diff --git a/README.md b/README.md
index a3bd107ec8dadb5ea00c1f3dac744ee4ba002fac..9a29f806ce735bfbcb4f81b3312afdf60c27242e 100644
--- a/README.md
+++ b/README.md
@@ -34,14 +34,14 @@ backends:
 	restic:
 		# url of the restic repository
 		url: '/var/backup-client/restic'
-		# repository type musst be 'local'
+		# repository type can be 'local' or 'sftp'
 		repo_type: 'local'
 
 # Mode in which the backup is taken. One of the following:
 #
 # vm-via-hypervisor: backup a vm via restic on the hypervisor. Saves config on the host
 # hypervisor-restic: backup its vms via restic
-# standalone-restic: use restic on the target itself to save a backup to a backup location (TODO)
+# standalone-restic: use restic on the target itself to save a backup to a backup location
 mode: vm-via-hypervisor
 
 # Allows backups to be skipped
@@ -68,6 +68,26 @@ export:
 #	  port: 22
 #	  key: "/etc/backup-client/id_ed25519"
 
+# Settings to create a remote sftp user. Use this for restic sftp repos
+remote_sftp_user:
+	# enable/disable the user creation feature
+	enabled: False
+	# user name
+	name: backup
+	# user group
+	group: nogroup
+	# user auxillary groups
+	groups: []
+	# host to create the user on
+	host: ~
+	# Path used to setup an sftp chroot using ssh.
+	# Only the top most folder is created
+	chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
+	# Path to bindmount in the chroot jail
+	storage_path: "/srv/backups/{{ inventory_hostname }}"
+	# Wether to create the topmost storage folder or not
+	create_storage_folder: True
+
 # keys are strings with glob patterns of files to be excluded. Value musst be true to enable the exclude, false to disable it
 # Only supportet in restic based backups
 exclude_files: {}
diff --git a/defaults/main.yml b/defaults/main.yml
index 3baa1843f7d420077f2510c371da0058ae06e5dd..4cddbf476f1960123ff2dff63e8acdb8d63f52aa 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,6 +26,15 @@ backups:
     years: 3
   export:
     destinations: []
+  remote_sftp_user:
+    name: backup
+    host: ~
+    chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
+    storage_path: "/srv/backups/{{ inventory_hostname }}"
+    groups: []
+    group: nogroup
+    enabled: False
+    create_storage_folder: True
   exclude_files:
     '/tmp': true
     '/var/tmp': true
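Review bot: `host: ~` leaves `remote_sftp_user.host` null by default, and the block added in tasks/main.yml passes it straight to `delegate_to` once `enabled` is set. Someone who flips only `enabled` therefore gets whatever Ansible does with a null delegation target, which is at best an opaque error. A guard task ahead of that block, for example `ansible.builtin.assert` with `that: backups.remote_sftp_user.host is not none`, would fail early with a clear message. As a style point, `enabled: False` and `create_storage_folder: True` would be more consistent as `false`/`true`, matching the `exclude_files` entries directly below.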
diff --git a/tasks/main.yml b/tasks/main.yml
index 8c7a8eb95e5aa4233301a8f6f9718fa0dd9c24c3..4c986cc095d876961c86943ec81b8d12dfcdbf23 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,6 +15,7 @@
   when: backup_executor
   block:
   - name: generate ssh key
+    register: backup_ssh_key_task
     community.crypto.openssh_keypair:
       path: /etc/backup-client/id_ed25519
       type: ed25519
@@ -98,6 +99,60 @@
       group: root
       mode: 0700
 
+- name: create a remote sftp user if enabled
+  when:
+    - backups.remote_sftp_user.enabled
+    - backup_executor
+  delegate_to: "{{ backups.remote_sftp_user.host }}"
+  block:
+    - name: "create user {{ backups.remote_sftp_user.name }}"
+      user:
+        name: "{{ backups.remote_sftp_user.name }}"
+        createhome: yes
+        shell: /sbin/nologin
+        system: false
+        group: "{{ backups.remote_sftp_user.group }}"
+        groups: "{{backups.remote_sftp_user.groups }}"
+    - name: add ssh key to user
+      when: not ansible_check_mode
+      ansible.posix.authorized_key:
+        user: "{{ backups.remote_sftp_user.name }}"
+        state: present
+        key: '{{ backup_ssh_key_task.public_key }}'
+    - name: create chroot folder
+      file:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}"
+        owner: root
+        group: root
+        mode: 0755
+        state: directory
+    - name: create bind mount point in chroot folder
+      file:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
+        owner: "{{ backups.remote_sftp_user.name }}"
+        group: "{{ backups.remote_sftp_user.group }}"
+        mode: 0700
+        state: directory
+    - name: create storage folder
+      when: backups.remote_sftp_user.create_storage_folder
+      file:
+        path: "{{ backups.remote_sftp_user.storage_path }}"
+        owner: "{{ backups.remote_sftp_user.name }}"
+        group: "{{ backups.remote_sftp_user.group }}"
+        mode: 0700
+        state: directory
+    - name: "setup bindmount"
+      loop:
+        - mounted
+        - present
+      mount:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
+        src: "{{ backups.remote_sftp_user.storage_path }}"
+        opts: "rw,bind,noauto,x-systemd.automount"
+        fstype: auto
+        passno: "0"
+        state: "{{ item }}"
+
 - name: handle common restic based setup tasks
   when: backup_backend == 'restic'
   block:
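Review bot: The `add ssh key to user` task installs the executor's public key with no key options, so the only restriction on the account is `shell: /sbin/nologin`. That stops an interactive login but does not by itself disable TCP forwarding through the storage host. Adding `key_options: 'restrict'` to the `ansible.posix.authorized_key` task turns off port, agent and X11 forwarding and PTY allocation for that key while leaving SFTP usable. Separately, the block only creates the chroot directories and the bind mount; nothing in this hunk configures sshd (a `Match User` section with `ChrootDirectory` and `ForceCommand internal-sftp`). Unless that is handled elsewhere, the user is not confined to `chroot_basepath`, so a comment above the block stating the sshd prerequisite would help operators.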