Restic vs Borg in terms of security

Hi:

I’m working out the most suitable tool for my personal backups in the cloud. My first priority is security. I’m considering Restic and Borg (I didn’t dig into other approaches like Knoxite).

I really appreciate that Filippo Valsorda (https://blog.filippo.io/restic-cryptography/) analyzed Restic in depth and gave it a good score.

I’m not able to find an equivalent analysis of Borg… but I think, reading how it works, that the encryption approach is basically similar…

Am I right?

Since I’ll back up to a local disk, cloud provider integrations are not key for me. I’m looking for deduplication and compression, but neither is very useful in my case since my data is photos and video… therefore… no big gains on dedup or on compression…

Thanks


I’m not aware of how the crypto in borg works exactly, so maybe somebody else can explain? Or point us to the docs for borg?

I don’t really know much about anything, really, but there are differences between Borg encryption and Restic. Mainly, Borg is written in Python and, if I understand correctly, they use libcrypt from OpenSSL for encryption. Here’s a link from their web page: https://borgbackup.readthedocs.io/en/stable/internals/security.html?highlight=encryption

I was reading about how Borg manages keys, and you can export your key, but if the repository is encrypted, the key is already there, so there is no point in exporting your key for me. I don’t know what the reason for this is. Maybe it can help in case of corruption, but I don’t really know.

I don’t know if you can export your keys in Restic, nor whether there is any benefit to it. What I would like is to have an option for a passwordless key, and if you could store that key on a USB stick or something like that, it would be great, because then the key would not be inside the repo, so I think it gives a little more security when your key is outside the backup. Of course, if you lose that key then you’ll never be able to restore anything from your backups, but in terms of security, I think it would be more secure because even when an attacker has all your backups, theoretically they won’t be able to do anything unless they manage to somehow crack the encryption, but I don’t really know about that. I think I’m just making up stuff right now. I don’t know about encryption.

I use both: Borg for local backups, because lz4 compression really helps me out with my limited local storage, and Restic for online backups, because I’m only backing up documents to online storage and that doesn’t require a ton of storage right now.

Borg doesn’t support cloud storage unless it is an ssh server or an online service like rsync.net that uses ssh.

What I would really like to see in Restic is a compression option, along with some more stats like Borg’s; Borg shows you the size of all your data, the compressed size and the deduplicated size. It would be awesome to have those features. There are some people suggesting more Borg-like options, but I think the options in Restic make it really simple and easy to use. The default configurations are just right. One just needs a cron job and a sh script and you have automated secure backups whenever and wherever you want.

Great job with Restic!
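The "cron job plus sh script" setup mentioned above, as an added example that is not code from anyone in this thread: a small POSIX sh wrapper around restic that reads the repository password from a file on removable media (an approximation of the "key outside the repo" wish earlier in the thread) and refuses to run if that file is missing or readable by other users. The repository path, password file path and source directories are assumed placeholders.

```bash
#!/bin/sh
# Added example, not from the thread. Assumed paths: REPO is a restic
# repository on a local disk, PASSWORD_FILE lives on a USB stick that is
# only plugged in while the backup runs. Usage from cron: backup.sh run
set -eu

REPO="${REPO:-/mnt/backupdisk/restic-repo}"                  # assumed path
PASSWORD_FILE="${PASSWORD_FILE:-/media/usbkey/restic.pass}"  # assumed path
SOURCES="${SOURCES:-$HOME/Photos $HOME/Videos}"              # assumed dirs

# Return 0 only if the password file exists and is readable by its owner
# alone (mode 600 or 400); otherwise print why and return 1.
check_password_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "password file missing (USB stick not mounted?): $f" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $f has mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# Every restic call uses the same repository and password file.
run_restic() {
    restic -r "$REPO" --password-file "$PASSWORD_FILE" "$@"
}

# Back up, apply a retention policy, then verify repository structure.
run_backup() {
    check_password_file "$PASSWORD_FILE"
    # shellcheck disable=SC2086  # SOURCES is intentionally word-split
    run_restic backup $SOURCES
    run_restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
    run_restic check
}

# Only run the backup when invoked as "backup.sh run"; otherwise the
# functions above can be sourced and tested without touching a repository.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Note that restic still stores its (password-wrapped) master key inside the repository; this script only keeps the password itself off the backup disk.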