diff --git a/README.md b/README.md index 2eda54d..c7693b4 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,22 @@ [Authentik](https://goauthentik.io/) based SSO for our sevices. -## Prerequisites - Server Setup +## Table of Contents + +- [`sso.base23.de` - Base23 SSO for all services](#ssobase23de---base23-sso-for-all-services) + - [Table of Contents](#table-of-contents) + - [Prerequisites](#prerequisites) + - [Server Setup](#server-setup) + - [Base23 Docker registry login](#base23-docker-registry-login) + - [Installation](#installation) + - [Clone \& configure initially](#clone--configure-initially) + - [Fist run](#fist-run) + - [Upgrade](#upgrade) + - [Rebuild containers locally](#rebuild-containers-locally) + +## Prerequisites + +### Server Setup ```shell apt update \ @@ -29,16 +44,37 @@ apt update \ && unset TEMP_DIR ``` +### Base23 Docker registry login + +```shell +docker login -u gitlab+deploy-token-5 registry.git.base23.de +``` + ## Installation -Clone & configure initially: +### Clone & configure initially + +1. [Create a Storage Box sub account](https://confluence.base23.de/pages/viewpage.action?pageId=27820074). +2. Enter the username to `env.template`. +3. Run the initial configuration script: ```shell cd /root/apps \ && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \ && cd sso.base23.de \ - && ./scripts/init.sh \ - && docker compose build --no-cache \ + && ./scripts/init.sh +``` + +4. Use the generated SSH key and copy it to the Hetzner Storage box for backups: + +```shell +ssh-copy-id -i ./data/restic/ssh/id_ed25519 -p 23 -s u291924-sub4@u291924.your-storagebox.de +``` + +### Fist run + +```shell +docker compose build --no-cache \ --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \ --build-arg SRC_REV=$(git rev-parse --short HEAD) \ && docker compose up -d; docker compose logs -f diff --git a/env.template b/env.template index abc279c..b1134b6 100644 --- a/env.template +++ b/env.template 
@@ -56,3 +56,8 @@ NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always'
 NGINX_SSL_STAPLING=on
 NGINX_SSL_STAPLING_VERIFY=on
+# Restic configuration
+RESTIC_REPO_USER=u291924-sub4
+RESTIC_REPO_ADDRESS=u291924.your-storagebox.de
+RESTIC_REPO_PORT=23
+
diff --git a/scripts/init.sh b/scripts/init.sh
index a895189..1bfcdb7 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -38,9 +38,16 @@ if [[ ! -f ./.env ]]; then
 echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> ./.env
 prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
 prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
+ prompt_password "RESTIC_REPO_PASSWORD"; echo "RESTIC_REPO_PASSWORD=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
 echo "" >> ./.env
 fi
+# Check if ssh key already exists, otherwise generate one
+if [[ ! -f ./data/restic/ssh/ ]]; then
+ [[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/
+ ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519
+fi
+
 # Generate dhparam, if not existing
 [[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs && chown 101:101 ./data/nginx/certs || true
 [[ ! -f ./data/nginx/dhparams.pem ]] && echo "" && openssl dhparam -out ./data/nginx/dhparams.pem 4096 && chown 101:101 ./data/nginx/dhparams.pem \
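Review bot: `RESTIC_REPO_USER` and `RESTIC_REPO_ADDRESS` are committed to the tracked template with a concrete sub-account and host, while the README step added in this same commit tells the operator to enter their own username into `env.template`. A labelled placeholder such as `RESTIC_REPO_USER=<storage-box-sub-account>` and `RESTIC_REPO_ADDRESS=<storage-box-host>` makes that step unambiguous and keeps one deployment's backup-target identifiers out of the template every clone starts from. Leaving `RESTIC_REPO_PASSWORD` out of the template and prompting for it in `init.sh` is the right split; a one-line comment here saying so would save the next reader from looking for it.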
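Review bot: The guard `if [[ ! -f ./data/restic/ssh/ ]]; then` tests a directory path with `-f`, which is never true for a directory, so the condition always holds and `ssh-keygen` runs on every invocation of the script, prompting to overwrite the existing key on re-runs instead of skipping as the comment intends. Test the key file itself: `if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then`. The `[[ ! -d … ]] &&` pre-check on the next line is redundant because `mkdir -p` is idempotent; mirroring the treatment of `./data/nginx/certs` further down, `mkdir -p ./data/restic/ssh && chmod 700 ./data/restic/ssh` would also restrict the directory that holds the private key. `ssh-keygen` without `-N` prompts interactively for a passphrase, so if this key is intended for unattended restic runs that should be either passed as `-N ''` or documented as a deliberate choice. The `if [[ ! -f ./.env ]]` block at the top of the hunk begins outside it.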