If you make a second backup tomorrow, you'll end up with a new (huge) encrypted tar. restic handles deltas when creating a second backup, and writes new files so that tools like rsync or rclone have to do less work to upload the new data.

That said, I don't see anything strictly _wrong_ with your approach.

No deduplication is a tradeoff I'm willing to make for simplicity and less things that can go wrong :)

Use specialized backup tools! There are cryptographic constructions designed specifically for backup. You will get better backup and better encryption.

"Better backup" aside, as I understand that I'd miss out on deduplication and all the other things backup software can do like keeping track of what it has backed up etc.

"Better encryption": Can you explain why age's encryption isn't sufficient if it's recommended for encrypting files? Really want to understand how it's recommended for encrypting and sharing a file over an untrusted channel like email, but not recommended to encrypt a file and upload it to an untrusted server.

I made a tiny shell script that combines tar+age, you may find it useful for simplicity

https://github.com/arcxio/urn/blob/main/urn

It’s obviously not practical except for small data, for many obvious reasons.

You may expect tools such as restic or Borg or rclone should use Age. But they don’t, because they need their own file formats.

Restic is excellent. I can’t recommend it enough.