Installing BorgBackup on Raspberry Pi 4


In this tutorial we’ll prepare a RPi4 to use as a BorgBackup server. It’ll contain a single (for now) USB hard drive to use as data storage with the option of adding move storage space in the future. I used the following hardware for this guide:

There are 2 computers being used for this process, the Raspberry Pi running Borg serve will be called borg1 and the computer with the original files to backup will be called source

Installing Raspberry Pi OS Lite

Download and install the latest release of Raspberry Pi OS Lite(64-bit)

From a terminal you can use the dd command as root to copy the image to a micro SD card.

$ dd if=2022-04-04-raspios-bullseye-arm64-lite.img of=/dev/sdc bs=1M

Move the SD card to the RPi (borg1) and boot and run the following to get the system to your liking and update:

$ sudo raspi-config
$ sudo apt update
$ sudo apt upgrade -y

Enabling Argon ONE power button (optional)

This step is optional as most configurations will not have an Argon ONE case as I do. In my case I ran the following to configure the fan and button.

 $ curl | bash 
 $ sudo argonone-config

Installing BorgBackup

Installing BorgBackup is actually quite easy.

$ sudo apt install borgbackup

It won’t really do anything at this point until you start using it.

Storage Location

We’re going to store our backups to /mnt/data but any other path will work. This configuration will use LVM but if you plan on using a basic disk partition then you can just mount it to that mount point and skip ahead.

LVM Configuration

Setting up LVM can be its own tutorial so I’m simply documenting what I configured for setup. My storage is a multi-disk USB enclosure but I’m currenly just going to configure 1 drive and as more get added, LVM can help expand the storage across more drives. The setup will not provide any redundancy but in this case I consider it fine since its one of a few backups.

$ sudo apt install lvm2

Next, I using cfdisk to create a new partition using ‘Linux LVM’ as the type.

$ sudo pvcreate /dev/sda1
$ sudo vgcreate vg_data /dev/sda1
$ sudo lvcreate -l +100%FREE vg_data -n data

# create filesystem
$ sudo mkfs.ext4 /dev/mapper/vg_data-data

$ sudo mkdir /mnt/data

Then update /etc/fstab to mount the logical volume:

/dev/mapper/vg_data-data /mnt/data ext4 defaults 0 0

Mount it manually to make sure it works before rebooting to make sure it “sticks”.

Update: I modified this a bit to use an encryption on LVM

Create borg user

Now we’ll create a borg user to run borg as and prepare storage for the backups.

$ sudo adduser --disabled-password borg
$ sudo mkdir /mnt/data/borg
$ sudo chown -R borg:borg /mnt/data/borg

Since we created the borg user with password disabled, you’ll have to switch users using a command similar to this:

$ sudo su - borg

Prepare remote access

As the borg user, create an ~/.ssh folder and in there a file named authorized_keys that we’ll use to handle the borg serve commands:

$ sudo su - borg
borg$ mkdir ~/.ssh
borg$ vi ~/.ssh/authorized_keys

In this file, we’ll enable passwordless login but also run the borg serve command. For this, we’ll get the key of the user that will run the backup on the source machine. If the user needs access to system files then you may end up using root but an unpriveleged user is preferred. In my case, we’ll use the root user’s keys. We’ll manually copy the contents of /root/.ssh/ from the source computer.

Sample in source:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaK+95Zf8s7kv/YlRkbS61w5HG...JUAM= root@vmbox

Paste the contents to ~borg/.ssh/authorized_keys

command="borg serve --storage-quota 10G --restrict-to-repository /mnt/data/borg",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaK+95Zf8s7kv/YlRkbS61w5HG...JUAM= root@vmbox

Note that the public keys were truncated for readability and you should keep your keys intact. You can do this for multiple users from multiple computers if you wish to host backups for multiple computers.

Initialize Borg

On the source computer, run the borg init command using this:

root@source$ borg init -e repokey-blake2 borg@borg1:/mnt/data/borg

It will ask for a passphrase and confirmation. Save these as you’ll need them.

You only need to run the borg init command once per repository.

To verify things are working, you can run list and info commands against borg from the source computer:

root@source$ borg info borg@borg1:/mnt/data/borg
Enter passphrase for key ssh://borg@borg1/mnt/data/borg: 
Repository ID: 9a5931c3f3e0a3e6c68ae603265c1b139faeabbbf1f002291bfbc71d798f8f89
Location: ssh://borg@backupi2.local/mnt/data/borg
Encrypted: Yes (repokey BLAKE2b)
Cache: /root/.cache/borg/9a5931c3f3e0a3e6c68ae603265c1b139faeabbbf1f002291bfbc71d798f8f89
Security dir: /root/.config/borg/security/9a5931c3f3e0a3e6c68ae603265c1b139faeabbbf1f002291bfbc71d798f8f89
                       Original size      Compressed size    Deduplicated size
All archives:                    0 B                  0 B                  0 B

                       Unique chunks         Total chunks
Chunk index:                       0                    0


Install Borgmatic on your source computer then run generate-borgmatic-config to create the config. Run it as the user you will run your backups as – in my case root but an unprivileged user may be more appropriate for some.

You can override the destination config file if you want to have a separate config by using the -d parameter.

root@source$ generate-borgmatic-config

Then edit the config file at /etc/borgmatic/config.yaml (by default) to your liking. For this simple example I’m using the following config file:

root@source$ cat /etc/borgmatic/config.yaml |grep -v '#' | sed '/^$/d'
        - /home
        - /etc
        - borg@borg1:/mnt/data/borg
    encryption_passphrase: "passphrase"
    retries: 3
    retry_wait: 30
    lock_wait: 5
    keep_daily: 7
    keep_weekly: 4
    keep_monthly: 6

Then try running your first backup. This will take some time so consider using a temporary source_directories value.

root@source$ borgmatic -v 1