How to Set Up Restic + S3-Compatible Storage for Fast, Encrypted Linux Backups (With Automation and Restore Testing)
Why Restic Is a Smart Backup Tool in 2026
If you want a modern backup system on Linux that is fast, encrypted by default, and easy to automate, restic is one of the most practical options available today. It creates deduplicated snapshots, supports incremental backups automatically, and works with many backends including local disks, SSH, and S3-compatible object storage (Amazon S3, Backblaze B2 S3 API, MinIO, Wasabi, and more). In this tutorial, you will set up restic with an S3-compatible bucket, run your first backup, verify integrity, and automate daily runs with systemd.
What You Need Before You Start
You will need a Linux machine (server or workstation), an S3-compatible bucket, and access credentials (Access Key ID and Secret Access Key). Make sure the bucket exists and that your account has permission to list, write, and delete objects. Also plan a secure place for a restic password (a file readable only by root is typical). If you are backing up a server, decide which paths to include and which to exclude (temporary folders, caches, and large build artifacts).
Step 1: Install Restic
On Ubuntu/Debian, you can install from the repo, but for newer features you may prefer the official binary release. First try the package manager:
Debian/Ubuntu: sudo apt update && sudo apt install -y restic
RHEL/Fedora: sudo dnf install -y restic
Confirm the version with restic version. If your distro version is old and you need a newer build, download the official release from restic’s GitHub and place it in /usr/local/bin.
Step 2: Create a Secure Password File
Restic encrypts the repository using a password. Store it in a root-owned file and lock down permissions:
sudo mkdir -p /etc/restic
sudo bash -c 'umask 077; printf "%s\n" "REPLACE_WITH_A_LONG_RANDOM_PASSWORD" > /etc/restic/repo.pass'
sudo chmod 600 /etc/restic/repo.pass
Use a long random password. If you lose it, you lose access to the backup data.
Step 3: Export S3 and Restic Environment Variables
Restic reads configuration from environment variables. For an S3-compatible provider, you will typically set the endpoint URL too (MinIO, Wasabi, or private S3 gateways). Create a config file you can reuse for scripts:
sudo bash -c 'cat > /etc/restic/env.sh <<EOF
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export RESTIC_PASSWORD_FILE="/etc/restic/repo.pass"
export RESTIC_REPOSITORY="s3:https://s3.example.com/my-linux-backups"
# Optional but common for S3-compatible services:
export AWS_DEFAULT_REGION="us-east-1"
EOF
chmod 600 /etc/restic/env.sh'
Replace s3.example.com with your provider endpoint (or omit it for AWS), and use your bucket name in the repository path.
Step 4: Initialize the Backup Repository
Initialize the repo once. After that, all backups go into this encrypted repository:
sudo bash -c 'source /etc/restic/env.sh; restic init'
If you see an error about permissions or endpoint connectivity, confirm that the endpoint URL is correct and that your credentials can write to the bucket.
Step 5: Run Your First Backup (With Sensible Exclusions)
A good first backup for a Linux server is often /etc, home directories, and important app data. Exclude caches and ephemeral content to reduce cost and time:
sudo bash -c 'source /etc/restic/env.sh; restic backup /etc /home \
--exclude "/home/*/.cache" \
--exclude "/home/*/.local/share/Trash" \
--exclude "/var/tmp" \
--exclude "/tmp"'
Restic will create a snapshot ID. That snapshot is an immutable point-in-time view you can list and restore later.
Step 6: Verify Backups and Test Restore
A backup that has never been verified is not a backup. Start by listing snapshots:
sudo bash -c 'source /etc/restic/env.sh; restic snapshots'
Then run an integrity check occasionally (especially after large backups):
sudo bash -c 'source /etc/restic/env.sh; restic check'
Finally, do a small restore test to a temporary directory to confirm you can recover files:
sudo mkdir -p /root/restore-test
sudo bash -c 'source /etc/restic/env.sh; restic restore latest --target /root/restore-test --include "/etc/hostname"'
Open the restored file and confirm it matches the live system. This simple step catches password, permissions, and repository issues early.
Step 7: Automate Daily Backups with systemd
For reliable automation, systemd timers are cleaner than cron because they can track failures and integrate with logs. Create a backup script:
sudo bash -c 'cat > /usr/local/sbin/restic-backup.sh <<EOF
#!/bin/bash
set -euo pipefail
source /etc/restic/env.sh
restic backup /etc /home \
--exclude "/home/*/.cache" \
--exclude "/home/*/.local/share/Trash" \
--exclude "/tmp" --exclude "/var/tmp"
# Keep policy: adjust to your needs and storage costs
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
EOF
chmod 700 /usr/local/sbin/restic-backup.sh'
Now create a systemd service and timer:
sudo bash -c 'cat > /etc/systemd/system/restic-backup.service <<EOF
[Unit]
Description=Restic backup to S3
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/restic-backup.sh
EOF'
sudo bash -c 'cat > /etc/systemd/system/restic-backup.timer <<EOF
[Unit]
Description=Run restic backup daily
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
EOF'
Enable and start the timer:
sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
systemctl list-timers | grep restic
Troubleshooting Tips
If backups fail with S3 errors, double-check the endpoint URL, DNS, firewall rules, and bucket permissions. If you see slow performance, consider placing the repository in a region closer to your server, and avoid backing up huge temporary directories. If pruning takes too long, run it weekly instead of daily, or prune during low-traffic hours. Most importantly, schedule a recurring restore test (monthly is a good baseline) so you know recovery is possible when you actually need it.
Wrap-Up
With restic and S3-compatible storage, you get encrypted, deduplicated backups that scale from a single VPS to multiple servers. The setup is lightweight, the restore process is straightforward, and automation with systemd makes it dependable. Once this is working, the next advanced step is to add monitoring (alert on failed timers) and document your restore procedure so anyone on your team can recover data under pressure.
3.
Comments
Post a Comment