Duplicati
Encrypted, incremental, compressed backups on storage you already have - Amazon S3, Backblaze B2, Google Drive, Azure, OneDrive, Dropbox, MEGA, Storj, WebDAV, SFTP, FTP, SMB, or a plain local disk - is what the MIT-licensed Duplicati has quietly done for years. Its security model is Trust No One: every block is encrypted with AES-256 (or a local GPG instance) before leaving the machine, and the passphrase never travels, so the storage provider holds only ciphertext. The block-based storage engine gives the best of both backup worlds: after one initial full backup, only changed data blocks upload - modify a tiny part of a huge file and only that part transfers - yet every backup version restores like a full backup in a single operation, with no incremental chains to replay. Deduplication and compression keep remote storage growth slow even across years of versions. A web interface manages everything: the built-in scheduler keeps backups current automatically, flexible filters select folders, file types, or custom patterns, retention policies prune old versions, and an integrated updater flags new releases. On compatible object-lock backends, immutable (WORM) storage protects backup data from ransomware that reaches the credentials. Runs on Windows, macOS, and Linux, free even for commercial use.
Kopia
Engineers who have outgrown Duplicati or rsync scripts tend to appreciate Kopia's design: encrypted, compressed, content-deduplicated snapshots in Go, stored in a repository on any storage you control - S3, Google Cloud Storage, Azure Blob, Backblaze B2, SFTP, WebDAV, or a plain filesystem. Encryption is mandatory and end-to-end: every block is encrypted client-side with AES-256-GCM or ChaCha20-Poly1305 using keys derived from your repository password, and even file names never leave the machine in plaintext. Blocks are packed into 20-40 MB blobs with random names, so the storage provider learns nothing about content or structure. Deduplication is automatic and content-based - identical data across files, snapshots, and even multiple machines backing up to the same repository is stored once. Policies govern everything per-directory: compression choice, retention (hourly through annual), scheduling, and ignore rules. Incremental snapshots are point-in-time records you can mount and browse like a filesystem. This deployment runs the Kopia repository server with its web UI, centralizing backups from multiple client machines over an authenticated API - each client connects with the server URL and certificate fingerprint, and users only see their own snapshots. Error correction, high-latency-tolerant caching, and both CLI and GUI round it out.