How to Back Up Your Server Offsite with rclone and SFTP

Object storage charges per-GB for egress. If you store 2TB on S3 and need to restore it, you're looking at ~$185 in transfer fees on top of whatever you've paid in monthly storage. A flat-rate VPS with SSH access sidesteps this entirely — you pay one price, move data freely.

rclone is the right tool for the job. It speaks SFTP natively, handles incremental copies efficiently, and can be automated with a single cron line. This guide walks through the full setup: SSH key auth, rclone config, running your first backup, and automating it.

What You Need

Source machine: the server you want to back up (any Linux machine with SSH access)
Destination VPS: a BulkVM VPS — or any server you can SSH into
Root or sudo access on both machines

Step 1: Create an SSH Key for Backups

Automated backups need passwordless SSH. The right approach is a dedicated key pair — not your main login key.

On the source machine:

ssh-keygen -t ed25519 -f ~/.ssh/backup_key -N "" -C "backup"

This creates two files: ~/.ssh/backup_key (private key, stays on the source) and ~/.ssh/backup_key.pub (public key, goes on the destination).

Copy the public key to your destination VPS:

ssh-copy-id -i ~/.ssh/backup_key.pub root@YOUR_VPS_IP

Test it:

ssh -i ~/.ssh/backup_key root@YOUR_VPS_IP "echo connected"

If you see connected without a password prompt, you're good.

If ssh-copy-id isn't available, copy the key manually: cat ~/.ssh/backup_key.pub | ssh root@YOUR_VPS_IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Step 2: Create a Backup Directory on the Destination

On the destination VPS, create a dedicated directory for your backups:

ssh -i ~/.ssh/backup_key root@YOUR_VPS_IP "mkdir -p /mnt/data/backups"

If your HDD storage volume isn't mounted yet, see our guide on formatting and mounting additional storage first.

Step 3: Install rclone on the Source Machine

On the source machine:

curl https://rclone.org/install.sh | sudo bash

Or via your package manager on Debian/Ubuntu:

sudo apt install rclone

Verify it installed:

rclone version

Step 4: Configure the SFTP Remote

rclone stores remote configurations in ~/.config/rclone/rclone.conf. You can configure it interactively with rclone config, or write the config directly. The direct approach is faster:

mkdir -p ~/.config/rclone

cat >> ~/.config/rclone/rclone.conf << 'EOF'
[offsite]
type = sftp
host = YOUR_VPS_IP
user = root
key_file = /root/.ssh/backup_key
EOF

Replace YOUR_VPS_IP with your VPS IP address. If you're running as a non-root user, update the user and key_file path accordingly.

Test the connection:

rclone lsd offsite:

You should see a listing of the directories on your VPS. If you get an error, double-check the IP, username, and key file path.

Step 5: Run Your First Backup

Copy a directory from the source to the destination:

rclone copy /var/www offsite:/mnt/data/backups/www --progress

The --progress flag shows a live transfer summary. On the first run this copies everything; subsequent runs only copy files that are new or have changed.

rclone compares files by size and modification time by default. You can add --checksum to compare by hash instead — slower, but catches files where the content changed without the mtime updating.

Understanding copy vs sync

rclone has two main commands for this use case:

rclone copy — copies files that are missing or newer at the destination. Never deletes anything at the destination.
rclone sync — makes the destination an exact mirror of the source. Deletes files at the destination that no longer exist at the source.

rclone sync is more disk-efficient long term, but it's dangerous if you accidentally point it at the wrong source path — it will delete everything at the destination that isn't in the source. If you use sync, always test with --dry-run first:

rclone sync /var/www offsite:/mnt/data/backups/www --dry-run

For most backup setups, rclone copy is the safer default. You accumulate old files at the destination, but nothing gets deleted unexpectedly.

One limitation worth knowing: rclone backups are plain files, and the SSH key on your source machine can delete them. If an attacker compromises the source, they can wipe the destination too. For encrypted, deduplicated backups that a compromised server can't delete, see our guide to ransomware-proof backups with BorgBackup.

Step 6: Back Up Multiple Directories

Run separate commands for each directory you want to back up:

rclone copy /var/www offsite:/mnt/data/backups/www --progress
rclone copy /home offsite:/mnt/data/backups/home --progress
rclone copy /etc offsite:/mnt/data/backups/etc --progress

Databases: Do not copy live database files directly — the files will be in an inconsistent state during the copy. Dump first, then copy the dump file.

MySQL/MariaDB: mysqldump -u root --all-databases > /tmp/db.sql
PostgreSQL: pg_dumpall -U postgres > /tmp/db.sql

Then include /tmp/db.sql in your backup copy.

Step 7: Automate with Cron

Open the crontab editor:

crontab -e

Add a line to run the backup nightly at 3 AM:

0 3 * * * /usr/bin/rclone copy /var/www offsite:/mnt/data/backups/www --log-file=/var/log/rclone-backup.log --log-level INFO

If you have multiple directories to back up, create a shell script instead:

nano /usr/local/bin/offsite-backup.sh

#!/bin/bash
set -e

RCLONE=/usr/bin/rclone
DEST=offsite:/mnt/data/backups
LOG=/var/log/rclone-backup.log
OPTS="--log-file=$LOG --log-level INFO"

# Dump databases first
mysqldump -u root --all-databases > /tmp/db-backup.sql

# Copy directories
$RCLONE copy /var/www $DEST/www $OPTS
$RCLONE copy /home $DEST/home $OPTS
$RCLONE copy /etc $DEST/etc $OPTS
$RCLONE copy /tmp/db-backup.sql $DEST/db $OPTS

# Clean up
rm -f /tmp/db-backup.sql

Make it executable:

chmod +x /usr/local/bin/offsite-backup.sh

Schedule it:

0 3 * * * /usr/local/bin/offsite-backup.sh

Step 8: Verify the Backup

Check what's on the destination:

rclone ls offsite:/mnt/data/backups/www | head -20

Check total size:

rclone size offsite:/mnt/data/backups

Run a check to verify file integrity (compares checksums between source and destination):

rclone check /var/www offsite:/mnt/data/backups/www

The check command will report any files that differ or are missing. Run it after your first backup to confirm the copy completed correctly.

Checking the Log

After the first automated run, check the log to confirm it ran cleanly:

tail -50 /var/log/rclone-backup.log

A clean run ends with a stats block showing bytes transferred and no errors. If you see errors, they'll appear on lines tagged ERROR.

Quick Reference

# Generate SSH key
ssh-keygen -t ed25519 -f ~/.ssh/backup_key -N "" -C "backup"
ssh-copy-id -i ~/.ssh/backup_key.pub root@YOUR_VPS_IP

# Install rclone
curl https://rclone.org/install.sh | sudo bash

# Configure remote (~/.config/rclone/rclone.conf)
[offsite]
type = sftp
host = YOUR_VPS_IP
user = root
key_file = /root/.ssh/backup_key

# Test connection
rclone lsd offsite:

# Run backup
rclone copy /var/www offsite:/mnt/data/backups/www --progress

# Dry-run sync (preview deletions before committing)
rclone sync /var/www offsite:/mnt/data/backups/www --dry-run

# Check integrity
rclone check /var/www offsite:/mnt/data/backups/www

# View remote size
rclone size offsite:/mnt/data/backups

Offsite backup VPS starting at $5/month

2TB ZFS storage, flat monthly rate, no egress fees. SSH in and copy whatever you need back.

See the Backup VPS All Plans