Most "encrypted" backup services hold the key alongside your data. ServerCrate doesn't. Your files are encrypted on your machine before they leave it, with a key only you possess. We store ciphertext we cannot decrypt - not by policy, by mathematics. If we get subpoenaed, breached, or acquired, your data stays unreadable.
Built for Restic from day one. Borg works too, but Restic is the default voice. BorgBase is Borg-first. We're the inverse.
Every vault sits on ZFS with checksumming and snapshots. Bit rot on a 3-year-old archive gets caught. Most providers won't tell you their backend.
Single Los Angeles datacenter. Low latency for North American users. BorgBase is EU-only. rsync.net is multi-region but priced for it.
When a backup service says your data is "encrypted," it usually means one of two things: the data is encrypted in transit (TLS), or the data is encrypted at rest on their servers using a key they manage. In both cases, the service provider can decrypt your data - either while it's in transit or by using the key they control.
This is sometimes called "server-side encryption" and it provides almost no meaningful privacy protection. It protects against a disk being stolen from a data center, but not against the company reading your data, responding to subpoenas, or a breach of their key management systems.
True encrypted backup requires that the encryption key never leaves your machine - often called "zero-knowledge" or "client-side" encryption. ServerCrate uses Restic, which implements this correctly.
When you run a Restic backup to ServerCrate, the following happens entirely on your machine before any data is transmitted:
The repository password (your encryption key) is never sent to ServerCrate. It never appears in any log, request, or storage on our infrastructure. Even if ServerCrate were fully compromised, your data would remain inaccessible to an attacker.
Zero-knowledge is a precise technical term. A zero-knowledge encrypted backup service is one where the service provider has zero knowledge of the contents of your backups - not zero knowledge as a marketing claim, but as a mathematical property of the system.
ServerCrate achieves this through Restic's encryption model. The encryption key is derived from your repository password using PBKDF2. The master key is then used to encrypt a randomly generated encryption key that protects your data. This key is stored encrypted in the repository itself - only your password can unlock it.
This means we could hand over every byte of your vault storage to any third party and it would be useless without your password. That is not a policy promise - it is a cryptographic fact.
Run Restic from a cron job or systemd timer to back up /home, /etc, /var, application data, and database dumps. Every backup run creates an encrypted snapshot. Restore specific files, directories, or entire snapshots without egress charges.
Back up VM configs, Docker volumes NAS data, and critical scripts to an encrypted offsite vault. ZFS-backed storage means your backup repository stays consistent over time. See the homelab backup guide for specific workflows.
Restic runs on macOS and Windows as well as Linux. Back up your development environment, project files, dotfiles, and local databases to an encrypted offsite vault. Restore to a new machine in minutes.
Photos, documents, financial records, and anything you want to keep private. Client-side encryption means your data stays private regardless of what happens on the server side. No scanning, no indexing, no analysis.
When evaluating encrypted backup services, the key question is: who holds the encryption key? Here is a quick breakdown:
ServerCrate and BorgBase are the two services that provide genuine zero-knowledge encrypted offsite backup for technical users. The primary differences are in pricing structure, storage infrastructure, and target workflow. See the ServerCrate vs BorgBase comparison.
ServerCrate uses flat monthly pricing with no egress fees. You pay one price and restore your encrypted backups as many times as you need.
This is what happens when you run restic backup against a ServerCrate vault. Every step is engineered to give us zero visibility into your actual data.
data/ab/cdef1234... - opaque content-addressed blobs. We can see that you're storing data. We can't see what. File sizes are randomized within Restic's chunk size range, so even size-based inference attacks are limited.The term gets marketed loosely. Here's what it means concretely for ServerCrate:
The data is AES-256 encrypted before it leaves your machine. Without your password, the stored bytes are mathematically useless. Not "legally protected" or "policy-restricted" - actually impossible.
Filenames live inside Restic's encrypted metadata trees, not as filesystem objects. We see content-addressed blobs on disk, nothing that reveals "user has a file called resume-final-v3.pdf in their Documents folder."
This is the critical tradeoff. Real zero-knowledge means no server-side key escrow. If you lose your Restic repository password, your data is cryptographically lost. That's the same promise that makes the system secure against us.
Mitigation: Store your password in a real password manager (1Password, Bitwarden, KeePassXC) and ensure someone you trust has recovery access. Don't tattoo it on your forearm, but treat it with that level of seriousness.
Billing and monitoring require metadata. We see bytes stored, vault activity timestamps, and connection source IPs. We do NOT see file counts, specific filenames, or file timing patterns that would leak intelligence about what's in your backups.
Zero-knowledge encryption is one layer. For a complete setup, also:
restic mount or restic restore --target /tmp/test every 3 months to verify everything still works.Restic encrypts your data locally using a key derived from your password. The encrypted chunks are then transmitted to your ServerCrate vault. We store only ciphertext.
Free plan includes 10 GB. No credit card. Vault provisions in seconds after email verification.
Bitcoin-friendly: We accept on-chain BTC and Lightning via self-hosted BTCPay. See Restic backup paid with Bitcoin for the full breakdown.