Back up your QNAP to private, encrypted offsite storage. Works with HBS 3 rsync, with Container Station Restic, or straight from SSH. Your files are encrypted before they leave the NAS. We can't read them.
A NAS is one machine. RAID handles drive failures; it does not handle fires, theft, ransomware, or a silent bit-flip that propagates to all mirrors before you notice. If everything important lives on your QNAP and only your QNAP, you do not have a backup - you have a single copy on redundant drives.
The 3-2-1 rule applies: three copies, two media types, one offsite. Offsite is where most homelab and small-business QNAP owners fall short. Cloud buckets with egress fees make restores expensive. Consumer cloud sync services are not backups - they mirror deletion and corruption.
A proper offsite backup target for a QNAP is: encrypted client-side, stored on an independent stack you do not operate, restorable without bandwidth penalties, and cheap enough to keep running without babying the bill.
Restic gives you deduplication, encryption, and snapshot history. QNAP's Container Station runs Docker, so you can mount your shares into a Restic container and back them up to ServerCrate on a schedule.
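# On the QNAP, install Container Station from App Center if not installed
# SSH into the NAS as admin
ssh admin@your-qnap.local
# Create a persistent dir for Restic cache and env
mkdir -p /share/Container/restic/cache /share/Container/restic/etc
# Restrict permissions before the password is written to disk
umask 077
# Quoted 'EOF' stops the shell expanding $ or backticks inside the password.
# A non-default SSH port needs restic's URL form: sftp://user@host:port//path
cat > /share/Container/restic/etc/env <<'EOF'
RESTIC_REPOSITORY=sftp://vaultuser@vault.servercrate.net:22150//data
RESTIC_PASSWORD=your-repository-password
EOF
chmod 600 /share/Container/restic/etc/env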
Then create a compose file and run nightly:
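# /share/Container/restic/docker-compose.yml
services:
  restic:
    image: restic/restic:latest
    # Fixed hostname (example name): restic records it in every snapshot and groups snapshots by it
    hostname: qnap
    env_file: /share/Container/restic/etc/env
    volumes:
      - /share/Public:/data/Public:ro
      - /share/homes:/data/homes:ro
      - /share/Container/restic/cache:/root/.cache/restic
    # Compose does not run shell substitutions such as $(hostname), so the tag is a literal
    command: backup /data --tag qnap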
Schedule with QNAP's built-in Task Scheduler to run docker compose run --rm restic nightly. Add a second cron for restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune weekly.
Hybrid Backup Sync 3 is QNAP's first-party backup app. It does not speak Restic, but it speaks rsync over SSH, which works against any SFTP host. This gives you server-side storage but no client-side encryption. Use this only if you can accept that the backup host can read your files - or pair it with QNAP's own volume encryption before sync.
In HBS 3: Create a Job → Sync → Remote → rsync. Enter your ServerCrate vault hostname, port, username, and password. Select the shares to sync. HBS 3 will incrementally mirror them.
Compared to Option 1, HBS 3 is easier to configure but loses the biggest benefit of this kind of target: client-side encryption.
If you have SSH access to your QNAP (enabled from Control Panel → Telnet/SSH), you can run restic or rclone directly. This gives you the most control and the fewest moving parts. Install Entware to get a proper package manager, then opkg install restic.
Not everything on a NAS is worth backing up. Scratch directories, downloads, transcode caches, and media libraries that come from physical originals (DVDs you own) waste storage and bandwidth. Back up:
QNAP has been targeted repeatedly - DeadBolt, Qlocker, eCh0raix. If your NAS is ever exposed to the internet (even by accident via UPnP), you are a target. A proper offsite backup with snapshot history is what saves you. Restic keeps all snapshots by default; when ransomware encrypts your NAS and HBS 3 dutifully syncs the encrypted files to your backup, Restic still has yesterday's clean snapshot sitting in the repository.
This is the single biggest reason to use Restic over rsync for QNAP backups. rsync's "mirror" model propagates corruption. Restic's snapshot model preserves history.
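Snapshot history only helps if the encrypted state is noticed before the retention policy ages out the last clean snapshot. As an added example (not part of the original page, ServerCrate or restic), this Python check reads the output of the backup command run with restic's --json flag and flags a run where most files are new or changed and most bytes failed to deduplicate; the thresholds, function names and sample log lines are constructed assumptions.

```python
import json
from collections import namedtuple

# Assumed thresholds, tune per NAS: share of files that are new or changed,
# and share of processed bytes that had to be uploaded as new data.
MAX_CHURN = 0.30
MAX_NEW_DATA = 0.50

Verdict = namedtuple("Verdict", "snapshot_id churn new_data suspicious")

# Constructed sample logs (not real output): one quiet night, and one night
# after every file was rewritten and renamed, so nothing deduplicates.
QUIET_LOG = """Container restic-run Creating
{"message_type":"status","percent_done":1,"total_files":48262}
{"message_type":"summary","files_new":12,"files_changed":40,"files_unmodified":48210,"data_added":73400320,"total_files_processed":48262,"total_bytes_processed":312475648000,"snapshot_id":"aaaa1111"}"""
MASS_REWRITE_LOG = """{"message_type":"summary","files_new":48100,"files_changed":0,"files_unmodified":162,"data_added":309000000000,"total_files_processed":48262,"total_bytes_processed":312475648000,"snapshot_id":"bbbb2222"}"""


def find_summary(log_text):
    """Return the last 'summary' message from a `restic backup --json` log."""
    summary = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # container or scheduler noise mixed into the log
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line from an interrupted run
        if msg.get("message_type") == "summary":
            summary = msg
    if summary is None:
        raise ValueError("no summary message: the backup did not complete")
    return summary


def assess(log_text, initial_backup=False):
    """Flag a run where most files changed AND most bytes were new data."""
    s = find_summary(log_text)
    churn = (s["files_new"] + s["files_changed"]) / max(s["total_files_processed"], 1)
    new_data = s["data_added"] / max(s["total_bytes_processed"], 1)
    # A first backup uploads everything, so the caller must say when it is one.
    suspicious = not initial_backup and churn > MAX_CHURN and new_data > MAX_NEW_DATA
    return Verdict(s["snapshot_id"], churn, new_data, suspicious)
```

When a run is flagged, hold back that week's forget --prune and inspect the snapshot first, so retention does not remove the last clean copy. A bulk rename or folder move raises churn but deduplicates, which is why both ratios must exceed their thresholds.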
Two scenarios: file-level restore and bare-metal restore.
For individual files, restic mount your repository on any Linux machine (or the QNAP itself via Container Station), browse the snapshot tree, and copy what you need:
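mkdir -p /mnt/restore
# restic mount uses FUSE: the container needs /dev/fuse and the SYS_ADMIN capability,
# and /mnt/restore must be a shared bind mount for the host to see the snapshot tree
docker compose run --rm restic mount /mnt/restore
# in another terminal
# the backup root was /data, so snapshot paths start with data/
cp -a /mnt/restore/snapshots/latest/data/homes/kane/Documents /share/homes/kane/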
For full-NAS restore after a hardware failure, set up a clean QNAP, reinstall Container Station, restore the Restic env, and run restic restore latest --target /share. Depending on data size and upload speed, plan for several hours to a day.
The common alternatives:
Sign up for a free 10GB vault, no card required. Follow the Restic in Container Station steps above. A typical homelab QNAP with 200-500GB of user data can run an initial backup overnight on a 1Gbps symmetric connection and nightly incrementals in under 15 minutes after that.
gocryptfs / cryfs overlay for sensitive shares. Then rsync the encrypted files. This is a workaround; Restic is still cleaner because the encryption and backup logic live together.
Free 10GB vault. Works with Container Station Restic or HBS 3 rsync. Setup in under 10 minutes.
No egress fees, cancel anytime, 7-day money-back guarantee