After giving it a little more thought, I just came up with the following proposal:

As before, rent a second storage server ("B"). Use a different filesystem than vostok for the backup-storage mountpoint. Use duplicity/duply on the servers for our secondary backup-chain.

Duply/Duplicity allow for asymmetric crypto using gpg and they support separate keys for signing and encrypting. Each server could have its own keypair so that it can sign its own backups. For encryption we could use the Arch Linux Master keys?! (The individual servers only need the public key parts, obviously).

Although duplicity/duply are not as "fancy" as borg, we could follow some kind of "weekly full backup" with "incremental daily backups". Of course we would need to deny the servers deletion/prune permissions on "B" but this time we could use some sort of find -mtime +90 algorithm on "B" for cleanup.

This would be a considerable benefit over borg for the secondary backup chain as the servers themselves are not able to decrypt their own backups, hence an attacker couldn't do that either.

As this would be part of a "disaster recovery" backup chain, it should not be an issue that the backups can only be decrypted by our Master keys (or a new set of privileged keys that only a very few selected members will be given access to) because for our day-to-day restore needs we could continue to use borg. (And the awesome borg-restore.pl script from Florian)

I think this is a more complete concept and could suit us well.

Feedback welcome! (For my previous "failed" attempts too!)

Cheers,
Thore
--
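Added example, not part of the original post: a chain-aware variant of the find -mtime +90 cleanup on "B". A plain age cut-off can delete a full backup while younger incrementals still depend on it, so this version expires a chain only as a unit. It assumes duplicity's default file naming; `expired_files` and `SAMPLE` are names introduced here.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed: duplicity's default names, e.g. duplicity-inc.<t1>.to.<t2>.vol1.difftar.gpg
NAME = re.compile(
    r"^duplicity-(full|inc|full-signatures|new-signatures)"
    r"\.(\d{8}T\d{6}Z)(?:\.to\.(\d{8}T\d{6}Z))?\."
)

# Constructed sample listing of the backup directory on "B".
SAMPLE = [
    "duplicity-full.20240220T020000Z.vol1.difftar.gpg",
    "duplicity-full-signatures.20240220T020000Z.sigtar.gpg",
    "duplicity-inc.20240220T020000Z.to.20240221T020000Z.vol1.difftar.gpg",
    "duplicity-full.20240301T020000Z.vol1.difftar.gpg",
    "duplicity-inc.20240301T020000Z.to.20240304T020000Z.vol1.difftar.gpg",
    "README.txt",
]

def _ts(text):
    return datetime.strptime(text, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def expired_files(names, now, keep_days=90):
    """Return the files of every chain whose newest member is older than
    keep_days. A chain is one full backup plus the incrementals taken
    before the next full; it is expired as a unit or not at all."""
    parsed = []
    for name in names:
        m = NAME.match(name)
        if not m:
            continue  # unknown file: never delete what cannot be classified
        kind, start, end = m.groups()
        parsed.append((name, kind.startswith("full"), _ts(start), _ts(end or start)))

    fulls = sorted({start for _, is_full, start, _ in parsed if is_full})
    chains = {f: [] for f in fulls}
    for name, _, start, end in parsed:
        # A file belongs to the latest full taken at or before its start time.
        owners = [f for f in fulls if f <= start]
        if owners:  # incrementals without any full are left for manual review
            chains[owners[-1]].append((name, end))

    cutoff = now - timedelta(days=keep_days)
    doomed = []
    for members in chains.values():
        if max(end for _, end in members) < cutoff:
            doomed.extend(name for name, _ in members)
    return sorted(doomed)
```

With the sample listing and a run date of 2024-06-01, the 2024-03-01 full is past 90 days but is kept because its incremental is not; only the complete February chain is returned for deletion.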