Most backup services claim to encrypt your data. ServerCrate uses zero-knowledge client-side encryption - your files are encrypted on your device using a key only you hold, before anything leaves your machine. We store only ciphertext we mathematically cannot decrypt.
When a backup service says your data is "encrypted," it usually means one of two things: the data is encrypted in transit (TLS), or the data is encrypted at rest on their servers using a key they manage. In both cases, the service provider can decrypt your data - either while it's in transit or by using the key they control.
This is sometimes called "server-side encryption" and it provides almost no meaningful privacy protection. It protects against a disk being stolen from a data center, but not against the company reading your data, responding to subpoenas, or a breach of their key management systems.
True encrypted backup requires that the encryption key never leaves your machine - often called "zero-knowledge" or "client-side" encryption. ServerCrate uses Restic, which implements this correctly.
When you run a Restic backup to ServerCrate, the following happens entirely on your machine before any data is transmitted:
The repository password (your encryption key) is never sent to ServerCrate. It never appears in any log, request, or storage on our infrastructure. Even if ServerCrate were fully compromised, your data would remain inaccessible to an attacker.
Zero-knowledge is a precise technical term. A zero-knowledge encrypted backup service is one where the service provider has zero knowledge of the contents of your backups - not zero knowledge as a marketing claim, but as a mathematical property of the system.
ServerCrate achieves this through Restic's encryption model. The encryption key is derived from your repository password using PBKDF2. The master key is then used to encrypt a randomly generated encryption key that protects your data. This key is stored encrypted in the repository itself - only your password can unlock it.
This means we could hand over every byte of your vault storage to any third party and it would be useless without your password. That is not a policy promise - it is a cryptographic fact.
Run Restic from a cron job or systemd timer to back up /home, /etc, /var, application data, and database dumps. Every backup run creates an encrypted snapshot. Restore specific files, directories, or entire snapshots without egress charges.
Back up VM configs, Docker volumes, NAS data, and critical scripts to an encrypted offsite vault. ZFS-backed storage means your backup repository stays consistent over time. See the homelab backup guide for specific workflows.
Restic runs on macOS and Windows as well as Linux. Back up your development environment, project files, dotfiles, and local databases to an encrypted offsite vault. Restore to a new machine in minutes.
Photos, documents, financial records, and anything you want to keep private. Client-side encryption means your data stays private regardless of what happens on the server side. No scanning, no indexing, no analysis.
When evaluating encrypted backup services, the key question is: who holds the encryption key? Here is a quick breakdown:
ServerCrate and BorgBase are the two services that provide genuine zero-knowledge encrypted offsite backup for technical users. The primary differences are in pricing structure, storage infrastructure, and target workflow. See the ServerCrate vs BorgBase comparison.
ServerCrate uses flat monthly pricing with no egress fees. You pay one price and restore your encrypted backups as many times as you need.
Restic encrypts your data locally using a key derived from your password. The encrypted chunks are then transmitted to your ServerCrate vault. We store only ciphertext.
Free plan includes 10 GB. No credit card. Vault provisions in seconds after email verification.