- Always use encrypted repositories with strong passphrases.
- Store passphrases in a secrets manager, not shell history or plain files.
- Restrict repository path permissions to the backup user only.
- Use SSH with key-based authentication for remote repositories.
- Disable password SSH logins on backup targets.
- Pin known hosts and avoid host key checking bypasses.
- Run periodic `borg check` and verify restores in staging.
- Enable append-only mode on remote repositories where possible.
- Keep immutable/offline copies to mitigate ransomware scenarios.
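Three of the items above (passphrase via a secrets manager, repository permissions restricted to the backup user, append-only SSH access pinned to one key and one repository) as an added shell example that is not part of the original checklist. It assumes OpenSSH's `restrict` authorized_keys keyword, GNU coreutils `stat`, and a placeholder secrets-manager command; the borg flags `--append-only` and `--restrict-to-repository` are real `borg serve` options.

```shell
#!/bin/sh
# Added example: helpers for a hardened BorgBackup deployment.

# Hand the passphrase to borg through BORG_PASSCOMMAND so it never appears in
# argv, shell history or a plain file. The command itself is a placeholder
# standing in for whatever secrets-manager CLI you use (assumption).
export_borg_passcommand() {
    secret_cmd="$1"            # e.g. 'pass show backup/borg' (placeholder)
    BORG_PASSCOMMAND="$secret_cmd"
    export BORG_PASSCOMMAND
    unset BORG_PASSPHRASE      # ensure no plaintext copy is inherited
}

# Return 0 only if the repository directory is owned by the backup user and
# has no group/other permission bits (0700 or stricter). Assumes GNU stat.
repo_perms_ok() {
    repo_path="$1"; expected_user="$2"
    owner=$(stat -c '%U' "$repo_path" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$repo_path" 2>/dev/null) || return 1
    [ "$owner" = "$expected_user" ] || return 1
    # Keep only the group and other digits (drops any setuid/sticky prefix).
    group_other=$(printf '%s' "$mode" | tail -c 2)
    [ "$group_other" = "00" ]
}

# Build an authorized_keys line on the backup target that forces this client
# key into 'borg serve' for exactly one repository, append-only, with every
# other SSH feature (pty, forwarding, rc files) disabled via 'restrict'.
borg_authorized_keys_line() {
    repo_path="$1"; pubkey="$2"
    printf 'command="borg serve --append-only --restrict-to-repository %s",restrict %s\n' \
        "$repo_path" "$pubkey"
}

# Usage (constructed values): print the line to append on the target, then
# audit a local repository directory before running a backup job.
if [ "${1:-}" = "demo" ]; then
    borg_authorized_keys_line /srv/borg/host1 'ssh-ed25519 AAAAEXAMPLEKEY host1-backup'
    repo_perms_ok /srv/borg/host1 borg && echo "repo permissions ok"
fi
```

Because the client key is tied to `--append-only`, a compromised client can add archives but cannot delete or prune existing ones; pruning must be done from a separately authorized administrative key.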