Restic Backups: Encrypted, Incremental, and Cloud-Ready

Reliable backups require three things: encryption, automation, and restore confidence. Restic provides all three with a lightweight CLI and broad backend support.

This guide sets up a practical backup workflow suitable for servers and small infrastructure teams.

1) Install Restic

On Ubuntu/Debian:

sudo apt update
sudo apt install restic -y
restic version

2) Configure repository credentials

Use environment variables for non-interactive jobs:

export RESTIC_REPOSITORY=s3:https://s3.us-east-1.amazonaws.com/my-restic-bucket
export RESTIC_PASSWORD='use-a-strong-passphrase'
export AWS_ACCESS_KEY_ID='...'
export AWS_SECRET_ACCESS_KEY='...'

For a local repository:

export RESTIC_REPOSITORY=/backup/restic-repo
export RESTIC_PASSWORD='use-a-strong-passphrase'

Initialize the repository:

restic init

3) Create first snapshot

restic backup /etc /var/www /home

List snapshots:

restic snapshots

4) Apply retention policy

A balanced policy:

restic forget --prune \
  --keep-last 10 \
  --keep-daily 14 \
  --keep-weekly 8 \
  --keep-monthly 12

This controls growth while preserving useful recovery points.

5) Verify repository integrity

Quick check:

restic check --read-data-subset=5%

Periodic full check:

restic check

6) Restore test (mandatory)

Restore a specific path from the latest snapshot:

restic restore latest --target /tmp/restore-test --include /etc/nginx/nginx.conf

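After the restore, validate the file's integrity and permissions. Restic recreates the full original path under the target, so the file lands at /tmp/restore-test/etc/nginx/nginx.conf.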

7) Automate with systemd

Create the service unit /etc/systemd/system/restic-backup.service:

[Unit]
Description=Restic Backup Job

[Service]
Type=oneshot
EnvironmentFile=/etc/restic/env
ExecStart=/usr/bin/restic backup /etc /var/www /home
ExecStartPost=/usr/bin/restic forget --prune --keep-last 10 --keep-daily 14 --keep-weekly 8 --keep-monthly 12

Create the timer /etc/systemd/system/restic-backup.timer:

[Unit]
Description=Run Restic backup daily

[Timer]
OnCalendar=*-*-* 02:15:00
Persistent=true

[Install]
WantedBy=timers.target

Enable the timer:

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
sudo systemctl list-timers | grep restic
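
The service unit in step 7 reads its credentials from /etc/restic/env, a file the guide references but does not show. The check below is an added example, not part of the original guide: it audits that file, assuming it holds the step 2 variables as plain KEY=value lines and should be owned by root with mode 600 or 400. The function name audit_restic_env is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit the file named by EnvironmentFile= in restic-backup.service.
# Usage: audit_restic_env FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one FAIL line per finding and returns 0 only when there are none.
audit_restic_env() {
    local file="$1" uid="${2:-0}" findings=0 mode
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    # The file carries the repository passphrase: owner-only access.
    mode=$(stat -c '%a' "$file")    # GNU stat, as shipped on Ubuntu/Debian
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: mode is $mode, expected 600 or 400"; findings=$((findings + 1)) ;;
    esac
    if [ "$(stat -c '%u' "$file")" != "$uid" ]; then
        echo "FAIL: file is not owned by uid $uid"; findings=$((findings + 1))
    fi
    # systemd does not pass this file through a shell, so the 'export' lines
    # from step 2 would not set the variables.
    if grep -Eq '^[[:space:]]*export[[:space:]]' "$file"; then
        echo "FAIL: drop the 'export' prefix, use plain KEY=value lines"
        findings=$((findings + 1))
    fi
    if ! grep -Eq '^RESTIC_REPOSITORY=.' "$file"; then
        echo "FAIL: RESTIC_REPOSITORY is not set"; findings=$((findings + 1))
    fi
    # restic also accepts RESTIC_PASSWORD_FILE or RESTIC_PASSWORD_COMMAND.
    if ! grep -Eq '^RESTIC_PASSWORD(_FILE|_COMMAND)?=.' "$file"; then
        echo "FAIL: no RESTIC_PASSWORD* variable is set"; findings=$((findings + 1))
    fi
    # The guide's sample passphrase must not survive into a real deployment.
    if grep -q 'use-a-strong-passphrase' "$file"; then
        echo "FAIL: passphrase is still the guide's placeholder"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $file"
    [ "$findings" -eq 0 ]
}

# When called with arguments, audit that file (e.g. /etc/restic/env).
[ "$#" -eq 0 ] || audit_restic_env "$@"
```

Saved as a script and run as root with /etc/restic/env as its argument, it exits non-zero on any finding, so it can gate the enable step in provisioning.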

Practical Best Practices

  • Keep the repository password in a secure secret manager
  • Separate backup credentials from runtime app credentials
  • Keep an immutable/offline copy for ransomware resilience
  • Document the restore runbook and recovery priorities

Summary

Restic gives you enterprise-grade backup fundamentals with minimal complexity. If you automate snapshots, retention, checks, and restore drills, you get a dependable data protection baseline for both local and cloud targets.

The key is operational discipline: backup jobs must be observable, testable, and periodically restored.