Restic over HTTPS / Private Vaults / Zero-Knowledge

Restic backup hosting.
Private offsite backups that stay yours.

ServerCrate gives you a private Restic over HTTPS backup target with encrypted offsite storage, no egress fees, and a workflow that is easy to understand. Built for Linux servers, homelabs, Docker hosts, and serious file backups.

Use the free tier to validate your workflow first, then move up when storage or device count becomes the limit.

Restic over HTTPS
Your key only
ZFS-backed storage
No egress fees
Restic Vault - ServerCrate
Ready
Protocol
REST / HTTPS
Client
Restic
Storage
ZFS
Access
Encrypted
Use casesLinux, Docker, NAS Proxmox
Nightly backup
02:30 AM
Done
Retention prune
02:34 AM
Done
Restore test
Weekly
Ready
Encrypted on your device before upload
Open Restic workflow
Client-side encryption
Private vault per account
No restore fees
Built for real backup jobs
ZFS-backed vaults
Restore-ready workflow
Open Restic workflow
Client-side encryption
Private vault per account
No restore fees
Built for real backup jobs
ZFS-backed vaults
Restore-ready workflow
Why this page exists

You want Restic over HTTPS.
Not a weird black box.

A lot of backup products bury the actual workflow behind vague "cloud backup" language. ServerCrate is straightforward: you get a private vault, connect Restic over HTTPS, run your backups, and restore without paying egress penalties.

01
Create your account
Sign up and get your vault details from the portal without opening a support ticket.
02
Set your Restic variables
Copy your REST repository URL and token into your environment or backup script.
03
Run encrypted backups offsite
Back up files, configs, Docker volumes, site data, or server paths with a clean Restic workflow.
04
Restore when you need to
Pull back full snapshots or individual files without getting hit by restore fees.
Terminal - Restic over HTTPS
# Paste from your ServerCrate portal
$ export RESTIC_REPOSITORY=rest:https://vaultuser:YOUR_TOKEN@a1b2c3d4.vault.servercrate.net/
$ export RESTIC_PASSWORD=your-secret-token
 
# Initialize once and back up
$ restic snapshots || restic init
$ restic backup /etc /var/www /home
snapshot saved - encrypted and pushed offsite
Why this combination

Restic over its native REST protocol. Here's why it matters.

Most managed backup services give you two bad choices: a proprietary agent that only talks to their cloud, or raw object storage that you have to assemble tooling around yourself. Restic over HTTPS skips both traps.

Restic handles encryption before anything leaves your machine

Every chunk is AES-256 encrypted with a key that only exists on your device. The vault sees encrypted ciphertext - no metadata, no filenames, no file sizes that would leak intelligence about your data. Even with full root access to the server, we can see that you have data, but not what it is.

Plain HTTPS, no agent and no SSH keys to manage

Restic speaks rest-server's HTTP API natively, so there is no agent to install, no daemon to keep updated, and no SSH keys to provision or rotate. Authentication is a single per-vault token over TLS. The transport is ordinary HTTPS, so it works through firewalls and proxies that block SSH, and it makes fewer round-trips than SFTP.

No vendor lock-in on the repository format

Your Restic repo is a filesystem of opaque encrypted files. If you ever want to migrate to self-hosted, rsync.net, or a different backup host, you copy the files and point Restic at the new location. No export tools required. The repo format is documented and stable since 2017.

The value ServerCrate adds over a raw rest-server isn't a fancy protocol. It's having a vault with ZFS underneath, retention policies that make sense, and a portal that shows you which snapshots exist without touching a terminal.
Real throughput

What Restic over HTTPS actually does in practice.

Numbers from backing up a mixed-workload server over a residential 1 Gbps uplink to a ServerCrate vault. Your results depend heavily on the file mix, your upload speed, and how much data has changed.

Initial Backup
31 MB/s
Average throughput on 500 GB initial upload with medium-sized files (VM exports, Docker volumes). Upload-bound, not server-bound.
Incremental Runs
2-6 min
Typical daily incremental on a 200 GB dataset. Most runs upload under 1 GB thanks to content-defined chunking.
Dedup Efficiency
3.2x
Storage savings from Restic's chunk-level deduplication across overlapping Docker images and VM base disks.
Single-File Restore
4 min
Time to pull a specific 800 MB file from a snapshot on a 1 Gbps downlink. Zero egress cost regardless of volume.
What affects your numbers

Upload speed is almost always the bottleneck on the first run. A 50 Mbps residential uplink will push about 5-6 MB/s, so 500 GB takes ~28 hours. Plan the first run over a weekend.

File mix matters for incremental runs. A dataset with lots of small files (Docker volumes with SQLite databases, for example) spends more time on metadata than throughput. Large VM exports that change in narrow byte ranges dedup beautifully.

Cold cache effects show up on restore. The first restore from a new session pulls index metadata first. After that, restore is as fast as your downlink.

Inside the portal

Connection details, snapshots, and device management in one place.

Everything you need to connect Restic and monitor your backups. No support tickets, no console trails.

ServerCrate portal dashboard showing vault status, storage used, snapshots, devices, active subscription, and recent snapshot list
The dashboard shows vault status, storage used, recent snapshots, and current plan at a glance. Click into My Vault for the full Restic connection details.
ServerCrate My Vault page showing the REST repository URL, vault user, storage, backup health, Quick Connect commands, and snapshot list
The vault page has every connection detail: the REST repository URL, vault user, Restic environment variables, and the exact init and backup commands to paste into your terminal.
Under the hood

How the stack actually works.

Transparency on the infrastructure, because people asking about backup hosting deserve to know what they're trusting.

Storage layer: ZFS on Proxmox

Vaults live in LXC containers running on a Proxmox host with ZFS as the underlying filesystem. ZFS checksums every read and write - silent data corruption gets caught and repaired against a mirror, not blindly handed back to Restic. That matters for backups: a repo you can't actually restore from is worse than no backup at all.

Each customer gets a dedicated ZFS dataset with quota enforcement. Your data is physically separated from every other tenant's data. Not namespace isolation - separate datasets.

Network layer: TLS-terminating edge, nothing else exposed

Your vault lives at <id>.vault.servercrate.net. Requests hit a hardened edge that terminates TLS - with post-quantum hybrid key exchange - and proxies through to the isolated container your repo runs in. The only thing reachable from the public internet is HTTPS; the vault containers themselves are never directly exposed. Authentication is a per-vault token, so there is no SSH surface to brute-force.

Security layer: nftables, CrowdSec

The edge runs nftables with default-deny - only the HTTPS ports are open. Probing and abusive IPs are banned automatically, and CrowdSec pulls a shared community blocklist, so at any given moment the edge is dropping 15,000+ addresses already seen attacking anyone else running CrowdSec. Access to the repo itself is gated by your per-vault token over TLS.

Encryption layer: Restic client-side, server sees nothing

Restic's repository format wraps every backup chunk in AES-256-CTR with a Poly1305-AES MAC. The key is derived from your repository password via scrypt. That password lives only on your device - we store a hash of it in our database for provisioning, never the password itself.

Server-side we see a directory full of opaque data/xx/yyyyyy... files. Not filenames, not sizes that correlate to real files, not timing patterns that leak operational intel. Full zero-knowledge as a mathematical property, not a marketing claim.

Comparing hosts? Prove ours works first.
10 GB free vault, no card. Restore-verified every day, receipts public.
Start Free →
Honest comparison

Restic hosting vs the alternatives.

If you've been researching this space, you've probably already looked at these. Here's the practical tradeoff.

ServerCrate rsync.net BorgBase Self-host SFTP
Restic support First-class Supported Borg + Restic Yes
Entry price $5/mo (200 GB) $24/yr (100 GB)Cheaper annually $24/yr (250 GB)Borg-first VPS + time cost
Free tier 10 GB, no card None 10 GB free forever N/A
Dedicated storage ZFS dataset per user Shared ZFS pool Shared pool Whatever you build
Monitoring & alerts Portal + email Manual Built-in alerts Roll your own
Zero-knowledge Client-side Client-side Client-side You control the key
Egress fees None None None None if you're DIY
Time to first backup 5 minutes 15-30 min (SSH key setup) 15-30 min Hours to days
Best for Managed Restic, one page Long-tenure admins Borg purists Full control, time to burn

For deep side-by-side analysis: Restic vs Borg vs Tarsnap vs Arq vs Duplicacy vs BorgBase vs rsync.net.

Why ServerCrate

Restic hosting that stays simple,
private, and usable.

This is built for people who want clear offsite backup, not a messy pricing model or proprietary nonsense.

Your key only
Files are encrypted on your machine before upload. ServerCrate does not hold the key needed to read them.
Restic over HTTPS
Open, portable, and easy to reason about. No proprietary agent and no awkward restore trap.
No egress fees
You already paid to store your data. Restoring it should not turn into another invoice.
Built for server backups
Good fit for Linux servers, Docker hosts, web apps, VPS systems, and homelab gear.
ZFS-backed storage
ServerCrate is built on storage architecture chosen for integrity and real backup workloads.
Restore-ready workflow
A backup is only real if you can restore it. This page is built around that reality.
Who this is for

Common Restic backup workloads.

Linux servers
Back up app configs, web roots, database dumps, and system files to private offsite storage on a schedule. Works with any Linux distribution.
Docker workloads
Protect Docker volumes, compose stacks, and critical application data without changing your existing workflow or tooling.
Homelabs
Push Proxmox-related exports, NAS data, and homelab file sets offsite with a Restic workflow that stays simple and understandable.
The client

Restic is the client. That's the whole setup.

Your vault speaks Restic's native REST protocol, so the one tool you need is the Restic binary - on Linux, macOS, Windows, or BSD. No agent, no SSH keys, no GUI client to babysit: point Restic at your vault URL with your token and you are backing up. And because the repository is standard, open Restic format, you are never locked in - copy it to any other Restic backend, an SFTP host like rsync.net or BorgBase, S3, B2, or your own disk, and keep restoring exactly as before.

Who should not use ServerCrate

The strongest signal we can give you is to tell you when we are the wrong fit. Short and honest.

  • If you back up at the 10TB+ tier.rsync.net's pricing scales better. Their bulk tiers are below our largest plan on a per-TB basis.
  • If you need EU data residency.We're US-only. BorgBase has Frankfurt and Helsinki options.
  • If you need card-only payments.For accounts over $50/mo we require Bitcoin or bank wire.
FAQ

Questions?

It depends on size. rsync.net meters at about 1.2 cents/GB/month (100 GB minimum, no egress), so a small repo can run a dollar or two a month, often cheaper than the ServerCrate $5 entry. ServerCrate at a flat $5 for 200 GB buys a predictable bill, a 10 GB free tier, on-chain Bitcoin, and zero-knowledge by default. BorgBase is competitive but tuned for Borg rather than Restic.
ServerCrate and BorgBase do not charge egress, and rsync.net has no bandwidth or egress charges either. The egress cost to watch is on per-GB object stores like S3, B2, and Wasabi.
BorgBase counts repositories; rsync.net counts accounts. ServerCrate counts devices via a soft cap per plan tier (1/3/5 devices on Starter/Standard/Pro). Sysadmins backing up many machines should compare device counts as carefully as storage.
No. rest-server makes fewer round-trips than SFTP for Restic's access pattern, so REST is generally faster on metadata-heavy operations like locking and index updates. For raw backup throughput on typical homelab uplinks (100Mbps to 1Gbps) you are bandwidth-bound either way.
Yes, but it doubles the work. You would be tunneling Restic through rclone through another layer, and there is no benefit unless you need rclone-specific features like multi-cloud striping. For pure backup, point Restic at the vault directly.
Related pages

Keep going.

This page explains the product fit. These pages help with the next step.

Start Today

Run Restic offsite.
Keep your data private.

Private vaults. Zero-knowledge design. No egress fees.
Built for clean offsite backup workflows.

Start Free - 10 GB forever, no card View Plans

Restic-friendly, no egress fees, cancel anytime

Bitcoin-friendly: We accept on-chain BTC and Lightning via self-hosted BTCPay. See Restic backup paid with Bitcoin for the full breakdown.

Next steps
How we protect your data
Zero-knowledge encryption, ZFS isolation, what we log
Who runs ServerCrate
Operating commitments, where data lives, transparency
First backup in 5 min
Sign up, init vault, run your first Restic backup
Try it before you decide

Encrypted Restic vault, free forever

10 GB. No credit card. Setup in 5 minutes. Bitcoin or card when you upgrade.

Start free vault →