Restic Backup
Efficient encrypted backups with Restic: local, remote (SFTP, S3, B2), and scheduled with systemd
Restic is a modern backup solution offering incremental backups with AES-256 encryption, deduplication, and support for multiple backends including local storage, SFTP, S3, and B2. It's ideal for automated, efficient and secure VPS backups.
Installation
Ubuntu/Debian
apt install restic -y
CentOS/AlmaLinux/Rocky
dnf install restic -y
Manual Installation from Binary
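The download command in this section writes the decompressed binary straight into /usr/local/bin without checking it. As an added example (not from the original page), these functions verify the archive against the release's SHA256SUMS manifest before installing; the function names and local file names are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded release archive against a SHA256SUMS
# manifest before installing it. Function names are hypothetical.
#
# Usage, with the URL pattern from this page (local file names are assumptions):
#   base=https://github.com/restic/restic/releases/download/v0.16.4
#   curl -LO "$base/restic_0.16.4_linux_amd64.bz2"
#   curl -LO "$base/SHA256SUMS"
#   install_verified restic_0.16.4_linux_amd64.bz2 SHA256SUMS /usr/local/bin/restic

# verify_release ARCHIVE SUMS_FILE
# 0 = digest matches, 1 = mismatch, 2 = archive not listed in the manifest.
verify_release() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Manifest lines look like "<hex digest>  <file name>"; match the name exactly.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_release: $name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_release: SHA-256 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# install_verified ARCHIVE SUMS_FILE DEST
# Decompresses into a temp file beside DEST and renames it into place only
# after verification, so a bad download never replaces an existing binary.
install_verified() {
    src=$1
    dest=$3
    verify_release "$src" "$2" || return 1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if bzip2 -dc "$src" > "$tmp" && chmod 755 "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

A manifest fetched from the same host only catches corruption or a swapped archive; checking the manifest's GPG signature (published as SHA256SUMS.asc) is what ties it to the restic maintainers.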
curl -L https://github.com/restic/restic/releases/download/v0.16.4/restic_0.16.4_linux_amd64.bz2 | bzip2 -d > /usr/local/bin/restic
chmod +x /usr/local/bin/restic
restic version
Local Backup
Initialize Repository
Create an encrypted backup repository with password protection:
restic init --repo /backup/myrepo
# Enter password twice when prompted
Store the password securely. Without it, backups are unrecoverable.
Create First Backup
restic -r /backup/myrepo backup /home /etc /var/www
Restic will show progress and summary. Subsequent backups are incremental.
List Snapshots
restic -r /backup/myrepo snapshots
# Output: ID | Time | Host | Tags | Paths
Restore Data
# Restore latest snapshot to temporary location
restic -r /backup/myrepo restore latest --target /tmp/restore
# Restore specific snapshot
restic -r /backup/myrepo restore abc12345 --target /tmp/restore
# Restore specific path (--include selects what is restored; --path only filters which snapshot "latest" resolves to)
restic -r /backup/myrepo restore latest --target /tmp/restore --include /home
Remote Backup: S3 (AWS, Wasabi, MinIO)
Wasabi Configuration
export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
export RESTIC_PASSWORD="your_backup_password"
restic -r s3:https://s3.wasabisys.com/my-backup-bucket/restic \
backup /home /etc /var/www
AWS S3
export AWS_ACCESS_KEY_ID="your_key"
export AWS_SECRET_ACCESS_KEY="your_secret"
export RESTIC_PASSWORD="your_password"
restic -r s3:https://s3.amazonaws.com/my-bucket/restic \
backup /home /etc
MinIO (Self-hosted S3)
export AWS_ACCESS_KEY_ID="minioadmin"
export AWS_SECRET_ACCESS_KEY="minioadmin"
export RESTIC_PASSWORD="your_password"
restic -r s3:http://192.168.1.100:9000/backup-bucket/restic \
backup /home /etc
Wasabi offers affordable S3-compatible storage with $5.99/TB/month flat rate, no egress fees.
Remote Backup: SFTP
Backup to a remote server via SSH:
export RESTIC_PASSWORD="your_password"
restic -r sftp:backup@backup-server.com:/backup/restic \
backup /home /etc /var/www
Restic will use your SSH key from ~/.ssh/id_rsa. Ensure SFTP access is configured on the remote server.
Backup Rotation and Cleanup
Apply retention policy to delete old snapshots:
restic -r /backup/myrepo forget \
--keep-daily 7 \
--keep-weekly 4 \
--keep-monthly 6 \
--prune
This keeps 7 daily, 4 weekly, and 6 monthly snapshots, then removes orphaned data.
Verify Backup Integrity
Check repository consistency:
restic -r /backup/myrepo check
Run this regularly to detect corruption early.
Automated Backup with Systemd
Create Service Script
Create /usr/local/bin/restic-backup.sh:
#!/bin/bash
set -e
export RESTIC_REPOSITORY="/backup/myrepo"
export RESTIC_PASSWORD_FILE="/root/.restic_password"
export HOSTNAME="$(hostname)"
# Perform backup
/usr/bin/restic backup \
/home \
/etc \
/var/www \
--exclude-file=/etc/restic/excludes.txt \
--exclude-caches
# Apply retention
/usr/bin/restic forget \
--keep-daily 7 \
--keep-weekly 4 \
--keep-monthly 6 \
--prune
# Verify
/usr/bin/restic check
# Notify on success
echo "Backup completed successfully on $HOSTNAME" | \
mail -s "Restic Backup Success" admin@example.com
Make it executable:
chmod +x /usr/local/bin/restic-backup.sh
Create Systemd Service
Create /etc/systemd/system/restic-backup.service:
[Unit]
Description=Restic Backup
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/restic-backup.sh
StandardOutput=journal
StandardError=journal
Create Systemd Timer
Create /etc/systemd/system/restic-backup.timer:
[Unit]
Description=Restic Backup Timer
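# No Requires=restic-backup.service here: it would start a backup every time the timer unit itself is started
[Timer]
# OnCalendar= lines are additive, so "daily" plus "03:00" would fire at 00:00 and again at 03:00
OnCalendar=*-*-* 03:00:00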
Persistent=true
AccuracySec=1m
[Install]
WantedBy=timers.target
Enable and Start Timer
systemctl daemon-reload
systemctl enable restic-backup.timer
systemctl start restic-backup.timer
# Check timer status
systemctl status restic-backup.timer
systemctl list-timers restic-backup.timer
Exclude Files
Create /etc/restic/excludes.txt:
*.log
*.tmp
/proc/*
/sys/*
/dev/*
/run/*
/mnt/*
.cache
node_modules
__pycache__
Use in backup:
restic backup /home --exclude-file=/etc/restic/excludes.txt
Backup with Error Notification
Enhanced script with email alerts:
#!/bin/bash
# pipefail: without it the status of the { ... } | tee pipeline is tee's,
# so a failed backup would still end with a "summary" mail and exit code 0
set -eo pipefail
export RESTIC_REPOSITORY="/backup/myrepo"
export RESTIC_PASSWORD_FILE="/root/.restic_password"
MAIL="admin@example.com"
LOG="/var/log/restic-backup.log"
{
    echo "Starting backup at $(date)"
    /usr/bin/restic backup /home /etc /var/www || {
        echo "BACKUP FAILED"
        echo "Backup failed at $(date)" | mail -s "ALERT: Restic Backup Failed" "$MAIL"
        exit 1
    }
    /usr/bin/restic forget --keep-daily 7 --keep-monthly 6 --prune
    echo "Backup completed successfully at $(date)"
} | tee -a "$LOG"
# Send summary (reached only when the backup pipeline above succeeded)
tail -n 10 "$LOG" | mail -s "Restic Backup Summary" "$MAIL"
Security Considerations
Store your RESTIC_PASSWORD securely in a file with restricted permissions (600). Without the password, backups are inaccessible. Consider storing the password in a separate secure location. Never commit passwords to version control.
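One way to enforce the permission rule above before every scheduled run, as an added example (not from the original page): the function names and return codes are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: create the restic password file safely and refuse to back up
# when it is readable by anyone but its owner. Function names are hypothetical.

# create_secret_file FILE: reads the password from stdin, so it never appears
# in argv or shell history. umask 077 makes the file mode 600 from creation;
# noclobber (set -C) refuses to write into an existing, possibly looser, file.
create_secret_file() {
    ( umask 077 && set -C && cat > "$1" )
}

# check_secret_file FILE [EXPECTED_UID]
#   0  regular file, owned by EXPECTED_UID (default: current user), mode x00
#   1  missing, a symlink, or not a regular file
#   2  owned by a different user
#   3  group or other permission bits are set
check_secret_file() {
    file=$1
    want_uid=${2:-$(id -u)}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "check_secret_file: $file is missing or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c %u "$file") || return 1   # numeric owner uid
    mode=$(stat -c %a "$file") || return 1    # octal mode, e.g. 600
    if [ "$owner" != "$want_uid" ]; then
        echo "check_secret_file: $file is owned by uid $owner, expected $want_uid" >&2
        return 2
    fi
    # The last two octal digits are the group and other permissions.
    case $mode in
        *00|0) ;;
        *)  echo "check_secret_file: $file has mode $mode, expected 600" >&2
            return 3 ;;
    esac
    return 0
}

# At the top of a backup script (path taken from this page):
#   check_secret_file /root/.restic_password 0 || exit 1
```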
Create password file:
echo "your_secure_password" > /root/.restic_password
chmod 600 /root/.restic_password
Use in automation:
export RESTIC_PASSWORD_FILE="/root/.restic_password"
restic -r /backup/myrepo snapshots
Monitoring and Maintenance
Check Repository Size
# restic has no du subcommand; stats reports the size of the stored data
restic -r /backup/myrepo stats --mode raw-data
Rebuild Index
If index corruption occurs:
restic -r /backup/myrepo rebuild-index
Migrate Repository
Move backup to different location:
restic -r /old/path copy --repo2 /new/path
Both repositories need the same password.