Why Restic + S3 is a Modern Backup Strategy
Traditional backups often fail for the same reasons: they are slow, unencrypted, hard to automate, or too expensive to store long term. Restic is a modern backup tool designed for speed and simplicity. It creates deduplicated and encrypted backups by default, and it works great with object storage such as Amazon S3 and S3-compatible services (Backblaze B2 S3, Wasabi, MinIO, etc.). In this tutorial, you will set up incremental backups on Linux, store them in S3, and add an automated schedule with pruning and retention.
What You Need Before You Start
You will need a Linux server or desktop with shell access, an S3 bucket (or an S3-compatible endpoint), and credentials that can read/write to that bucket. Make sure your system clock is correct (NTP enabled), because backups and retention policies rely on timestamps. This guide uses a systemd-based distro such as Ubuntu Server, Debian, Fedora, or Rocky Linux.
Step 1: Install Restic
On many distributions, Restic is available in the default repositories (distribution packages can lag several releases behind the project's own builds, so check the version after installing). On Ubuntu/Debian you can install it with:
sudo apt update && sudo apt install -y restic
On Fedora/RHEL-based systems:
sudo dnf install -y restic
Verify the installation:
restic version
Step 2: Create an S3 Bucket and Credentials
Create an S3 bucket dedicated to backups, ideally in a region close to your server. Then create an IAM user (or service account) whose permissions are limited to that bucket. Do not reuse broad admin keys: a backup host that is compromised should not be able to reach anything but its own repository. At minimum, the credentials must allow listing the bucket (s3:ListBucket) and reading, writing and deleting objects inside it (s3:GetObject, s3:PutObject, s3:DeleteObject). Delete permission is required because "restic forget --prune" and lock cleanup remove objects.
If you are using an S3-compatible provider, note the endpoint URL (for example: https://s3.us-west-000.backblazeb2.com or your own MinIO endpoint). Restic can use standard AWS environment variables and an optional endpoint override.
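As an added example (not part of the original tutorial), the shell function below emits the least-privilege IAM policy described above for a given bucket name. The bucket name "restic-backups" used in the usage line is an assumption; the policy grants only the bucket-level list/location actions and object-level get/put/delete on that bucket.

```shell
#!/usr/bin/env bash
# Added example: generate a least-privilege IAM policy for a Restic S3 repository.
set -eu

# Print the policy JSON for the bucket named in $1. Restic needs to list the
# bucket and resolve its region (bucket ARN), and to read, write and delete
# objects (object ARN). Nothing outside this bucket is granted.
restic_s3_policy() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListRepositoryBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ReadWriteRepositoryObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Sanity check before applying a policy: reject wildcard actions ("s3:*" or "*")
# and require that every resource is an S3 ARN. Returns 0 when scoped, 1 if not.
policy_is_scoped() {
  local policy="$1"
  if printf '%s' "$policy" | grep -Eq '"(s3:\*|\*)"'; then
    return 1
  fi
  printf '%s' "$policy" | grep -q 'arn:aws:s3:::'
}

# Usage (assumed IAM user name "restic-backup"; run with admin credentials):
#   restic_s3_policy restic-backups > /tmp/restic-policy.json
#   policy_is_scoped "$(cat /tmp/restic-policy.json)" && \
#     aws iam put-user-policy --user-name restic-backup \
#       --policy-name restic-s3 --policy-document file:///tmp/restic-policy.json
```

For an S3-compatible provider, create the equivalent scoped key in its console instead (for example a Backblaze application key restricted to one bucket); the actions are the same even if the policy syntax differs.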
Step 3: Set Environment Variables Securely
Restic reads the S3 credentials and the repository passphrase from environment variables. Keep them in a root-only file rather than typing export commands into an interactive shell, so they never land in shell history. Create the /etc/restic directory first (owned by root, not readable by other users), then open the file:
sudo nano /etc/restic/env
Add the following (adjust values for your environment). RESTIC_PASSWORD is the only key to the repository: use a long random passphrase, and keep a copy somewhere other than this server, because without it the encrypted data cannot be read by anyone, including you:
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export RESTIC_PASSWORD="USE_A_LONG_RANDOM_PASSPHRASE"
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/your-bucket-name"
If you use an S3-compatible endpoint, set the region your provider expects and replace the RESTIC_REPOSITORY line with the endpoint form:
export AWS_DEFAULT_REGION="us-east-1"
export RESTIC_REPOSITORY="s3:https://YOUR-ENDPOINT/your-bucket-name"
Lock down permissions:
sudo chmod 600 /etc/restic/env
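The following is an added example, not code from the original tutorial. It performs Step 3 end to end: it generates a random passphrase, creates the directory and the environment file with restrictive permissions from the first byte (via umask), and checks the resulting mode. The path /etc/restic/env, the key values and the repository string in the usage line are assumptions to adjust.

```shell
#!/usr/bin/env bash
# Added example: create the root-only Restic environment file with a fresh passphrase.
set -eu

# 48 random bytes -> 64 base64 characters. Store a copy off this server:
# a lost passphrase means the repository can never be read.
gen_passphrase() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Write the env file $1 (mode 0600, directory 0700) with access key $2,
# secret key $3 and repository $4. A subshell keeps the umask change local.
write_restic_env() {
  local env_file="$1" access_key="$2" secret_key="$3" repo="$4"
  local dir passphrase
  dir=$(dirname "$env_file")
  mkdir -p "$dir"
  chmod 700 "$dir"
  passphrase=$(gen_passphrase)
  (
    umask 077                      # the file is created 0600, never world-readable
    cat > "$env_file" <<EOF
export AWS_ACCESS_KEY_ID="${access_key}"
export AWS_SECRET_ACCESS_KEY="${secret_key}"
export RESTIC_PASSWORD="${passphrase}"
export RESTIC_REPOSITORY="${repo}"
EOF
  )
  chmod 600 "$env_file"            # also fixes a pre-existing file with looser mode
}

# Return 0 if $1 is owner read/write only (-rw-------), 1 otherwise.
env_file_is_private() {
  local mode
  mode=$(ls -l "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Usage, from a root shell (sudo -i), with assumed placeholder values:
#   write_restic_env /etc/restic/env AKIAEXAMPLE 'secret-key' \
#     's3:s3.amazonaws.com/restic-backups'
#   env_file_is_private /etc/restic/env && echo "env file locked down"
```

Run it as root so the directory and file end up root-owned; the systemd service in Step 8 runs as root and sources this file, so no other account needs access to it.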
Step 4: Initialize the Restic Repository
Load the environment file and initialize the repository. Because the file is readable only by root, do this from a root shell (for example after sudo -i); prefixing individual commands with sudo would not carry the exported variables through:
source /etc/restic/env
restic init
Restic will create the repository structure in your bucket. restic init refuses to run against a bucket that already holds a repository; if you see that message and the repository is yours (you have its passphrase), skip this step rather than creating a second one.
Step 5: Run Your First Incremental Backup
Choose what you want to back up. Common targets are /etc, application configuration, and data directories (for example, /var/www or /home). Run:
restic backup /etc /home
Restic has no separate "full" and "incremental" modes: every snapshot is a complete view of the backed-up tree, but file data is split into content-defined chunks and only chunks not already in the repository are uploaded. After the first run, each backup is therefore incremental in bandwidth and storage while remaining independently restorable, with no chain of increments to keep intact.
Step 6: Verify and Test Restore (Don’t Skip This)
List available snapshots:
restic snapshots
Check repository integrity occasionally. By default restic check verifies the repository structure and index without downloading the pack files; add --read-data (or --read-data-subset to sample a fraction) for a full content check when egress cost allows:
restic check
To restore, first create a test folder and restore the latest snapshot into it. Restic recreates the original absolute paths beneath the target, so /etc ends up at /tmp/restic-restore-test/etc. Pick a target with enough free space; on many distributions /tmp is a RAM-backed tmpfs:
mkdir -p /tmp/restic-restore-test
restic restore latest --target /tmp/restic-restore-test
A backup that cannot be restored is not a backup. Testing restore early helps you catch permission issues, missing paths, or incorrect repository settings.
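As an added example (not from the original tutorial), the functions below turn the restore test into a repeatable drill: restore one directory from the latest snapshot into a scratch target and compare the restored files with the live tree. The paths (/etc and /tmp/restic-restore-test) in the usage line are assumptions; restore_drill needs the Step 3 environment loaded and root to read the source.

```shell
#!/usr/bin/env bash
# Added example: restore one directory from the latest snapshot and verify it.
set -eu

# Compare live directory $1 with its restored copy under target $2.
# restic recreates the original absolute path below --target, so /etc restored
# to /tmp/restic-restore-test lands in /tmp/restic-restore-test/etc.
# Returns 0 when every file matches, 1 otherwise (mismatches are listed).
compare_restore() {
  local src="$1" target="$2"
  local restored="${target%/}${src}"
  if [ ! -d "$restored" ]; then
    echo "restored copy not found at $restored" >&2
    return 1
  fi
  # -r recurses, -q prints only the names of differing files; exit 1 = mismatch
  if diff -rq "$src" "$restored"; then
    return 0
  fi
  echo "restore of $src does not match the live tree" >&2
  return 1
}

# Restore $1 from the latest snapshot into scratch target $2, then verify.
restore_drill() {
  local src="$1" target="$2"
  case "$target" in
    ""|/) echo "refusing to use '$target' as scratch target" >&2; return 1 ;;
  esac
  rm -rf "$target"
  mkdir -p "$target"
  # --include limits the restore to the directory under test
  restic restore latest --target "$target" --include "$src"
  compare_restore "$src" "$target"
}

# Usage (assumed paths):
#   restore_drill /etc /tmp/restic-restore-test && echo "restore verified"
```

Files that change between the snapshot and the comparison (logs, caches) will show up as differences; run the drill against a quiet directory such as /etc, or read the listed names and judge whether each is expected churn or a real restore problem.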
Step 7: Add Retention and Pruning
Without retention rules, backups grow forever. A practical policy for many servers is: keep 7 daily, 4 weekly, and 6 monthly snapshots. Run:
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
forget only drops snapshot references; --prune then deletes the data no remaining snapshot needs. Pruning takes an exclusive lock on the repository and can take time on large repositories, so schedule it during low usage and never concurrently with a backup to the same repository.
Step 8: Automate Backups with systemd Timer
Create a script that loads the environment file and runs backup + retention. Create:
sudo nano /usr/local/sbin/restic-backup.sh
Example content:
#!/bin/bash
set -euo pipefail
source /etc/restic/env
# Quote the exclude pattern: unquoted, the shell would expand /home/*/.cache into
# several paths and restic would treat the extra ones as directories to back up
restic backup /etc /home --exclude '/home/*/.cache'
# Retention runs only after the backup has finished, since prune needs an exclusive lock
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
Make it executable:
sudo chmod 750 /usr/local/sbin/restic-backup.sh
Now create a systemd service:
sudo nano /etc/systemd/system/restic-backup.service
Use:
[Unit]
Description=Restic Backup to S3
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/restic-backup.sh
Create a timer to run daily (OnCalendar=daily fires at midnight; Persistent=true runs a missed job at the next boot, which matters for machines that are not always on):
sudo nano /etc/systemd/system/restic-backup.timer
Use:
[Unit]
Description=Daily Restic Backup
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
Enable and start the timer, then confirm it is scheduled. Before relying on it, trigger the service once by hand (systemctl start on the service unit) and read its output with journalctl, so the first automated run is not also the first time the script executes:
sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
systemctl list-timers | grep restic
Troubleshooting Tips
If you see access denied errors, confirm the bucket policy and IAM permissions (list, get, put and delete on that bucket), and double-check the repository URL, including the bucket name and endpoint. If backups are slow, test DNS and network throughput, and consider excluding large temporary folders. If a run was interrupted and later runs report that the repository is locked, confirm that no other restic process is still running before clearing the stale lock with restic unlock. If you changed credentials, restart your shell or ensure the systemd service reads the correct environment (this guide sources /etc/restic/env directly in the script, which is straightforward and reliable).
Next Steps for Production Hardening
For production servers, consider adding alerting (email on failure via a monitoring tool), using a dedicated backup user, and enabling immutable storage features if your provider supports them. Keep in mind that prune must be able to delete expired pack files, so any object-lock retention period has to be reconciled with your pruning schedule. With Restic + S3, you get encrypted, incremental backups with clean automation, without relying on complex backup suites.