Do encrypted backups with Borgbackup or similar. That means the server never sees the plaintext or the decryption keys. The encryption happens on the client. Since it’s public-key encryption (separate keys for encryption and decryption), the client doesn’t need the decryption key either, except when restoring. So your backup can be automated without secret keys.