A Raspberry Pi with an encrypted external drive makes a surprisingly capable backup server. For under £100 in hardware, you get an always-on, low-power backup target that you control — no subscriptions, no cloud dependency, and full encryption at rest.
Why Build Your Own Backup Server?
- You own the hardware and data — no third-party cloud provider involved
- One-time cost — no monthly subscription fees
- Full-disk encryption — data at rest is protected if the device is stolen
- Local network speed — backup over Gigabit Ethernet, not internet upload
- Learning opportunity — understand exactly how your backups work
This project pairs well with a cloud backup for off-site redundancy. See our comparison of air-gapped vs. cloud backups for why both matter.
What You’ll Need
| Component | Recommendation | Approx. Cost |
|---|---|---|
| Raspberry Pi 5 (4 GB+) | Pi 5 for USB 3.0 and better I/O | £55 |
| MicroSD card (32 GB) | For the OS | £8 |
| External USB HDD/SSD | 1 TB+ for backup storage | £40–80 |
| USB-C power supply | Official Pi 5 PSU (5V 5A) | £10 |
| Ethernet cable | Gigabit for reliable backup speed | £3 |
| Case (optional) | Passive cooling case | £10 |
Total: approximately £125–165
Step 1: Install the OS
Flash Raspberry Pi OS Lite (64-bit) to the microSD card using the Raspberry Pi Imager:
- Download Raspberry Pi Imager
- Select Raspberry Pi OS Lite (64-bit) — no desktop environment needed for a server
- Click the gear icon to pre-configure: hostname, SSH enabled, username/password, Wi-Fi (optional)
- Flash to the microSD card
Insert the card, connect Ethernet and power, and SSH in:
ssh [email protected]
Step 2: Set Up LUKS Encryption on the External Drive
Connect the external USB drive and identify it:
sudo lsblk
The external drive is typically /dev/sda. This will erase all data on the drive:
# Install cryptsetup
sudo apt update && sudo apt install -y cryptsetup
# Create a LUKS-encrypted partition
sudo cryptsetup luksFormat /dev/sda1
# Confirm with YES (uppercase), enter a strong passphrase
# Open the encrypted volume
sudo cryptsetup open /dev/sda1 backupvault
# Create a filesystem
sudo mkfs.ext4 /dev/mapper/backupvault
# Create a mount point and mount
sudo mkdir -p /mnt/backup
sudo mount /dev/mapper/backupvault /mnt/backup
Auto-Unlock With a Key File (Optional)
For an always-on server, you may want the drive to unlock automatically on boot using a key file stored on the SD card:
# Generate a key file
sudo dd if=/dev/urandom of=/root/backup-keyfile bs=1024 count=4
sudo chmod 600 /root/backup-keyfile
# Add the key file to LUKS
sudo cryptsetup luksAddKey /dev/sda1 /root/backup-keyfile
Add entries to /etc/crypttab and /etc/fstab for automatic mounting. Be aware this trades security for convenience — if the Pi is stolen, the key file on the SD card can unlock the drive. For higher security, enter the passphrase manually after each reboot.
Step 3: Set Up a Backup Service
Option A: Samba Share (Windows-Friendly)
Install Samba so Windows machines can back up to the Pi:
sudo apt install -y samba
Edit /etc/samba/smb.conf and add:
[backup]
path = /mnt/backup
browseable = yes
writable = yes
valid users = pi
create mask = 0700
directory mask = 0700
Set the Samba password and restart:
sudo smbpasswd -a pi
sudo systemctl restart smbd
From Windows, access \\backupserver\backup and use it as a backup target.
Option B: Rsync Over SSH (More Secure)
For Linux/macOS clients (or Windows with WSL):
rsync -avz --delete /path/to/data/ [email protected]:/mnt/backup/mydata/
This is more secure than Samba (SSH-encrypted transfer) and supports incremental backups.
Step 4: Automate Backups From Windows
Use Windows Task Scheduler with a robocopy script:
@echo off
net use Z: \\backupserver\backup /user:pi PASSWORD /persistent:no
robocopy "C:\Users\Jamie\Documents" "Z:\documents" /MIR /R:3 /W:10 /LOG:C:\backup.log
net use Z: /delete
Schedule this to run daily. For better security, use Windows Credential Manager instead of embedding the password.
Encrypt sensitive files before backing them up to the server for an extra layer of protection. See Windows Encryption Basics for options.
Step 5: Monitoring and Maintenance
Set up basic monitoring:
# Check drive health
sudo apt install -y smartmontools
sudo smartctl -a /dev/sda
# Check disk space
df -h /mnt/backup
# Set up email alerts (optional)
sudo apt install -y msmtp msmtp-mta
Create a weekly cron job to check drive health and email you if SMART errors are detected.
Security Considerations
- Change the default SSH port and disable password authentication (use SSH keys)
- Keep the Pi updated:
sudo apt update && sudo apt upgrade - Firewall: Install
ufwand allow only SSH and Samba from your LAN - Physical security: The Pi should be in a secure location — anyone who steals the Pi and SD card can potentially access the backup drive
For storing the LUKS passphrase securely, see our offline vault workflow and password manager guide.
Key Takeaways
- A Raspberry Pi backup server is affordable, private, and fully encrypted
- LUKS encryption protects your data if the hardware is stolen
- Combine this local backup with a cloud backup for the 3-2-1 rule
- Regularly test restores and monitor drive health
Further Reading
- Raspberry Pi Documentation — Official setup and configuration guides
- LUKS — Linux Unified Key Setup — Encryption tool documentation
- NIST SP 800-111 — Guide to Storage Encryption Technologies — Encryption best practices
- CISA — Securing network infrastructure — Network security guidance
- Samba Documentation — File sharing setup