Restic – The Backup You Should Be Using

Don't let the happy little guy in the logo throw you. Restic is a serious backup application that features encryption, version control, backup verification as well as space efficiency. Everything an admin should be looking for in a backup solution. If you're currently using Rsync as your primary backup method, I would give Restic a serious look. On top of the aforementioned features, it can also back up directly to SFTP-only servers without the need for a shell account...something Rsync can't do.

I discovered this backup application a few months ago and so far have been pretty impressed with it. Like any new app, there is a learning curve, which is why I decided to put together this Restic primer. It will take you through the initial setup process as well as expose you to some of Restic's better features. By the end of this article, I hope you become another Restic convert as this app definitely deserves more love.

*NOTE: This guide will be using Ubuntu 18.04 LTS as the base OS and the latest version of Restic, 0.9.5.


Installation - Go Straight to the Source

While there is a version of Restic available in the standard Ubuntu repository, it's fairly out-of-date, so I suggest downloading the latest version directly from Restic's GitHub page.

As I do with all apps that aren't installed from a repository, I install it in the good ole' /opt directory.

sudo mkdir /opt/restic
sudo wget -P /opt/restic
sudo bzip2 -d /opt/restic/restic_0.9.5_linux_amd64.bz2
sudo chmod 755 /opt/restic/restic_0.9.5_linux_amd64
sudo ln -rs /opt/restic/restic_0.9.5_linux_amd64 /opt/restic/restic

The last command creates a relative symbolic link named restic so you don't need to type the entire name of the app every time you run it. You can use this shortened name if you create an alias in your bashrc or bash_profile or when adding /opt/restic to your PATH.
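Since the binary comes straight from a release page and will run as root, it is worth checking the download before decompressing it. The following is an added example, not part of the original guide: restic's release pages carry a SHA256SUMS file, and the function name verify_release and the location where SHA256SUMS is saved are assumptions made here.

```sh
#!/bin/sh
# verify_release FILE SUMS   (hypothetical helper, added for illustration)
# Returns 0 only when SUMS has an entry for FILE's basename and the
# SHA-256 of FILE on disk equals that entry. 1 = mismatch, 2 = no entry.
verify_release() {
    name=$(basename "$1")
    # SHA256SUMS lines read "<hex digest>  <name>" ("*<name>" in binary mode)
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "verify_release: no entry for $name in $2" >&2
        return 2
    fi
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify_release: checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Typical use, with SHA256SUMS saved next to the download (assumed path):
#   verify_release /opt/restic/restic_0.9.5_linux_amd64.bz2 /opt/restic/SHA256SUMS \
#       && sudo bzip2 -d /opt/restic/restic_0.9.5_linux_amd64.bz2
```

A checksum file fetched from the same page as the binary only catches a corrupted or truncated download. restic also publishes a detached GPG signature for SHA256SUMS, and checking it with gpg --verify ties the checksums to the project's signing key.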

Building Your Snapshots a Home

Restic refers to their backups as snapshots so whenever you see that term in this guide, think backups.

Restic has been developed to store snapshots on many different types of servers using various transport methods including popular cloud-based hosting services like Amazon S3 & Backblaze B2. A list of currently supported repository locations can be found in the Restic Documentation.

To simplify this guide and not flood you with information, I'm going to show you how to create a local repository which can be used when storing backups on a locally mounted USB drive.

Creating the Restic Repository

In this guide, I'll be using /media/usbdrive as the USB drive's mountpoint and where we'll be creating the repository. Make sure to change this path to your drive's location.

sudo /opt/restic/restic init --repo /media/usbdrive/restic-repo

You'll be prompted to enter and confirm the password to the repository. Please use something long and difficult or use a password generator like pwgen. Do not lose this password as you'll need it anytime you access the repository.

Encrypting the Repository

Nothing to do here

Sorry for the lame joke. Restic encrypts every repository by default with an AES-256 cipher so there's nothing to do here.

I'm Ready for My Snapshot Mr. Restic

Taking snapshots with Restic is all done from the command line. While this may be a problem for those who are only comfortable with the warmth of a nice and easy graphical interface, this is actually perfect for those looking to automate and/or script their backups. We'll start off slow with a simple backup of a couple of directories to our Restic repository.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo backup --verbose --tag directories /opt/backupdir1 /opt/backupdir2

The above command will back up two directories at once to our Restic repository, /opt/backupdir1 & /opt/backupdir2.

Most of the command is pretty self-explanatory. The -r parameter specifies the repository location while the --verbose parameter makes the command output more...verbose.

The parameter that is not so self-explanatory and which deserves a closer look is --tag.

Tag Me In

When I first started using Restic, I wasn't aware of the tag parameter and how important it becomes when you start rotating your backups. I had already set up multiple backups from various locations all saving to the same repository and couldn't figure out how to keep 30 days' worth of backups from each backup job. Restic kept treating every new backup I added as part of the same group and only saving 30 backups total. Well, after some digging, I found out that I needed to give each backup job a different tag so that backups from each job could be grouped separately.

In short, adding tags gives you a way to group various backups together which makes it a whole lot easier to search, delete or rotate them.

You're also not limited to just one tag per backup job. You can specify multiple tags per backup by using the --tag parameter more than once.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo backup --verbose --tag directories --tag weekly --tag mailserver /opt/backupdir1 /opt/backupdir2

In our example, we tagged our backups with three different terms, directories, weekly & mailserver. Now if you ever want to find backups of a certain type, a certain schedule or from a particular server, you can do so with ease.

Listing Snapshots

What's the point of taking a nice snapshot if you're not going to admire it? You can view all the snapshots in a repository by running the snapshots command.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo snapshots

Below is an example of what your snapshot list will look like.

Example Snapshot Output

ID        Time                 Host        Tags         Paths
740bc6e8  2019-09-22 02:34:39  Servername  directories  /opt/backupdir1

d8e470ff  2019-10-02 01:12:01  Servername  directories  /opt/backupdir1
2 snapshots

As you can see, all the relevant data will be listed including the Host where the backup originated from, any tags used with the backup job and the original path of your data. If you have an eagle eye, you'll have noticed the ID number in front of each snapshot.

Every snapshot is assigned a random ID number. This ID is used most frequently when restoring a backup from your repository, which I'll show you how to do in the next section.

Hitting the Panic Button

Unfortunately, there will probably come a time when you accidentally delete something or mess up something so bad that the only way to climb out of Hades is to do a backup restoration. If you're a Restic user, you can rest easy knowing you always have that out.

Restoring Snapshots

Restoring a snapshot is pretty easy. The only thing we need to know beforehand is the ID of the snapshot we want to restore. We can easily get that info by running the snapshots command from the previous section.

We'll use that ID to run the restore command to copy our backup data to a location of our choosing.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo restore 740bc6e8 --target /tmp/restoredir

The --target parameter specifies the directory we want to restore the data to.

*TIP: If you want to restore the latest backup from your repository, you can replace the ID number with the word latest in the restore command. Use caution when doing this if you run multiple backup jobs to the same repository. You'll want to include the --path and --host parameters to make sure you restore the correct snapshot.

There are other parameters such as --include & --exclude that can be used if you don't want to restore an entire snapshot. You can find more info about them and other useful commands in the Restoring from backup documentation.

Mount the Whole Damn Repo

There may be a time when you're not exactly sure which backup contains the data you want to restore. Instead of restoring each snapshot individually you can mount the whole repository and look through each snapshot.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo mount /media/resticmount

After entering your password, the terminal will keep the process open until you cancel it or unmount the repository. You can reclaim your terminal by hitting Ctrl-Z and then entering the bg command to force the process to the background. You can then traverse the repository and look for the data you need to restore.

When you're done, make sure you are no longer in the /media/resticmount directory and unmount the repository with the following command.

sudo umount /media/resticmount

Out with the Old

If you let your backup jobs run long enough, you're eventually going to run out of space. This is why you should always delete older backups after taking your new backups. Restic handles this in a two-step process. You first delete the snapshot by running the forget command and then clean up all data & references to the snapshot by using the --prune parameter. We can combine these two steps into one command to make things easier.

*NOTE: The forget command runs fairly quickly as it just deletes the snapshot name from the repository. Pruning, on the other hand, actually deletes all the data and any references to the snapshot. If you haven't pruned your repository in a long time, this process can be lengthy. This is why I recommend always pruning after running forget.

In the following example, we'll target a specific group of backups and delete all but the last 30 backups from our repository.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo forget --tag directories --keep-last 30 --prune

In the above command, we used only one tag, targeting any backup with the directories tag. If we had specified the mailserver tag along with the directories tag, we would then target any backup containing both tags. Hopefully you can start to see the flexibility tags give you when managing your backups.

There are many more ways to handle the deletion and rotation of your snapshots. Check out the Restic documentation on Removing backup snapshots for more options.

Keeping an Eye on Things

Along with rotating your backups, it's a good idea to occasionally check on the health of your repository. You never know when a slowly dying hard drive will start corrupting your precious backups.

sudo /opt/restic/restic -r /media/usbdrive/restic-repo check

If everything checks out ok, you should see a message saying "no errors were found".

An Automated Snapshot Factory

If you're like most admins, you'll be looking for a way to automate or script your backups. One hurdle you'll need to overcome with Restic is that it asks for the repository password every time it is accessed. You can get around this by referencing a password file when Restic is run. Of course you'll want to restrict access to this file and only grant read access to the user which will be running your backups.

In our example we'll create a password file in the /root directory and change its permissions so it's only accessible by root.

sudo install -m 600 /dev/null /root/.restic
sudo nano /root/.restic

Within nano, enter your repository password and save.

To back up using this password file, just use the --password-file parameter like so and you'll no longer be prompted for the repository password.

sudo /opt/restic/restic --password-file /root/.restic -r /media/usbdrive/restic-repo backup --verbose /opt/backupdir1

You can add this command to a cronjob to have your backups run automatically on a set schedule.

sudo crontab -e

The cronjob below runs as root and will automatically back up to the Restic repository daily at 1:00 AM.

0 1 * * * /opt/restic/restic --password-file /root/.restic -r /media/usbdrive/restic-repo backup --verbose /opt/backupdir1

If you need help writing a cronjob tailored to your specific schedule, is a useful site that can automatically generate one for you.
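The single cron line above only takes the snapshot. As an added example (not from the original guide), the wrapper below goes a step further and chains the backup, forget/prune and check commands covered earlier, and refuses to run if the password file has become readable by anyone else. The function names, the --run switch and the script path in the comment are assumptions; the repository path, password file and tag are the ones used in this guide.

```sh
#!/bin/sh
# Added example: nightly job for the repository used in this guide.
# RESTIC, REPO, PWFILE and TAG can be overridden from the environment.
RESTIC=${RESTIC:-/opt/restic/restic}
REPO=${REPO:-/media/usbdrive/restic-repo}
PWFILE=${PWFILE:-/root/.restic}
TAG=${TAG:-directories}

# Succeeds only if the password file is a regular file (not a symlink),
# owned by the invoking user, with no group/other bits (mode 600 or 400).
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(stat -c '%a %u' "$1")    # GNU stat: octal mode, owner uid
    [ "$2" = "$(id -u)" ] || return 1
    case $1 in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Every restic call gets the same password file and repository.
restic_cmd() {
    "$RESTIC" --password-file "$PWFILE" -r "$REPO" "$@"
}

# backup -> forget/prune (same tag) -> check. Stops at the first failure
# and returns non-zero so cron reports the run as failed.
run_job() {
    if ! pwfile_is_private "$PWFILE"; then
        echo "refusing to run: $PWFILE is not private to this user" >&2
        return 3
    fi
    restic_cmd backup --tag "$TAG" "$@" || return 1
    restic_cmd forget --tag "$TAG" --keep-last 30 --prune || return 1
    restic_cmd check || return 1
}

# Runs only when asked, e.g. from root's crontab (script path assumed):
#   0 1 * * * /root/restic-job.sh --run /opt/backupdir1
if [ "${1:-}" = "--run" ]; then
    shift
    run_job "$@"
fi
```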

Sending Your Snapshots Away

As mentioned at the beginning of the article, one of the advantages Restic has over Rsync is its ability to back up to a remote Linux server without the need for shell access. This allows you to set up a more secure SFTP-only account on the server that houses your repository.

Assuming you already have an SFTP-only account set up on the remote server housing your Restic repository, here's how you can back up your data directly to it.

sudo /opt/restic/restic -r sftp:sftpuser@sftpserver:/mnt/usbdrive/restic-repo --verbose backup /opt/backupdir1

You'll need to replace sftpuser with the SFTP account username and sftpserver with the hostname or IP of the SFTP server.

If you're interested in creating fully automated remote backups, I wrote an in-depth article on building a Chrooted SFTP Jail. I highly recommend giving this a read as it also includes info on using Restic with this setup.

Mandatory Parting Words

Well, that wraps up another guide. There are a lot more features that Restic has to offer that I didn't have time to go through, but I hope what I provided motivates you to look further into this criminally underused application. Take care all and feel free to ask questions or comment below.
