#. Clean up the remote copies of the backup file ::
[REMOTE]$ rm -iv recovery.tar.bz2
Storage Directories
~~~~~~~~~~~~~~~~~~~
The user ciphertext is backed up to a separate location using `Borg backup <https://borgbackup.readthedocs.io/>`_ and `borgbase.com <https://borgbase.com>`_.
Borg backup uses a *RepoKey* secured by a *passphrase* to encrypt the backup data, and an *SSH key* to authenticate against the backup service (borgbase).
Each Borg backup job requires one *backup repository* (at borgbase).
SSH keys
````````
Borgbase `recommends creating ed25519 ssh keys with one hundred KDF rounds <https://www.borgbase.com/ssh>`_.
We create one key pair per grid (not per host)::
$ ssh-keygen -f borgbackup-appendonly-staging -t ed25519 -a 100
$ ssh-keygen -f borgbackup-appendonly-production -t ed25519 -a 100
Save the key without a passphrase, and upload the public part to `Borgbase SSH keys <https://www.borgbase.com/ssh>`_.
Next, create repositories to back up to.
Passphrase
``````````
Make up a passphrase to encrypt our repository key with, use computer help if you like::
nix-shell --packages pwgen --command 'pwgen --secure 83 1' # 83 is the year I was born. Very random.
Create & initialize the backup repository
`````````````````````````````````````````
Borgbase.com offers a `borgbase.com GraphQL API <https://docs.borgbase.com/api/>`_, but since our current number of repositories is small, we save time by creating the repositories by clicking a few buttons in the `borgbase.com Web Interface <https://www.borgbase.com/repositories>`_.
Set up one repo per backup job.
Set the *Repository Name* to the FQDN of the host to be backed up, add the SSH key created earlier as *Append-Only Access* key and leave the other settings at their defaults.
Once only: Initialize those repositories with our chosen parameters::
