Linux Backups

Restic encrypted backups intro

Practical Linux guide: restic encrypted backups intro without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Encrypted, deduplicated backups with Restic to local disk, SFTP, or S3 — incremental by default and script-friendly for Linux servers.

1) Install and init repo

sudo apt install restic
export RESTIC_PASSWORD="strong-repo-password"
restic init -r /mnt/backup/restic-repo

2) Backup

restic -r /mnt/backup/restic-repo backup /etc /home /var/www
restic -r /mnt/backup/restic-repo snapshots

3) Restore

restic -r /mnt/backup/restic-repo restore latest --target /tmp/restore

4) Automation and retention

restic -r /mnt/backup/restic-repo forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6

Wrap in a systemd timer; store the password in a root-only file and point RESTIC_PASSWORD_FILE at it.

Verify

restic check -r /mnt/backup/restic-repo
restic stats -r /mnt/backup/restic-repo

5) SFTP backend

restic init -r sftp:user@backuphost:/backups/restic

Requires SSH key auth; set the repository in the systemd service's EnvironmentFile.

6) Exclude patterns

restic -r /mnt/backup/restic-repo backup / --exclude-file=/etc/restic-excludes.txt

Contents of /etc/restic-excludes.txt:

/proc
/sys
/run
/tmp
/var/cache

7) Restore single file

restic -r /mnt/backup/restic-repo restore latest --target /tmp/out --include /etc/nginx/nginx.conf

3-2-1 rule

Three copies, two media types, one offsite. Restic repo on same disk as source is not a backup — replicate repo to S3 or remote SFTP with restic copy.

8) restic copy between repos

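restic -r s3:s3.amazonaws.com/bucket copy --from-repo /mnt/a

The destination is the repository given with -r and must already be initialised; the source repository's password is supplied separately, for example with --from-password-file.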

Prerequisites

Restic binary, repository location (local path, SFTP, S3), strong repo password in a secure store. Enough destination space for deduplicated growth. Data to back up identified, and the restore path tested once.

Bandwidth limits

restic -r /mnt/backup/restic-repo backup --limit-upload 5000 /home

Caps upload kb/s — prevents saturating uplink on home connections during first full backup.

RESTIC_REPOSITORY env

export RESTIC_REPOSITORY=s3:s3.amazonaws.com/mybucket
export RESTIC_PASSWORD_FILE=/root/.restic-pass

Standardise env in systemd unit for cron-free automation.
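
The root-only password file from step 4 and the environment variables above can be enforced before restic ever runs. The wrapper below is an added example, not part of the original guide: the function names, the exit status 78 for configuration errors, and the script's use as an ExecStart= target are assumptions, while the paths come from the earlier steps.

```sh
#!/bin/sh
# Added example (not from the original guide): wrapper for a systemd ExecStart= line.
# Expects RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE from the unit's EnvironmentFile=.
# Function names and exit status 78 are choices made for this example.

# True only for a regular file (not a symlink) owned by the invoking user
# with no group/other permission bits.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, ...
    set -- $(ls -ldn "$f")
    case $1 in
        -???------*) ;;   # a trailing "." or "+" (SELinux/ACL marker) is fine
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# Refuse to start on incomplete configuration or a password file others can read.
preflight() {
    if [ -z "${RESTIC_REPOSITORY:-}" ] || [ -z "${RESTIC_PASSWORD_FILE:-}" ]; then
        echo "RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE must be set" >&2
        return 78
    fi
    if ! secret_file_ok "$RESTIC_PASSWORD_FILE"; then
        echo "$RESTIC_PASSWORD_FILE must be a regular, owner-only file" >&2
        return 78
    fi
}

run_backup() {
    preflight || return $?
    restic backup --exclude-file=/etc/restic-excludes.txt /etc /home /var/www
    rc=$?
    [ "$rc" -eq 0 ] || echo "restic backup exited with status $rc" >&2
    return "$rc"   # a non-zero status reaches systemd, so OnFailure= fires
}

# Only act when called as "<script> run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then run_backup; exit $?; fi
```

Call it from the service as the script path followed by run; a status of 78 in the journal then means the job never reached restic.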

Restic and ransomware

Immutable S3 object lock on restic repo bucket prevents attacker deleting backups after encrypting production — pair restic password with separate AWS IAM role limited to PutObject only from backup host. Test restore quarterly; backup without tested restore is wishful thinking.

Lock and forget prune

Run forget/prune in separate maintenance window from backup — prune locks repo briefly. Stagger repos across nights. Monitor restic exit code in systemd OnFailure= unit triggering alert.

Multiple repos per host

Separate repos for /etc and /var/www reduce blast radius if one repo password compromised — different RESTIC_PASSWORD per repo in root-only env files referenced by distinct systemd units.

Exit codes in automation

restic returns 0 success, 1 partial error, 3 fatal — systemd OnSuccess and OnFailure units should branch on exit code not assume zero means verified restore. Add weekly restic check separate from backup job.
