Is there really no Linux incremental backup solution that includes encryption in the way Time Machine does and no I do not want three rsyncs in a trenchcoat thank you
@mjg59 I'm curious: how does Time Machine do it?
(I'm working on an encrypting backup program for Linux, although development isn't going quickly.)
Edited to add: I mean to ask how TM does the encryption part, but I bungled the question.
@nicolas17 @mjg59 File system encryption, check. Thanks. That's not going to fit my needs, alas.
@mjg59 what's wrong with duplicity? Basically rdiff + gpg with your choice of storage backend
@anotherandrew I should really have included "And has nothing to do with gpg" in my list there
@anotherandrew (If I'm backing stuff up I want to be able to recover even in the event of disaster, so how do I back up my private gpg key?)
@mjg59 zfs send | zfs recv, "and now you have two problems". A ZFS snapshot based system WFM though, just don't look at the rsync hiding behind the curtain.
@pndc At this point in my life I don't think there's any way that introducing ZFS results in an improvement
@mjg59 that's what key servers are for, or at worst a paper copy of the ascii armored password-protected key, no?
(Quite possible I'm not understanding your definition of disaster)
@anotherandrew I need a separate secure storage location for the paper copy because storing it with the backup server defeats the point, and now life is massively more complicated. Just using a decent KDF is fine for this use-case.
@liw @nicolas17 @mjg59 It's not filesystem encryption on network shares. Backups are saved as a bunch of small files (sparse bundle) and those are individually encrypted. This is then mounted as a disk image, but the network share does not have to be trusted in any way
Locally attached disks do rely on fs encryption though
@mjg59 so I ran at that in two passes, borg/borgmatic for primary backups, and Nextcloud for basically continuous syncing of things. I've been happy with that for several years now
@mjg59 I'd be curious to know what you think of https://flathub.org/apps/org.gnome.DejaDup (based on Duplicity) and https://flathub.org/apps/org.gnome.World.PikaBackup (based on Borg).
Both are incremental, encrypted, and allow browsing through the timeline of snapshots, local and remote
@nekohayo @mjg59 Pika is the way.
It has an excellent interface where you don't have to know it's using Borg underneath. It supports network storage & can use local disks too.
You can view snapshots in your file manager and copy individual files out if you want, just like Time Machine. (It does a fuse mount and opens it in your file manager, but you don't have to know that; it does all this in the background.)
Every snapshot is standalone (so you can prune) & it's tons faster than Duplicity.
@mjg59 I'm using restic with Backblaze's b2 as the remote storage. Snapshots, incremental, encrypted. It may work for you.
@mjg59 I switched from rsnapshot (rsync in trenchcoats) to Borg. Loving it. I do hourly backups which take a few mins on each machine, to a central backup server over an encrypted connection. WFM YMMV
@mjg59 bupstash https://bupstash.io/ is another option (in beta, cli only)