GRC Notes

Because the nature of cloud services (like Notion) requires them to “read” your data to display it, almost no SaaS backup provider (like Probackup, Rewind, or BackupLabs) offers true Zero-Knowledge encryption. To offer features like “restore a single page,” they must be able to index your data, which requires them to hold the decryption keys.

If total privacy is your priority (where only you hold the keys), you must move away from “set-it-and-forget-it” SaaS tools and use Self-Hosted / “DIY” methods.

Here are the best Zero-Knowledge strategies for both platforms.

1. For GitHub (Easier)

Because GitHub is based on Git (a file-based system), it is very easy to pull your data offline and encrypt it yourself.

The Strategy: You clone your repositories to your own machine/server, encrypt them locally, and then push the encrypted blob to a cloud storage provider (like AWS S3, Backblaze B2, or Google Drive).

Recommended Tools:

The Workflow:

  1. Script a “Git Mirror” of your repos: git clone --mirror git@github.com:username/repo.git
  2. Run Restic or Kopia to back up that folder to your cloud storage.

Result: Zero-Knowledge. Only you have the password to decrypt the repo.
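
The two workflow steps above as one script, added here as an example (it is not part of the original notes). It assumes restic is the backup tool and that `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE` are set in the environment; `MIRROR_ROOT`, `REPO_LIST`, `DRY_RUN`, the default paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes). Paths and variable names are assumptions.
set -eu

MIRROR_ROOT="${MIRROR_ROOT:-/srv/git-mirrors}"        # assumed local staging directory
REPO_LIST="${REPO_LIST:-/etc/zk-backup/repos.txt}"    # assumed: one clone URL per line
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print commands, run nothing

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# git@github.com:username/repo.git -> $MIRROR_ROOT/username/repo.git
# Rejects anything that is not exactly owner/name, so a bad line in the
# list cannot make the script write outside MIRROR_ROOT.
mirror_dir_for() {
    slug=${1#*github.com[:/]}
    [ "$slug" != "$1" ] || { echo "not a github.com URL: $1" >&2; return 1; }
    slug=${slug%.git}
    case $slug in
        */*/*|*..*|/*|*/) echo "unexpected repo path: $1" >&2; return 1 ;;
        */*) ;;
        *) echo "unexpected repo path: $1" >&2; return 1 ;;
    esac
    printf '%s/%s.git\n' "$MIRROR_ROOT" "$slug"
}

# Clone on first run, refresh afterwards, then verify object integrity.
sync_repo() {
    dir=$(mirror_dir_for "$1") || return 1
    if [ -d "$dir" ]; then
        run git -C "$dir" remote update --prune
    else
        run git clone --mirror "$1" "$dir"
    fi
    run git -C "$dir" fsck --no-dangling   # do not back up a corrupt mirror
}

main() {
    # restic encrypts client-side; the storage provider never sees this password.
    : "${RESTIC_REPOSITORY:?set to your restic repository location}"
    : "${RESTIC_PASSWORD_FILE:?set to a password file readable only by you}"
    while IFS= read -r url; do
        case $url in ''|'#'*) continue ;; esac
        sync_repo "$url"
    done < "$REPO_LIST"
    run restic backup --tag github-mirror "$MIRROR_ROOT"
    run restic check   # confirm the repository is readable after the upload
}

case ${1:-} in run) main ;; esac
```

Invoke it with the single argument `run` from cron or a systemd timer; setting `DRY_RUN=1` first prints the git and restic commands without touching the network.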

2. For Notion (Harder)

Notion is harder because your data lives in a proprietary database, not as simple files. There is currently no 3rd-party SaaS that can back up Notion without seeing your data.

The Strategy: You must automate the “Export” feature in Notion, download the export to your computer, and then encrypt it.

Recommended Tools:

The Workflow:

  1. Automate the Export: Set up a script (e.g., on a local NAS, a Raspberry Pi, or your always-on computer) to request a Notion export nightly.
  2. Download: The script downloads the .zip file from Notion.
  3. Encrypt: Move that .zip file into a Cryptomator vault (or use Restic/VeraCrypt).
  4. Sync: Let a standard cloud tool (like Dropbox/Google Drive) sync the encrypted vault file.

Result: Google/Dropbox sees only encrypted gibberish. Notion sees your data (obviously), but no backup company sits in the middle.
