Why Restic + S3-Compatible Storage Is a Modern Backup Strategy
If you are still copying folders to an external drive or relying on a single NAS, you are one accident, hardware failure, or ransomware event away from a bad day. A current, practical approach is to use incremental, encrypted backups pushed to S3-compatible object storage (such as MinIO, Backblaze B2 S3, Wasabi, or many private cloud providers). This tutorial walks you through implementing that setup on Linux using Restic, a fast backup tool that deduplicates data, encrypts everything, and supports snapshots you can restore from in minutes.
What You Will Build
By the end of this guide, your Linux server or workstation will automatically create incremental backups to an S3 bucket, keep only a sensible number of snapshots, and run on a schedule using systemd. The result is a backup workflow that is efficient (deduplication), secure (client-side encryption), and resilient (object storage with versioning and immutability options, depending on provider).
Prerequisites
You need a Linux machine with sudo access, an S3-compatible endpoint (provider URL, access key, secret key), and a bucket you can write to. Make sure the system clock is correct (NTP enabled) because snapshot timestamps matter for troubleshooting. If you can, enable bucket-level features like versioning or object lock on the storage side for extra protection.
Step 1: Install Restic
On Debian/Ubuntu, you can install from the repository, although it may not always be the newest version:
sudo apt update && sudo apt install -y restic
On RHEL/CentOS/Fedora systems, check your distro packages or download a current release from Restic’s official GitHub releases. The key point is to use a recent version to benefit from performance and compatibility improvements.
Step 2: Set Environment Variables Securely
Restic reads credentials from environment variables. Create a root-only file to store them. This keeps secrets out of shell history and scripts.
sudo mkdir -p /etc/restic
sudo nano /etc/restic/restic-env
Add values like these (adjust for your provider):
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export RESTIC_REPOSITORY="s3:https://s3.example.com/my-linux-backups"
export RESTIC_PASSWORD="Use-A-Long-Unique-Passphrase"
Lock the permissions down:
sudo chmod 600 /etc/restic/restic-env
Step 3: Initialize the Backup Repository
Load the environment file and initialize the repository. This creates the encrypted Restic structure in your bucket.
sudo -i
source /etc/restic/restic-env
restic init
If you get TLS or endpoint errors, verify the S3 URL format and whether your provider requires a region setting. For some S3-compatible services, you may also need to export AWS_DEFAULT_REGION, even if it is a placeholder value.
Step 4: Create an Exclude File (Recommended)
Backups get faster and cleaner when you avoid caches and temporary files. Create an exclude file:
nano /etc/restic/excludes.txt
Example entries:
/proc
/sys
/dev
/run
/tmp
/var/tmp
**/.cache
Step 5: Run Your First Backup
Start with important directories such as /etc, home folders, and application data. For servers, you might also include /var/lib for databases or container volumes (with proper application-aware procedures).
source /etc/restic/restic-env
restic backup /etc /home --exclude-file /etc/restic/excludes.txt
Then confirm a snapshot was created:
restic snapshots
Step 6: Set a Smart Retention Policy
Incremental backups are only useful if you keep enough history without growing storage forever. A common policy is to keep daily snapshots for a week, weekly for a month, and monthly for a year.
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
The --prune flag removes unneeded data chunks after snapshots are forgotten, keeping storage usage under control.
Step 7: Automate Backups with systemd
Create a service that runs one backup job. Save this as /etc/systemd/system/restic-backup.service:
[Unit]
Description=Restic Backup to S3
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
EnvironmentFile=/etc/restic/restic-env
ExecStart=/usr/bin/restic backup /etc /home --exclude-file /etc/restic/excludes.txt
ExecStartPost=/usr/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
[Install]
WantedBy=multi-user.target
Now create a timer at /etc/systemd/system/restic-backup.timer:
[Unit]
Description=Nightly Restic Backup
[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true
[Install]
WantedBy=timers.target
Enable and start the timer:
sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
systemctl list-timers | grep restic
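The service above chains two restic calls with ExecStart and ExecStartPost, which runs retention even when the backup itself failed and does nothing to stop a second timer firing from overlapping a slow upload. The wrapper below is an added example, not code from the tutorial or from the Restic project: it refuses to run if the credentials file is readable by other local users, serialises runs with flock(1), distinguishes restic's documented exit status 3 (a snapshot was written but some source files could not be read) from a hard failure, and only forgets and prunes after a snapshot actually exists. The RESTIC_* override variables, the lock file path and the script name restic-backup.sh are this example's own assumptions; GNU stat and util-linux flock are assumed present.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a wrapper the systemd
# service can call in place of the ExecStart/ExecStartPost pair.
# Assumptions: GNU stat and util-linux flock are available, the script is
# saved as restic-backup.sh, and the RESTIC_* overrides are this script's own.
set -u

ENV_FILE="${RESTIC_ENV_FILE:-/etc/restic/restic-env}"
EXCLUDE_FILE="${RESTIC_EXCLUDE_FILE:-/etc/restic/excludes.txt}"
LOCK_FILE="${RESTIC_LOCK_FILE:-/run/restic-backup.lock}"
RESTIC_BIN="${RESTIC_BIN:-restic}"
BACKUP_PATHS="${RESTIC_BACKUP_PATHS:-/etc /home}"

# Return 0 only if the credentials file exists and is mode 600 or 400.
# A 644 file would hand the repository passphrase to every local account.
env_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Label a restic backup exit status: 0 = ok, 3 = partial (restic wrote a
# snapshot but could not read some source files), anything else = failed.
classify_backup_status() {
    case "$1" in
        0) echo "ok" ;;
        3) echo "partial" ;;
        *) echo "failed" ;;
    esac
}

# Run the backup, then retention; returns restic's status on a hard failure.
run_backup() {
    if ! env_file_is_private "$ENV_FILE"; then
        echo "refusing to run: $ENV_FILE is missing or not mode 600" >&2
        return 2
    fi
    . "$ENV_FILE"
    # BACKUP_PATHS is intentionally word-split into separate arguments.
    if "$RESTIC_BIN" backup $BACKUP_PATHS --exclude-file "$EXCLUDE_FILE"; then
        status=0
    else
        status=$?
    fi
    label=$(classify_backup_status "$status")
    echo "backup: $label (exit $status)"
    if [ "$label" = "failed" ]; then
        return "$status"
    fi
    # Retention runs only after a snapshot was written, so a broken run
    # can never shrink the history you would need to recover from it.
    "$RESTIC_BIN" forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
}

main() {
    # Hold a lock for the whole run: a timer that fires while the previous
    # backup is still uploading waits up to 5 minutes instead of racing it.
    exec 9>"$LOCK_FILE"
    flock -w 300 9 || { echo "another backup is still running" >&2; exit 1; }
    run_backup
}

# Execute main only when run as the script itself, not when sourced.
case "${0##*/}" in
    restic-backup.sh) main ;;
esac
```

To use it, install the script as /usr/local/sbin/restic-backup.sh (mode 700, owned by root), replace the ExecStart and ExecStartPost lines in the service with a single `ExecStart=/usr/local/sbin/restic-backup.sh`, and drop the EnvironmentFile line, since the script sources the credentials itself after checking the file's mode. A partial backup (exit 3) is worth alerting on but should not block retention; a file that became unreadable is usually a permission or mount problem you want to notice.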
Step 8: Test Restores (Do Not Skip This)
A backup is only proven when you restore from it. To restore a single file, first browse snapshots:
source /etc/restic/restic-env
restic snapshots
restic ls latest
Restore a directory to a safe location:
mkdir -p /tmp/restic-restore
restic restore latest --target /tmp/restic-restore --include /etc
For quick checks, you can also run integrity verification occasionally:
restic check
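`restic check` verifies the repository's internal consistency, and `restic restore` proves that files come back, but neither tells you that the restored bytes equal what is on the live system. The script below is an added example, not part of the tutorial or of Restic itself: it restores a directory from a snapshot into a scratch target and then compares the restored tree with the source by SHA-256, reporting any missing, extra or changed file. The script name restic-restore-test.sh, the function names and the positional arguments are this example's own; GNU find, sha256sum and diff are assumed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: restore a directory from
# a snapshot into a scratch target and prove the restored files match the
# source byte-for-byte, rather than only checking that file names came back.
# Assumptions: GNU find/sha256sum/diff and restic on PATH; the snapshot id,
# source path and target directory are this script's own arguments.
set -u

# Print "sha256  ./relative/path" for every regular file under $1, sorted by
# path so that two trees can be compared with diff.
hash_tree() {
    root="$1"
    (cd "$root" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# Return 0 if $2 (the restored copy) matches $1 (the source) exactly; on a
# mismatch print the differing entries as a unified diff and return 1.
verify_restore() {
    src="$1"
    restored="$2"
    if [ ! -d "$src" ] || [ ! -d "$restored" ]; then
        echo "verify_restore: $src or $restored is not a directory" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    hash_tree "$src" > "$tmp/source.sha256"
    hash_tree "$restored" > "$tmp/restored.sha256"
    if diff -u "$tmp/source.sha256" "$tmp/restored.sha256"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Restore $path from snapshot $snap under $target (restic recreates the
# absolute path below the target, so /etc lands in $target/etc), then verify.
restore_and_verify() {
    snap="$1"
    path="$2"
    target="$3"
    mkdir -p "$target"
    restic restore "$snap" --target "$target" --include "$path" || return 1
    verify_restore "$path" "$target$path"
}

# Execute only when run as the script itself, not when sourced.
case "${0##*/}" in
    restic-restore-test.sh)
        # usage: restic-restore-test.sh latest /etc /tmp/restic-restore
        restore_and_verify "${1:-latest}" "${2:-/etc}" "${3:-/tmp/restic-restore}"
        ;;
esac
```

Run it right after a backup, or against a directory that does not change, because any edit made to the source since the snapshot shows up as a legitimate difference. The comparison covers file content only; ownership and permissions are restored by restic but are not checked here, so inspect them separately when they matter (for example for /etc/shadow or SSH host keys).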
Practical Security Notes
Treat the Restic password like a master key. Store it in a password manager, not only in a file. If your S3 provider supports object lock (WORM) or immutable retention, consider enabling it for the backup bucket to reduce the risk of backup deletion during an attack. Finally, keep at least one additional backup copy or bucket replication in a different region or account for true defense in depth.