Peace of Mind with Restic Backup on Linux

Published:25 March 2022 - 10 min. read

Arvid Larson Image

Arvid Larson

Read more tutorials by Arvid Larson!

Block over 3 billion compromised passwords & strengthen your Active Directory password policy. Try Specops Password Policy for free!

Backup is one of the most critical things in every industry, and you may be looking for which backup solution is most reliable. Why not try Restic backup on Linux?

Restic is a secure, fast, and reliable backup solution. And in this tutorial, you’ll learn to set up Restic backup system on a Linux server.

Read on and never lose any of your data anymore!

Prerequisites

This tutorial will be a hands-on demonstration. To follow along, be sure you have the following:

  • Two Linux Servers – This tutorial uses two Debian 11 servers named server1 and backup-server.
  • A non-root user with sudo privileges.

Installing Restic on Linux

Restic stores data in the encrypted repository, and whenever you add data to the repository, Restic automatically creates a new snapshot. But before taking advantage of the Restic backup utility, you’ll first have to install Restic on your machine.

1. Open your terminal and log in to the server1 machine.

2. Next, run the wget command below to download the Restic binary file. As of this writing, the latest version of Restic is v0.12.1.

wget https://github.com/restic/restic/releases/download/v0.12.1/restic_0.12.1_linux_amd64.bz2

3. Run the following commands to extract the restic_0.12.1_linux_amd64.bz2 file, and verify the restic_0.12.1_linux_amd64 binary file exists.

# Extract restic_0.12.1_linux_amd64.bz2
bzip2 -dv restic_0.12.1_linux_amd64.bz2
# List the files to verify restic_0.12.1_linux_amd64 exists
ls
Extracting Restrict’s Binary File
Extracting Restrict’s Binary File

4. Now, run the chmod command to make the restic_0.12.1_linux_amd64 file executable, then rename and move the file to the /usr/bin/restic directory.

At this point, you can now run the restic command on your server.

# Make Restic file executable
chmod +x restic_0.12.1_linux_amd64

# Installing Restic
mv restic_0.12.1_linux_amd64 /usr/bin/restic

5. Run the restic command below to generate the bash completion for Restic. Doing so makes it easy for users to run the restic command.

restic generate --bash-completion /etc/bash_completion.d/restic

6. Lastly, run the below command to reload the bash completion on your current terminal session, then run the restic command and press TAB to show available options for the restic command.

Lastly, run the following commands to reload the bash completion on your current terminal session. Type restic, and press the TAB key to show available options for the restic command.

# reload bash completion
source /etc/profile.d/bash_completion.sh

# verify restic command
restic

You should see all available options of the restic command, as shown below.

Setting up Restic’s Auto-Complete
Setting up Restic’s Auto-Complete

Setting up a Backup Server

Now that you’ve installed Restic on the server1 machine, the next step is to set up the backup-server, so you can start backing your data through the SFTP protocol.

By default, Restic allows you to backup data to the local directory, remote server, and SFTP protocol. Restic also lets you backup data to third-party cloud backup services such as Amazon S3, Azure Blog Storage, Backblaze B2, and Google Cloud Storage.

1. Open a new terminal and log in to the backup-server machine.

2. Next, run the below command to create a new user named johndoe and set up a password.

# create new user
useradd -m -s /bin/bash johndoe

# setup the password
passwd johndoe

3. Run each command below to create a new backup directory (/srv/backup) for Restic and change the ownership (chown) to the johndoe user and group. This directory will store all backup data from the server1 machine.

# create new backup directory
mkdir -p /srv/backup

# change ownership of the backup directory
sudo chown -R johndoe:johndoe /srv/backup

4. Now, switch to the server1 machine, and run the below command to generate an SSH key.

Instead of using password-based authentication, you’ll go for key-based authentication. An SSH key is essential, especially when setting up an automatic backup with a shell script or using Cron jobs.

ssh-keygen

Press ENTER to the following prompts, as shown below. Doing so sets the save location of your SSH key to the default directory (~/.ssh) and disables the password for your SSH private key.

At this point, in the ~/.ssh directory, you’ll have the id_rsa (SSH private key) and the id_rsa.pub (your public key) files.

Generating an SSH Key
Generating an SSH Key

5. Run the ls command below to verify that the id_rsa and id_rsa.pub files exist in the ~/.ssh directory.

ls ~/.ssh/
Verify ID RSA
Verify ID RSA

6. Next, run the ssh-copy-id command below to upload the SSH public key to the backup-server. In this demo, the backup-server uses the username johndoe and the IP address 172.16.1.150.

ssh-copy-id [email protected]

When the upload completes, you’ll receive the message saying Number of key(s) added: 1 on your terminal.

Copying SSH key to the backup-server
Copying SSH key to the backup-server

7. Lastly, run the ssh command below to verify and connect to the backup-server.

Notice that you automatically logged in to the backup-server without password authentication.

Logging with SSH key
Logging with SSH key

Initializing a New Repository

You’ve now configured the Restic backup server, so the next step is to initialize a new repository. Restic will store backup data in a repository, and each backup action creates a new snapshot inside that repository.

1. Run the restic command below to initialize (init) a repository (-r <sftp:[email protected]>:/srv/backup) using the SFTP protocol.

restic -r sftp:[email protected]:/srv/backup init

2. Input a strong password for the repository and confirm the password. Remember the password, as you’ll use it to decrypt your backup data.

As shown below, the new repository (a9073b62d0) is created on the SFTP server (sftp:[email protected]:/srv/backup).

Initializing a New Repository
Initializing a New Repository

3. Lastly, run the restic command below to verify the repository. You’ll be prompted to input the password you previously noted for the repository (step two).

restic -r sftp:[email protected]:/srv/backup check

If there’s no error, you’ll get the no errors were found message, shown below.

Verifying the New Repository
Verifying the New Repository

Backing up Data to a Repository

You’ve now initialized the repository using the SFTP server on the backup-server. But how do you backup data with Restic? You’ll back up data from server1 to the repository in the backup-server.

1. Run the restic command below to back up the data from the /var/www/wordpress directory to the repository.

restic -r sftp:[email protected]:/srv/backup backup /var/www/wordpress

Input the password for the repository, and when the backup process is complete, Restic creates the snapshot (736949a9), as shown below.

Backing up Data with Restic
Backing up Data with Restic

2. Next, run the below command to list all snapshots.

restic -r sftp:[email protected]:/srv/backup snapshots

Ensure the snapshot (736949a9) is available on the list, as shown below

Checking Snapshots
Checking Snapshots

3. Run the below command to list all files (ls) on the snapshot (736949a9).

restic -r sftp:[email protected]:/srv/backup ls 736949a9

You’ll see the list of files on the snapshot (736949a9), which is the backup data from the /var/www/wordpress/ directory.

Checking Files on the Snapshot
Checking Files on the Snapshot

Additionally, you can run the below command to backup multiple directories (/var/www/wordpress and /var/www/html) to the same repository.

restic -r sftp:[email protected]:/srv/backup backup /var/www/wordpress /var/www/html

Notice below that Restic created a new snapshot (7b6e321e).

Backing up Multiple Directories
Backing up Multiple Directories

4. Now, run each command below to list all snapshots, stats of backup files, and the difference between two snapshots (736949a9 and 7b6e321e).

# checking list snapshots
restic -r sftp:[email protected]:/srv/backup snapshots

# show stats of repository
restic -r sftp:[email protected]:/srv/backup stats

# checking different between two snapshots
restic -r sftp:[email protected]:/srv/backup diff 736949a9 7b6e321e

Below, the snapshots 736949a9 and 7b6e321e have the same backup data (/var/www/wordpress). Notice that their file sizes on the repository are also the same since Restic only backs up file changes, making Restic fast and efficient.

Checking and Comparing Snapshots
Checking and Comparing Snapshots

Excluding Files in Backup Processes

Backing up data comes in handy, but how do you exclude unnecessary data? Restic lets you exclude files/directories with the --exclude-file option during the backup process.

The --exclude-file option can exclude junk files, such as log files, making the backup process faster and cleaner.

1. Run the below command to create a new directory called /opt/backup to store the backed-up files.

mkdir -p /opt/backup

2. Next, create a new file (/opt/backup/excludes.txt) using your preferred text editor and populate the following configuration.

The configuration below tells Restic to exclude files with different file types.

# excludes files .zip
*.tar.gz

# excludes directory logs
logs

# exclude .txt files on the directory data
data/*.txt

3. Run the below command to backup data from the /var/www/html directory to the repository (-r <sftp:[email protected]>:/srv/backup). The --exclude-files option tells Restic to exclude files and directories listed in the exludes.txt file.

restic -r sftp:[email protected]:/srv/backup backup /var/www/html --exclude-file=/opt/backup/excludes.txt

Below, the new backup snapshot ca99be01 is created by Restic, excluding files, you specified in the excludes.txt file.

Excluding Files from the Backup
Excluding Files from the Backup

4. Now, run the below command to verify the list of files (ls) on the snapshot ca99be01.

restic -r sftp:[email protected]:/srv/backup ls ca99be01

You’ll see all backed-up files except those you defined in the configuration file (excludes.txt).

Listing Files on Snapshot
Listing Files on Snapshot

5. Finally, run the tree command below to verify excluding data works with Restic.

tree /var/www/html/

As you see below, the /var/www/html directory contains text files inside, but Restic didn’t exclude them from the backup.

Listing Files on /var/www/html Directory
Listing Files on /var/www/html Directory

Removing Snapshots from Repository

In most cases, you may only need two or three versions of snapshots at the latest. So why not remove the older snapshots? Removing snapshots require that you know the snapshot’s ID, so check the list of snapshots first.

1. Run the below command to list all snapshots in the repository.

restic -r sftp:[email protected]:/srv/backup snapshots

Pick one ID of the snapshot to remove (736949a9).

Listing Snapshots in the Repository
Listing Snapshots in the Repository

2. Next, run the following commands to remove (forget) specific snapshot (736949a9), and its remaining data from the repository.

# Removes snapshot only
restic -r sftp:[email protected]:/srv/backup forget 736949a9
# Removes remaining data from repository
restic -r sftp:[email protected]:/srv/backup prune
Removing Snapshot and Remaining Data
Removing Snapshot and Remaining Data

3. Run the below command to perform a --dry-run and see which snapshots will be removed (forget) and which two snapshot versions will be kept (--keep-last 2).

Before deleting snapshots, a dry run is always recommended to avoid losing important snapshots.

restic -r sftp:[email protected]:/srv/backup forget --keep-last 2 --prune --dry-run
Checking which Snapshots to Remove and to Keep
Checking which Snapshots to Remove and to Keep

4. Run the below command to remove (forget) old snapshot versions and keep the last two (--keep-last 2) from the repository.

restic -r sftp:[email protected]:/srv/backup forget --keep-last 2 --prune
Remove Forget
Remove Forget

5. Finally, run the below command to list all existing snapshots.

restic -r sftp:[email protected]:/srv/backup snapshots

You can see below that only the last two snapshot versions remain.

Checking Available Snapshots
Checking Available Snapshots

Restoring Data on Repository

Perhaps you accidentally removed crucial data from the repository. If so, how do you get them back? Luckily, Restic lets you decrypt and restore backup data so long as you know the snapshot ID of the backup.

1. Run the restic command below to check available snapshots on the repository.

restic -r sftp:[email protected]:/srv/backup snapshots

Below is an example of snapshots available on the repository. Note the snapshot ID of the backup data to restore.

Checking Snapshots
Checking Snapshots

2. Next, run the following commands to create a restore directory (/opt/restore) and restore your target snapshot (6b44ac32) to that restore directory.

# Create a restore directory
mkdir -p /opt/restore
# Restore snapshot data to the /opt/restore directory
restic -r sftp:[email protected]:/srv/backup restore 6b44ac32 --target /opt/restore
Restoring Backup Data
Restoring Backup Data

3. Finally, run the ls command below to verify the restored data.

ls /opt/restore/var/www/wordpress

As shown below, you’ll see the list of files restored from the snapshot (6b44ac32).

Viewing Restored Data
Viewing Restored Data

Restoring Specific Files

You’ve just restored lost data, but what if you only need to restore a specific file? With Restic, you can target a specific file by appending the --include option in the restic command.

1. Run the below command to create a directory to hold the specific file to restore from a snapshot.

mkdir -p /opt/restore/specific

2. Next, run the restic commands below to restore a specific directory (/var/www/wordpress/wp-content) and a specific file (wp-config.php) from the snapshot (6b44ac32). Each command sets the target restore directory to the /opt/restore/specific directory.

# restore specific directory wp-config
restic -r sftp:[email protected]:/srv/backup restore 6b44ac32 --target /opt/restore/specific --include /var/www/wordpress/wp-content

# restore specific file wp-config.php
restic -r sftp:[email protected]:/srv/backup restore 6b44ac32 --target /opt/restore/specific --include /var/www/wordpress/wp-config.php
target restore directory
target restore directory

3. Lastly, run the ls command below to verify the restored file and directory in the directory (/opt/restore/specific).

ls /opt/restore/specific/var/www/wordpress

If the restoration worked correctly, you’d see the directory (wp-content) and file (wp-config.php) restored from the snapshot (6b44ac32).

Verifying Restored File and Directory
Verifying Restored File and Directory

Backing up Data Automatically with Restic and Cron

At this point, you’ve already learned all the basic usage of the Restic backup tool. But since manually backing up data can be a pain, why automatically backup data on your Linux system? Restic, together with Cron, can do wonders, such as automating the process of data backup.

1. Create a new file (/opt/backup/.secret) using your preferred editor and input the password of your repository. This demo uses the password ResticRepositoryPassword for the Restic repository.

2. Next, run the below command to change the permission of the /opt/backup/.secret file to 600. The permission code 600 gives read and write permission only to the/opt/backup/.secret file owner.

chmod 600 /opt/backup/.secret

3. Run the crontab command below to create a new Cron job. The -u root option indicates the Cron job will be running as the root user.

crontab -u root -e

4. Select your preferred editor, and the Cron configuration file opens in that editor. But this demo uses the nano editor.

Creating a New Cron Job
Creating a New Cron Job

5. Finally, populate the Cron configuration with the following configuration to set up automatic backup and save the changes.

The below script performs the following:

  • Run the restic command every 1.AM to backup directories (/var/www/wordpress and /var/www/html) to the repository SFTP server (sftp:[email protected]:/srv/backup).
  • Automatically delete old snapshot at 2.AM and keep the last two versions of snapshots.
  • Specifies (--password-file) the file (/opt/backup/.secret) that contains your password for the Restic repository, so you don’t have to hard code your password in the Cron configuration.
# Runs daily backup at 1.AM
0 1 * * * restic --password-file /opt/backup/.secret -r sftp:[email protected]:/srv/backup backup --verbose /var/www/{wordpress,html}

# Runs every 2.AM, and always keeps the last 2 backup snapshots
0 2 * * * restic --password-file /opt/backup/.secret -r sftp:[email protected]:/srv/backup forget --keep-last 2 --prune

Conclusion

In this tutorial, you’ve learned how to install Restic on Linux and different ways to backup your data, from directories to specific files with snapshots. Apart from data backup, you’ve discovered that you can restore unexpectedly lost data. Automation plays a big part in backing up your data, so keep the Cron jobs running to secure your data.

At this point, you’re ready to backup more data using Restic. And why not leverage your backup by using tags, filtering policy, and backup cloud services?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!