diff --git a/test-and-deploy.yml b/test-and-deploy.yml
index 6783161bc10bddfc9a7c7866c4a22392c830d47e..7f55e102a7224fdc4816420aa09db032198a4cc8 100644
--- a/test-and-deploy.yml
+++ b/test-and-deploy.yml
@@ -428,7 +428,7 @@ Debug:
     - mkdir -p /data/${CI_COMMIT_REF_NAME}/redis
     - echo "BORG_PASSPHRASE=${BORG_PASSPHRASE}" >/data/${CI_COMMIT_REF_NAME}/backup/.env
     - echo "${BORG_SSH_KEY}" >/data/${CI_COMMIT_REF_NAME}/backup/ssh/id_rsa
-    #- chmod 0600 /data/${CI_COMMIT_REF_NAME}/backup/ssh/id_rsa
+    - echo "${BORG_SERVER_PUBKEY}" >/data/${CI_COMMIT_REF_NAME}/backup/ssh/known_hosts
     - cd /data/${CI_COMMIT_REF_NAME}/app
     - drush -y sset system.maintenance_mode 1
     - cd -
@@ -450,6 +450,8 @@ Debug:
     - docker compose exec -u root php chmod -R ug-w .
     - docker compose exec -u root php chmod -R ug+w web/sites/*/files
     - docker compose exec -u root php chmod -R ug+w web/sites/*/private
+    - docker compose exec -u root borgmatic chmod -R go-w-r-x /root/.ssh
+    - if [[ ! -d /data/${CI_COMMIT_REF_NAME}/backup/config/security ]]; then docker compose exec -u root borgmatic borgmatic --init --encryption repokey; fi
     - drush -y cache-rebuild
     - drush -y config-import
     - drush -y updatedb