Set Up Restic + S3-Compatible Storage for Secure, Automated Linux Backups

on

Why Restic Is a Smart Backup Choice in 2026

Backups are easy to postpone until the day you need them. Restic is a modern backup tool that helps you avoid that trap by making backups fast, encrypted by default, and storage-efficient through deduplication. It works especially well with S3-compatible object storage (such as MinIO, Wasabi, Backblaze B2 S3, Cloudflare R2 via S3 API, and many NAS appliances), giving you an offsite backup that is both resilient and scalable.

In this tutorial, you will install Restic on Linux, connect it to an S3-compatible bucket, create a secure backup policy, automate it with systemd, and verify that restores work. The steps focus on a practical, production-friendly setup you can run on a server or workstation.

Prerequisites

Before you start, you need: a Linux machine (Debian/Ubuntu, RHEL/Rocky/Alma, or similar), credentials for an S3-compatible bucket (access key, secret key, endpoint URL, and bucket name), and enough permissions to read the directories you want to back up. If you are backing up system paths like /etc and /var, you will likely run Restic as root.

Step 1: Install Restic

On Ubuntu/Debian, you can install Restic from the package manager:

sudo apt update && sudo apt install -y restic

On RHEL/Rocky/Alma, Restic is often available via EPEL:

sudo dnf install -y epel-release && sudo dnf install -y restic

After installation, confirm the version:

restic version

Step 2: Define Environment Variables for S3 Storage

Restic reads S3 credentials from environment variables. Create a root-only environment file so secrets are not exposed in shell history:

sudo install -m 0600 /dev/null /etc/restic.env

Edit the file:

sudo nano /etc/restic.env

Add the following (adjust values for your provider):

AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY

AWS_SECRET_ACCESS_KEY=YOUR_SECRET_KEY

AWS_DEFAULT_REGION=us-east-1

RESTIC_REPOSITORY=s3:https://s3.example.com/my-restic-bucket

RESTIC_PASSWORD=Use-A-Long-Unique-Passphrase

If you are using a custom endpoint (common with MinIO and many S3-compatible services), the repository URL format is important: s3:https://ENDPOINT/BUCKET. Keep the password strong; it encrypts your data, and there is no recovery if you lose it.

Step 3: Initialize the Restic Repository

Load the environment and initialize the repository:

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic init'

This creates the repository structure in your bucket. If initialization fails, double-check your endpoint URL, bucket name, and credentials. Also ensure the bucket exists and the credentials have permission to list, put, and delete objects.

Step 4: Run Your First Backup

Start with a clear, high-value set of directories. For example, backing up system configuration and user data:

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic backup /etc /home --exclude /home/*/.cache'

Restic will scan files, upload only new chunks, and output a snapshot ID. The next backups are usually much faster thanks to deduplication.

Step 5: Verify Snapshots and Test a Restore

List snapshots to confirm your backup history:

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic snapshots'

To restore safely, do a test restore to a temporary directory:

sudo mkdir -p /restore-test

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic restore latest --target /restore-test'

Open a few restored files and confirm permissions and content. A backup you never tested is not a backup; it is a guess.

Step 6: Add Retention and Repository Maintenance

Without retention rules, storage can grow quietly. A common policy keeps daily backups for a week, weekly backups for a month, and monthly backups for a year:

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune'

Also schedule an integrity check occasionally (weekly or monthly):

sudo -E bash -c 'set -a; source /etc/restic.env; set +a; restic check'

Step 7: Automate Backups with systemd

Create a service unit that loads the environment file. Save this as /etc/systemd/system/restic-backup.service:

[Unit]

Description=Restic Backup

Wants=network-online.target

After=network-online.target

[Service]

Type=oneshot

EnvironmentFile=/etc/restic.env

ExecStart=/usr/bin/restic backup /etc /home --exclude /home/*/.cache

ExecStartPost=/usr/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune

[Install]

WantedBy=multi-user.target

Now create a timer at /etc/systemd/system/restic-backup.timer:

[Unit]

Description=Run Restic Backup Daily

[Timer]

OnCalendar=daily

Persistent=true

[Install]

WantedBy=timers.target

Enable and start the timer:

sudo systemctl daemon-reload

sudo systemctl enable --now restic-backup.timer

To confirm it will run, check timers and the last run logs:

systemctl list-timers --all | grep restic

journalctl -u restic-backup.service --no-pager -n 100

Common Troubleshooting Tips

If you see authentication errors, re-check the environment file permissions and values, and confirm your storage provider’s S3 endpoint URL. If backups are slow, review exclusions (caches and build directories can explode in size) and consider backing up database dumps instead of live database directories. If you are backing up a server over a flaky connection, Restic’s incremental design helps, but you should still schedule backups during quieter hours.

With Restic plus S3-compatible storage, you get encrypted offsite backups, predictable automation, and a restore process that is straightforward. Once your daily job is stable, the next best improvement is to document a full recovery runbook and test it quarterly.

Comments

Post a Comment