Set Up Incremental Backups on Linux with Restic and S3-Compatible Storage (Rclone + Encryption)

Why Restic + S3 Is a Smart Backup Combo

If you want a modern Linux backup solution that is fast, encrypted by default, and easy to automate, restic is one of the best tools available today. It creates deduplicated, incremental snapshots, so repeated backups are much smaller than full copies. Pairing restic with S3-compatible object storage (such as MinIO, Backblaze B2 S3, Wasabi, or a private S3 gateway) gives you reliable offsite storage without managing a traditional backup server.

In this tutorial, you will set up restic on Linux, connect it to an S3-compatible destination using environment variables, run your first backup, verify it, and schedule it with systemd. The steps are designed to be practical for a workstation or a small server.

Prerequisites

You will need: a Linux machine (Ubuntu/Debian/RHEL-based are fine), access keys for an S3-compatible bucket, outbound internet access (or network access to your S3 endpoint), and a user account with permission to read the folders you plan to back up. Choose a directory to store your restic password securely (or use a password manager and a root-only file).

Step 1: Install Restic (and Rclone if Needed)

On Ubuntu/Debian, install restic with:

sudo apt update && sudo apt install -y restic

On RHEL/CentOS/Fedora, you can use your distribution repositories or install a package from your vendor. If you prefer a consistent version everywhere, you can also download the official restic release binary from the project site and place it in /usr/local/bin.

Restic can speak to S3 directly, so rclone is optional. However, rclone is useful if you want a single configuration tool for many cloud backends or if your environment already relies on it. If you want it:

sudo apt install -y rclone

Step 2: Create Your Bucket and Gather S3 Settings

Create a bucket in your S3-compatible storage, for example my-linux-backups. Collect these values: Access Key, Secret Key, Bucket name, Region (if required), and the S3 endpoint URL. For AWS S3, the endpoint is usually implicit; for MinIO or other providers, you will typically use something like https://s3.example.com.

Step 3: Set Restic Environment Variables

Restic reads credentials from environment variables. Create a root-only file to store them. This approach avoids leaving secrets in shell history and makes automation easier.

Create /etc/restic/env:

sudo mkdir -p /etc/restic
sudo nano /etc/restic/env

Add the following (adjust values to your provider):

export RESTIC_REPOSITORY="s3:https://s3.example.com/my-linux-backups"
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export AWS_DEFAULT_REGION="us-east-1"

Now create a password file for the repository encryption key:

sudo nano /etc/restic/password

Put a long passphrase on a single line, then lock down permissions:

sudo chmod 600 /etc/restic/env /etc/restic/password
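
The check below is an added example, not part of the original tutorial: it confirms that the two secret files from this step are regular files owned by root with no group or other access. The function names and the --audit switch are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the restic secret files before a backup run.
# Assumes GNU stat (coreutils), as found on the Linux systems in this tutorial.

# check_secret_file PATH [UID]
# Succeeds only if PATH is a non-empty regular file (not a symlink), owned by
# UID (default 0, root), with no permission bits set for group or others.
check_secret_file() {
    path=$1
    want_uid=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "FAIL $path: file is empty" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$path")   # octal permissions, e.g. 600
    uid=$(stat -c '%u' "$path")    # numeric owner
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $path: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # Mask 077 selects the group and other bits; all of them must be clear.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants access beyond the owner" >&2
        return 1
    fi
    return 0
}

# audit_restic_secrets DIR [UID]
# Checks DIR/env and DIR/password; reports every problem, not just the first.
audit_restic_secrets() {
    dir=$1
    owner=${2:-0}
    failed=0
    for name in env password; do
        check_secret_file "$dir/$name" "$owner" || failed=1
    done
    return "$failed"
}

# Run against the tutorial's directory when called as: script --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    audit_restic_secrets "${2:-/etc/restic}"
fi
```

Calling it at the top of the backup script stops a run early if the files have drifted from mode 600 or changed owner.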

Step 4: Initialize the Restic Repository

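Load the environment variables and initialize the repo. Because /etc/restic/env is readable only by root, and sudo resets the environment by default instead of passing your shell's exported variables through, source the file inside the root shell rather than in your own:

sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic init'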

If everything is correct, restic will create the repository structure in the bucket and confirm initialization. If you see endpoint or TLS errors, double-check the endpoint URL and whether your provider requires a specific region.

Step 5: Run Your First Backup (Incremental by Default)

Choose what to back up. A common starting point is /home plus important configuration under /etc. You should exclude cache folders and other noise to keep snapshots clean.

Create an exclude file:

sudo nano /etc/restic/excludes

Example excludes:

*/.cache
*/Downloads
/var/tmp
/tmp

Run the backup:

sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic backup /home /etc --exclude-file=/etc/restic/excludes'

The next time you run the same command, restic will automatically create an incremental snapshot and upload only new or changed data blocks. This is where deduplication saves both time and storage.

Step 6: Verify and Test a Restore

A backup you never tested is not a strategy. List snapshots:

sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic snapshots'

Check repository consistency (run occasionally, not every hour):

sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic check'

To restore a single file safely, restore into a temporary directory first:

sudo mkdir -p /restore-test
sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic restore latest --target /restore-test --include /etc/hosts'

Confirm the file is correct, then copy it to the desired location if needed.
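
The restore test above can be scripted so that it is repeatable. This is an added example, not part of the original tutorial: the function names, the --run switch and the restore-test.sh file name are hypothetical, and it restores into a fresh mktemp directory under /var/tmp so that restored copies of sensitive files sit in a directory only root can enter.

```shell
#!/bin/sh
# Added example: scripted restore test for the tutorial's repository.

# compare_restored TARGET PATH...
# restic recreates each file's full original path under --target, so the
# restored copy of /etc/hosts is TARGET/etc/hosts. Prints one status line per
# PATH and returns 0 only if every restored file is byte-identical to the
# live one. DIFFERS can also mean the live file changed after the snapshot,
# so test with files that rarely change.
compare_restored() {
    target=$1
    shift
    bad=0
    for p in "$@"; do
        if [ ! -f "$target$p" ]; then
            echo "MISSING  $p"
            bad=1
        elif cmp -s "$p" "$target$p"; then
            echo "OK       $p"
        else
            echo "DIFFERS  $p"
            bad=1
        fi
    done
    return "$bad"
}

# restore_test PATH...
# Run as root. Restores each PATH from the latest snapshot into a fresh
# directory that only root can enter, compares, then deletes the copy.
restore_test() {
    . /etc/restic/env
    export RESTIC_PASSWORD_FILE=/etc/restic/password
    target=$(mktemp -d /var/tmp/restore-test.XXXXXX) || return 1
    rc=0
    for p in "$@"; do
        restic restore latest --target "$target" --include "$p" || rc=1
    done
    compare_restored "$target" "$@" || rc=1
    rm -rf "$target"
    return "$rc"
}

# Example: sudo sh restore-test.sh --run /etc/hosts /etc/fstab
if [ "${1:-}" = "--run" ]; then
    shift
    restore_test "$@"
fi
```

A non-zero exit status makes the script usable from a systemd timer, where a failed restore test then shows up as a failed unit.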

Step 7: Set a Retention Policy (Forget + Prune)

Backups grow over time unless you define retention. A practical policy keeps daily snapshots for a week, weekly for a month, and monthly for a year:

sudo sh -c '. /etc/restic/env && RESTIC_PASSWORD_FILE=/etc/restic/password restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune'

The --prune step removes unneeded data blocks so your S3 storage usage stays under control.

Step 8: Automate Backups with systemd

Create a simple script so the job is repeatable. Create /usr/local/sbin/restic-backup.sh:

sudo nano /usr/local/sbin/restic-backup.sh

Add:

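#!/bin/sh
# Stop on the first failed command or unset variable, so a failed backup
# is never followed by forget/prune.
set -eu
# Repository location and S3 credentials (root-only file from Step 3).
. /etc/restic/env
export RESTIC_PASSWORD_FILE=/etc/restic/password
restic backup /home /etc --exclude-file=/etc/restic/excludes
# Apply the retention policy from Step 7 and reclaim unreferenced data.
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune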

Make it executable:

sudo chmod 750 /usr/local/sbin/restic-backup.sh

Now create a systemd service /etc/systemd/system/restic-backup.service:

[Unit]
Description=Restic Backup

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/restic-backup.sh

And a timer /etc/systemd/system/restic-backup.timer to run daily:

[Unit]
Description=Daily Restic Backup

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

Enable the timer:

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer

You can confirm runs with:

systemctl list-timers --all | grep restic

Final Tips for Reliable Offsite Backups

Keep your restic password file protected, and consider storing a sealed copy in a secure vault so you are not locked out during an emergency. If you are backing up a server with databases, add application-aware steps (such as dumping PostgreSQL or MySQL) before running restic. Most importantly, schedule a recurring restore test so you know the entire chain works—from Linux to S3 and back.
