I have a restic rest-server that receives backups from multiple clients on the network. For additional data security, I would like to clone the repository to an offsite location.
Can I just rclone the whole repository folder including the keys etc. folder? Or is the receiving end then able to decrypt my backups?
Yes, you can definitely rclone the entire repository to some other machine or service.
As usual you have to verify that the storage you put the repository on is one you trust.
You can only see what’s in the repository if you open it with the password - as long as you keep this to yourself, there isn’t much else you can do. As in: the cloud is just someone else’s computer.
So in short: you would need to rclone the entire content of the repository. Not just parts. It is only unlocked with the password.
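The answer above boils down to copying the repository directory as a whole and trusting restic's own encryption rather than the storage. This added example (not code from the thread or from the restic project) checks that the local repository layout is complete before mirroring it with rclone, and then lets restic verify the copy through its rclone backend; it assumes rclone and restic are installed, RESTIC_PASSWORD is set, and the remote name `offsite:restic-mirror` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes rclone and restic are installed
# and RESTIC_PASSWORD is exported; the remote path used below is hypothetical.

# A restic repository is only usable as a whole: the config file and the
# keys/, data/, index/ and snapshots/ directories must all travel together.
# Returns 0 when the layout is complete, 1 (with a message) otherwise.
restic_repo_complete() {
    repo=$1
    missing=""
    [ -f "$repo/config" ] || missing="$missing config"
    for d in keys data index snapshots; do
        [ -d "$repo/$d" ] || missing="$missing $d/"
    done
    if [ -n "$missing" ]; then
        echo "incomplete repository, missing:$missing" >&2
        return 1
    fi
    return 0
}

# Copy the entire repository (no partial selection) to an rclone remote, then
# have restic open the mirror via its rclone backend and check it. The
# repository password stays on this machine; the remote only ever holds
# ciphertext, so no extra crypt layer is added on the rclone side.
mirror_repo() {
    src=$1      # local repository path, e.g. /srv/restic-repo (hypothetical)
    dst=$2      # rclone remote path, e.g. offsite:restic-mirror (hypothetical)
    restic_repo_complete "$src" || return 1
    # --checksum compares hashes instead of size/mtime, which suits a
    # content-addressed repository where files never change in place.
    rclone sync --checksum "$src" "$dst" || return 1
    # Structural and index verification of the mirrored copy.
    restic -r "rclone:$dst" check
}

# Usage: ./mirror-repo.sh /srv/restic-repo offsite:restic-mirror
if [ "$#" -ge 2 ]; then
    mirror_repo "$1" "$2"
fi
```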
So just to be extra sure: a strong repository password protects my data also on someone else’s computer (“the cloud”), so no additional layer of encryption should be needed?
Yes, exactly. It would not make any sense to encrypt the already encrypted restic repository.
So a strong repository password is the only way to make sure that nobody gets access to your data.
For example, I do the same thing. I have my main computer where I do a backup of the data on a spare SSD inside the computer. If I need to restore a file or multiple files fast, I can access the repo on the SSD.
Once a week I rclone this repository to my NAS to have a copy of the latest data in case the SSD repo dies. And then also every two weeks I rclone the entire repo or the diffs of it to B2 where I have an offsite backup.
You could create a crypt remote in rclone and upload the restic repository there for additional safety.
Be sure to back up the crypt passwords and rclone config file safely.
That’s entirely unnecessary. Encryption is already built into restic. Adding another layer of encryption doesn’t help protect you. In fact, it means there’s an additional opportunity to lose your data by adding an extra required key you might lose.
Like @cdhowie said it does not make any sense to encrypt the already encrypted file blobs again.