Backups are very useful and in the event of fire or theft it is very useful to have them offsite, however offsite backups leave your data at risk of compromise if the offsite storage is attacked.
To prevent an attacker from locating your offsite backup (e.g. if you were backing up your laptop whilst in a hotel) and preventing theft of the data in the event the location is discovered one can use Tor and GPG.
As the data is encrypted at rest it is safe to use any number of VPS providers because even if they accidently attach your volume to someone elses instance the data is still unreadable.
Installing Tor for your server is explained on the Tor project website with that done you can check the Hidden Service manual for general advice on configuring a Hidden Service but it basically boils down to;
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 22 127.0.0.1:22
It is not advisable to run your Tor instance as a relay as whilst this will help the Tor network and could also provide a certain amount of traffic to/from the offsite server which may help mask its origin and frustrate correlation attacks if the relay goes down at the same time as your hidden service this would be a different form of correlation attack.
You could elect to run it as a private bridge for your own use too;
BridgeRelay 1 PublishServerDescriptor 0
##Configuring The Source: The following bash script is relatively well commented;
#!/bin/bash NOW=$(date +"%a") FILE="backup-$NOW.tar.gz" echo $FILE echo "Backup up directory 1" tar cf /backup/dir1.tar /directory1 echo "Backup high io" tar cf /backup/dir2.tar /directory2 echo "Backup up DBs;" for DB in mysql db1 db2 db3 db4 do echo $DB mysqldump $DB > /backup/$DB.sql done echo "Taring DBs" tar cf /backup/dbs.tar /backup/*.sql echo "Creating compressed tgz of all tars" tar czf /backup/$FILE /backup/*.tar echo "Encrypting" time gpg --encrypt --recipient firstname.lastname@example.org /backup/$FILE echo "Done" echo "Deleting unencrypted backups" rm /backup/*.tar /backup/*.sql echo "Done" echo "SCPing to Hidden Service" scp -i /root/backup.key -o ProxyCommand='nc --proxy 127.0.0.1:9150 \ --proxy-type socks5 %h %p' /backup/$FILE.gpg email@example.com: echo "Done" echo "RM'ing local GPG backup" rm /backup/$FILE.gpg echo "Done"