Restic over SFTP / Private Vaults / Zero-Knowledge

Restic SFTP backup hosting.
Private offsite backups that stay yours.

ServerCrate gives you a private Restic over SFTP backup target with encrypted offsite storage, no egress fees, and a workflow that is easy to understand. Built for Linux servers, homelabs, Docker hosts, and serious file backups.

Use the free tier to validate your workflow first, then move up when storage or device count becomes the limit.

Restic over SFTP
Your key only
ZFS-backed storage
No egress fees
Restic Vault - ServerCrate (Ready)
Protocol: SFTP
Client: Restic
Storage: ZFS
Access: Encrypted
Use cases: Linux, Docker, NAS, Proxmox
Nightly backup, 02:30 AM: Done
Retention prune, 02:34 AM: Done
Restore test, weekly: Ready
Encrypted on your device before upload
Open Restic workflow
Client-side encryption
Private vault per account
No restore fees
Built for real backup jobs
ZFS-backed vaults
Restore-ready workflow
Why this page exists

You want Restic over SFTP.
Not a weird black box.

A lot of backup products bury the actual workflow behind vague "cloud backup" language. ServerCrate is straightforward: you get a private vault, connect Restic over SFTP, run your backups, and restore without paying egress penalties.

01 - Create your account
Sign up and get your vault details from the portal without opening a support ticket.

02 - Set your Restic variables
Copy your SFTP repository path and token into your environment or backup script.

03 - Run encrypted backups offsite
Back up files, configs, Docker volumes, site data, or server paths with a clean Restic workflow.

04 - Restore when you need to
Pull back full snapshots or individual files without getting hit by restore fees.

Terminal - Restic over SFTP
# Paste from your ServerCrate portal
# A non-default port needs restic's sftp:// URL form (double slash before an absolute path)
$ export RESTIC_REPOSITORY=sftp://vaultuser@vault.servercrate.net:22150//data
$ export RESTIC_PASSWORD=your-secret-token
 
# Initialize once and back up
$ restic snapshots || restic init
$ restic backup /etc /var/www /home
snapshot saved - encrypted and pushed offsite
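
The same workflow as a scheduled job, covering a nightly backup, a retention prune and a restore test. This is an added example, not ServerCrate's own script: the retention counts, the probe file /etc/hostname, and reading the token from RESTIC_PASSWORD_FILE instead of an exported RESTIC_PASSWORD are assumptions.

```sh
#!/bin/sh
# Added example (not ServerCrate's own script). Policy values are assumptions.
set -eu

require_env() {
  # The repository string comes from the portal. The token is read from a
  # mode-0600 file so it stays out of shell history and process listings.
  : "${RESTIC_REPOSITORY:?set to the sftp repository string from the portal}"
  : "${RESTIC_PASSWORD_FILE:?set to a root-only file holding the vault token}"
  export RESTIC_REPOSITORY RESTIC_PASSWORD_FILE
}

# Initialize only if the repository has no config object yet.
ensure_repo() {
  restic cat config >/dev/null 2>&1 || restic init
}

nightly_backup() {
  restic backup --exclude-caches --tag nightly "$@"
}

# Assumed retention: 7 daily, 4 weekly and 6 monthly snapshots.
retention_prune() {
  restic forget --tag nightly --keep-daily 7 --keep-weekly 4 \
    --keep-monthly 6 --prune
}

# Restore test: check repository structure plus 1 of 20 pack-file groups,
# then restore one rarely-changing file and compare it with the live copy.
# The body runs in a subshell so its variables stay local.
restore_test() (
  probe=$1 rc=0
  tmp=$(mktemp -d)
  { restic check --read-data-subset=1/20 &&
    restic restore latest --target "$tmp" --include "$probe" &&
    cmp -s "$probe" "$tmp$probe"; } || rc=$?
  rm -rf "$tmp"
  exit "$rc"
)

main() {
  require_env
  case "${1:-}" in
    nightly) ensure_repo && nightly_backup /etc /var/www /home && retention_prune ;;
    weekly)  restore_test /etc/hostname ;;
    *) echo "usage: $0 nightly|weekly" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `nightly` from cron or a systemd timer each night and with `weekly` once a week. A non-zero exit from `weekly` means the sampled pack data or the restored file did not verify.
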
Why this combination

Restic plus SFTP is a rare pairing. Here's why it matters.

Most managed backup services give you two bad choices: a proprietary agent that only talks to their cloud, or raw object storage that you have to assemble tooling around yourself. Restic over SFTP skips both traps.

Restic handles encryption before anything leaves your machine

Every chunk is AES-256 encrypted with a key that exists only on your device. The vault sees only ciphertext - no metadata, no filenames, no file sizes that would leak intelligence about your data. Even with full root access to the server, we can see that you have data, but not what it is.

SFTP is already installed on every Linux system

No agent to install, no daemon to keep updated, no proprietary protocol to audit. If OpenSSH works on your box (it does, or you have bigger problems), SFTP works. The transport is mature, well-audited, and supports standard SSH key authentication.

No vendor lock-in on the repository format

Your Restic repo is a directory tree of opaque encrypted files. If you ever want to migrate to self-hosted, rsync.net, or a different backup host, you copy the files and point Restic at the new location. No export tools required. The repo format is documented and has been stable since 2017.

The value ServerCrate adds over a raw SFTP server isn't a fancy protocol. It's having a vault with ZFS underneath, retention policies that make sense, and a portal that shows you which snapshots exist without SSH'ing anywhere.
Real throughput

What Restic over SFTP actually does in practice.

Numbers from backing up a mixed-workload server over a residential 1 Gbps uplink to a ServerCrate vault. Your results depend heavily on the file mix, your upload speed, and how much data has changed.

Initial Backup
31 MB/s
Average throughput on 500 GB initial upload with medium-sized files (VM exports, Docker volumes). Upload-bound, not server-bound.
Incremental Runs
2-6 min
Typical daily incremental on a 200 GB dataset. Most runs upload under 1 GB thanks to content-defined chunking.
Dedup Efficiency
3.2x
Storage savings from Restic's chunk-level deduplication across overlapping Docker images and VM base disks.
Single-File Restore
4 min
Time to pull a specific 800 MB file from a snapshot on a 1 Gbps downlink. Zero egress cost regardless of volume.
What affects your numbers

Upload speed is almost always the bottleneck on the first run. A 50 Mbps residential uplink will push about 5-6 MB/s, so 500 GB takes ~28 hours. Plan the first run over a weekend.

File mix matters for incremental runs. A dataset with lots of small files (Docker volumes with SQLite databases, for example) spends more time on metadata than throughput. Large VM exports that change in narrow byte ranges dedup beautifully.

Cold cache effects show up on restore. The first restore from a new session pulls index metadata first. After that, restore is as fast as your downlink.

Inside the portal

Connection details, snapshots, and device management in one place.

Everything you need to connect Restic and monitor your backups. No support tickets, no console trails.

[Screenshot: ServerCrate portal dashboard showing vault status, storage used, snapshots, devices, active subscription, and recent snapshot list]
The dashboard shows vault status, storage used, recent snapshots, and current plan at a glance. Click into My Vault for the full Restic connection details.
[Screenshot: ServerCrate My Vault page showing SFTP host, port, vault user, storage, backup health, Quick Connect commands, and snapshot list]
The vault page has every connection detail: SFTP host, port, user, Restic environment variables, and the exact init and backup commands to paste into your terminal.
Under the hood

How the stack actually works.

Transparency on the infrastructure, because people asking about backup hosting deserve to know what they're trusting.

Storage layer: ZFS on Proxmox

Vaults live in LXC containers running on a Proxmox host with ZFS as the underlying filesystem. ZFS checksums every read and write - silent data corruption gets caught and repaired against a mirror, not blindly handed back to Restic. That matters for backups: a repo you can't actually restore from is worse than no backup at all.

Each customer gets a dedicated ZFS dataset with quota enforcement. Your data is physically separated from every other tenant's data. Not namespace isolation - separate datasets.

Network layer: WireGuard tunnel to public endpoint

The public-facing endpoint vault.servercrate.net terminates at an edge router that forwards SSH/SFTP traffic over a WireGuard tunnel into the private network where the vault containers actually run. This keeps the attack surface minimal - the vault containers themselves aren't exposed to the public internet, only SFTP and only through a per-port mapping.

Security layer: nftables, fail2ban, CrowdSec

The edge router runs nftables with default-deny. SSH/SFTP attempts that fail are tracked by fail2ban with short bans for probes and long bans for persistent attackers. Above that, CrowdSec pulls a shared community blocklist - at any given moment the edge is blocking 15,000+ IPs that have been seen attacking anyone else running CrowdSec. Your vault port only sees traffic from your known devices.

Encryption layer: Restic client-side, server sees nothing

Restic's repository format wraps every backup chunk in AES-256-CTR with a Poly1305-AES MAC. The key is derived from your repository password via scrypt. That password lives only on your device - we store a hash of it in our database for provisioning, never the password itself.

Server-side we see a directory full of opaque data/xx/yyyyyy... files. Not filenames, not sizes that correlate to real files, not timing patterns that leak operational intel. Full zero-knowledge as a mathematical property, not a marketing claim.

Honest comparison

Restic SFTP hosting vs the alternatives.

If you've been researching this space, you've probably already looked at these. Here's the practical tradeoff.

Feature | ServerCrate | rsync.net | BorgBase | Self-host SFTP
Restic support | First-class | Supported | Borg + Restic | Yes
Entry price | $5/mo (200 GB) | $24/yr (100 GB), cheaper annually | $16.80/yr (250 GB), Borg-first | VPS + time cost
Free tier | 10 GB, no card | None | 10 GB free forever | N/A
Dedicated storage | ZFS dataset per user | Shared ZFS pool | Shared pool | Whatever you build
Monitoring & alerts | Portal + email | Manual | Built-in alerts | Roll your own
Zero-knowledge | Client-side | Client-side | Client-side | You control the key
Egress fees | None | None | None | None if you're DIY
Time to first backup | 5 minutes | 15-30 min (SSH key setup) | 15-30 min | Hours to days
Best for | Managed Restic, one page | Long-tenure admins | Borg purists | Full control, time to burn

For deep side-by-side analysis: Restic vs Borg vs Tarsnap vs Arq vs Duplicacy vs BorgBase vs rsync.net.

Why ServerCrate

Restic hosting that stays simple,
private, and usable.

This is built for people who want clear offsite backup, not a messy pricing model or proprietary nonsense.

Your key only
Files are encrypted on your machine before upload. ServerCrate does not hold the key needed to read them.
Restic over SFTP
Open, portable, and easy to reason about. No proprietary agent and no awkward restore trap.
No egress fees
You already paid to store your data. Restoring it should not turn into another invoice.
Built for server backups
Good fit for Linux servers, Docker hosts, web apps, VPS systems, and homelab gear.
ZFS-backed storage
ServerCrate is built on storage architecture chosen for integrity and real backup workloads.
Restore-ready workflow
A backup is only real if you can restore it. This page is built around that reality.
Who this is for

Common Restic backup workloads.

Linux servers
Back up app configs, web roots, database dumps, and system files to private offsite storage on a schedule. Works with any Linux distribution.
Docker workloads
Protect Docker volumes, compose stacks, and critical application data without changing your existing workflow or tooling.
Homelabs
Push Proxmox-related exports, NAS data, and homelab file sets offsite with a Restic workflow that stays simple and understandable.
Other clients

Restic-first, but it's just SFTP - so any SFTP client works.

Restic is the recommended client and what we tune the platform around. The vault itself is a standard SFTP endpoint though, so anything that speaks the protocol can read or write to it. That matters for two reasons: you can verify Restic uploads landed by browsing the vault with FileZilla, and you have a fallback if you ever need raw access to the encrypted blobs.

FileZilla / WinSCP / Cyberduck
Browse and verify your vault visually. Drag-drop transfers when you need them.
rclone
Sync, copy, mount. Use the sftp backend with md5sum_command=none.
sshfs
Mount the vault as a local filesystem. Pair with client-side encryption to keep zero-knowledge.
OpenSSH sftp(1) + lftp + curl
CLI access for scripting and CI. Native sftp:// support across the toolchain.

BorgBackup is the one major exception - it requires SSH shell access we don't ship by design. If you need Borg, BorgBase is the right home for it.

Who should not use ServerCrate

The strongest signal we can give you is to tell you when we are the wrong fit. Short and honest.

  • If you back up at the 10TB+ tier. rsync.net's pricing scales better. Their bulk tiers are below our largest plan on a per-TB basis.
  • If you need EU data residency. We're US-only. BorgBase has Frankfurt and Helsinki options.
  • If you need card-only payments. For accounts over $50/mo we require Bitcoin or bank wire.

FAQ

Questions?

ServerCrate at $5/mo for 200GB is the cheapest entry-tier option for Restic specifically. BorgBase has a similar entry but it's tuned for Borg. rsync.net is more expensive at small tiers but scales better at multi-TB.
ServerCrate and BorgBase don't charge egress. rsync.net's pricing includes generous bandwidth but commercial-tier accounts have caps. Always check the fine print for restore-volume scenarios.
BorgBase counts repositories; rsync.net counts accounts. ServerCrate counts devices via a soft cap per plan tier (1/3/5 devices on Starter/Standard/Pro). Sysadmins backing up many machines should compare device counts as carefully as storage.
Marginally, on some operations. SFTP has more round-trips than rest-server's HTTP API. For backup throughput on typical homelab uplinks (100Mbps to 1Gbps), the difference is invisible -- you're bandwidth-bound.
Yes, but it doubles the work -- you'd be tunneling Restic through rclone through SFTP. There's no benefit unless you need rclone-specific features like multi-cloud striping. For pure backup, point Restic at SFTP directly.

Start Today

Run Restic offsite.
Keep your data private.

Private vaults. Zero-knowledge design. No egress fees.
Built for clean offsite backup workflows.

Start Free - 10 GB forever, no card View Plans

Restic-friendly, no egress fees, cancel anytime

Bitcoin-friendly: We accept on-chain BTC and Lightning via self-hosted BTCPay. See Restic backup paid with Bitcoin for the full breakdown.
