  7. Add a Name like SynoCommunity and the Location https://packages.synocommunity.com/

  8. Click the OK button.

After successful validation, a new Community section appears in the list of available packages.

Installation

  1. Log in to DSM as administrator with your web browser.

  2. Open the Package Center app.

  3. Find the Borg package in the Community section.

  4. Click the Install button.

Configuration

Log in to DSM with your administrator account and open the “Control Panel” app.

Create a group called borg-backup.

Create a user called borg-backup.

Create a shared folder BorgBackup.

Allow “full control” for the borg-backup user and group on the shared folder.

Open an SSH terminal session as the root user:

$ ssh root@nas.lan

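Create the directory for SSH public keys in the “borg-backup” home folder and tighten the permissions. With StrictModes enabled, sshd ignores authorized_keys when the home directory, the .ssh directory or the file itself is writable by other users, which would break key-based, password-less logins: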

$ mkdir -p /var/services/homes/borg-backup/.ssh
$ touch /var/services/homes/borg-backup/.ssh/authorized_keys
$ chown -R borg-backup:borg-backup /var/services/homes/borg-backup
$ chmod 0700 /var/services/homes/borg-backup
$ chmod 0700 /var/services/homes/borg-backup/.ssh
$ chmod 0600 /var/services/homes/borg-backup/.ssh/*

Client Setup

After SSH public keys are obtained from BorgBackup clients, each key needs to be added to authorized_keys with an SSH forced command that points to the client's repository, as follows:

command="/usr/local/bin/borg serve --restrict-to-path /volume1/BorgBackup/" ssh-ed25519 AAAAC3...

This way, any client connection authenticated with this SSH key is only allowed to run the borg serve command, /usr/local/bin/borg serve --restrict-to-path /volume1/BorgBackup/, and nothing else.
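
The following shell helper is an added example, not part of the original page or the Borg project. It validates a public key submitted by a client and prints the authorized_keys entry, generalizing the line above to one sub-directory per client and adding the OpenSSH restrict option so that forwarding and PTY allocation are disabled as well. The function name, the per-client directory layout and the sample key are assumptions; restrict requires OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: the helper name,
# one sub-directory per client under the shared folder, and the sample key.
BORG_BIN=/usr/local/bin/borg      # borg path used on the page
REPO_ROOT=/volume1/BorgBackup     # shared folder created on the page
NL='
'

# borg_authkey_line CLIENT PUBKEY
# Prints one authorized_keys entry; returns 1 and prints nothing on bad input.
borg_authkey_line() {
    client=$1 pubkey=$2
    # The client name becomes a directory name: no slashes, no leading dot.
    case $client in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # One key per call: an embedded newline would smuggle in a second entry.
    case $pubkey in
        *"$NL"*) return 1 ;;
    esac
    read -r ktype blob _comment <<EOF
$pubkey
EOF
    # The first field must be a key type. This also rejects submissions that
    # already carry their own options such as command="...".
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # The key blob must be plain base64.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # "restrict" turns off port, agent and X11 forwarding and PTY allocation,
    # so the forced command is all the key can do. The client's own comment is
    # replaced by the validated client name.
    printf 'command="%s serve --restrict-to-path %s/%s",restrict %s %s %s\n' \
        "$BORG_BIN" "$REPO_ROOT" "$client" "$ktype" "$blob" "$client"
}

# Constructed sample key (not a real key), as a client would submit it.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal000000000000000000 user@laptop'
borg_authkey_line laptop "$SAMPLE_KEY"
```

Append the printed line to /var/services/homes/borg-backup/.ssh/authorized_keys; a rejected submission prints nothing and returns a non-zero status.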

Reference