Restic Backup

Restic Backup

Restic is a modern backup tool that addresses the main weaknesses of rsync backups: built-in encryption (all data encrypted at rest and in transit), deduplication across all backups (not just consecutive), and support for many storage backends including S3, SFTP, B2, and local paths. Its snapshot model lets you keep complex retention policies ("keep 7 daily, 4 weekly, 12 monthly backups") in a single command.

Why restic over rsync?

Installing and initializing a repository

# Install restic:
sudo apt install -y restic
# OR get latest from GitHub releases for newest features

# Initialize a local repository:
restic init --repo /mnt/backup/restic-repo

restic init output

enter password for new repository:
enter password again:
created restic repository abc12345 at /mnt/backup/restic-repo
Please note that knowledge of your password is required to access the repository.
Losing your password means that your data is forever lost.

# Initialize an S3 repository (for offsite backups):
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"
restic init --repo s3:s3.amazonaws.com/your-backup-bucket/server1

Creating backups

# Backup /var/www and /etc to the repository:
restic backup --repo /mnt/backup/restic-repo /var/www /etc

# Exclude patterns:
restic backup --repo /mnt/backup/restic-repo   --exclude="*.log" --exclude="/var/www/cache/"   /var/www /etc /home

# List all snapshots:
restic snapshots --repo /mnt/backup/restic-repo

restic snapshots output

ID        Time                 Host        Tags        Paths
----------------------------------------------------------------
abc12345  2025-06-07 02:00:15  webserver               /var/www, /etc
def67890  2025-06-08 02:00:12  webserver               /var/www, /etc
fed09876  2025-06-09 02:00:08  webserver               /var/www, /etc

Restoring from restic

# Restore latest snapshot to a directory:
restic restore latest --repo /mnt/backup/restic-repo --target /tmp/restore/

# Restore a specific snapshot:
restic restore abc12345 --repo /mnt/backup/restic-repo --target /tmp/restore/

# Restore specific paths only:
restic restore latest --repo /mnt/backup/restic-repo   --include "/etc/nginx" --target /tmp/restore/

# Mount a snapshot to browse files (requires FUSE):
restic mount --repo /mnt/backup/restic-repo /mnt/restic-mount &
ls /mnt/restic-mount/snapshots/latest/etc/nginx/

Automating with retention policies

# Create automated backup script:
sudo nano /usr/local/bin/restic-backup.sh

/usr/local/bin/restic-backup.sh

#!/bin/bash
export RESTIC_REPOSITORY="/mnt/backup/restic-repo"
export RESTIC_PASSWORD="your-repo-password"

# Run backup
restic backup /var/www /etc /home /root

# Apply retention policy:
restic forget   --keep-daily 7 \      # Keep 7 daily backups
  --keep-weekly 4 \     # Keep 4 weekly backups
  --keep-monthly 12 \   # Keep 12 monthly backups
  --prune               # Actually delete removed snapshots

# Verify repository integrity monthly (expensive — skip on daily runs):
# restic check --read-data

sudo chmod +x /usr/local/bin/restic-backup.sh
echo "0 2 * * * root /usr/local/bin/restic-backup.sh >> /var/log/restic.log 2>&1" | sudo tee /etc/cron.d/restic

Conclusion

Restic is the better choice over rsync when you need encryption (required for cloud storage you don't control), cross-file deduplication, or automated retention policies. The encryption key is everything — store it in a password manager and separately from the backup server. Run restic check --read-data monthly to verify backup integrity. The forget --prune command removes old snapshots but must be run regularly, otherwise the repository grows without bound.