diff --git a/docs/ops/backup-recovery.rst b/docs/ops/backup-recovery.rst index a39c96dfa859203d6b54c1812e70414715b920e9..93ccf4ae5aeb72c85ef4e35dc3fb3a700e1d1580 100644 --- a/docs/ops/backup-recovery.rst +++ b/docs/ops/backup-recovery.rst 
@@ -113,3 +113,50 @@ Recovery #. Clean up the remote copies of the backup file :: [REMOTE]$ rm -iv recovery.tar.bz2 + +Storage Directories +~~~~~~~~~~~~~~~~~~~ + +The user ciphertext is backed up to a separate location using `Borg backup <https://borgbackup.readthedocs.io/>`_ and `borgbase.com <https://borgbase.com>`_. +Borg backup uses a *RepoKey* secured by a *passphrase* to encrypt the backup data, and an *SSH key* to authenticate against the backup service (borgbase). +Each Borg backup job requires one *backup repository* (at borgbase). + + +SSH keys +```````` +Borgbase `recommends creating ed25519 ssh keys with one hundred KDF rounds <https://www.borgbase.com/ssh>`_. +We create one key pair per grid (not per host):: + + $ ssh-keygen -f borgbackup-appendonly-staging -t ed25519 -a 100 + $ ssh-keygen -f borgbackup-appendonly-production -t ed25519 -a 100 + +Save the key without a passphrase, and upload the public part to `Borgbase SSH keys <https://www.borgbase.com/ssh>`_. +Next, create repositories to back up to. + +Passphrase +`````````` + +Make up a passphrase to encrypt our repository key with, use computer help if you like:: + + nix-shell --packages pwgen --command 'pwgen --secure 83 1' # 83 is the year I was born. Very random. + +Create & initialize the backup repository +````````````````````````````````````````` + +Borgbase.com offers a `borgbase.com GraphQL API <https://docs.borgbase.com/api/>`_, but since our current number of repositories is small, we save time by creating the repositories by clicking a few buttons in the `borgbase.com Web Interface <https://www.borgbase.com/repositories>`_. + +Set up one repo per backup job. +Set the *Repository Name* to the FQDN of the host to be backed up, add the SSH key created earlier as *Append-Only Access* key and leave the other settings at their defaults. 
+ +Once only: Initialize those repositories with our chosen parameters:: + + export BORG_PASSCOMMAND="cat borgbackup-passphrase-staging" + export BORG_RSH="ssh -i borgbackup-appendonly-staging" + borg init -e repokey-blake2 xyxyx123@xyxyx123.repo.borgbase.com:repo + +Recovery +```````` + +Borg offers various methods to restore backups. +Very convenient is mounting a backup set using FUSE. +Please consult the Borg documentation.
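Review bot: the "Passphrase" and "Create & initialize" steps never say where the generated passphrase (read via `BORG_PASSCOMMAND="cat borgbackup-passphrase-staging"`) and the passphrase-less private keys (`borgbackup-appendonly-staging`, `-production`) are to be stored, and with `-e repokey-blake2` the key material lives inside the repository encrypted under that passphrase, so losing the passphrase makes every backup in the repo unrecoverable; add a sentence naming the secrets location for both files and recommend exporting the key (`borg key export`) to the same place right after `borg init`. The `Recovery` subsection only points at the Borg documentation; since this section is the one an operator reads during an incident, it should at least list the two environment variables above and the `borg mount`/`borg extract` invocation against the `xyxyx123@xyxyx123.repo.borgbase.com:repo` form used in the init step, and it should also state that the init example is for staging only and must be repeated with the production passphrase file and key. Finally, the new `Recovery` heading duplicates the existing top-level `Recovery` heading in this file, which makes the rendered table of contents ambiguous; consider "Restoring from Borg" or similar.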