Backup with Restic

This is a comprehensive tutorial for setting up Restic backups.

```wiki = Backup with Restic = Restic is a modern, fast, secure, and easy-to-use backup program. It supports various backends, including local directories, SFTP servers, and cloud storage like Amazon S3, Google Cloud Storage, and Azure Blob Storage. This guide will walk you through setting up Restic for encrypted backups to local, SFTP, and S3 destinations.

Prerequisites

• A Linux server with root or sudo privileges.
• Basic understanding of the Linux command line.
• For SFTP backups: An SFTP server accessible from your backup server and a dedicated user account for backups.
• For S3 backups: An AWS account with an S3 bucket created and appropriate access credentials (Access Key ID and Secret Access Key).
• Restic installed on your backup server. If not installed, you can download the latest release from the Restic GitHub releases page and install it. For example, on Debian/Ubuntu:

wget https://github.com/restic/restic/releases/download/v0.16.0/restic_0.16.0_linux_amd64.deb
sudo dpkg -i restic_0.16.0_linux_amd64.deb

• Ensure your system is up-to-date:

sudo apt update && sudo apt upgrade -y

Initializing a Restic Repository

A Restic repository is where your backups are stored. It's essential to initialize it before you can start backing up. You will need to choose a strong password to encrypt your backups. This password is crucial; if lost, your backups will be unrecoverable.

Local Repository

To initialize a repository on a local directory: # Choose a directory for your repository. Ensure it has enough free space for your backups.

sudo mkdir /mnt/backups/restic_repo

# Initialize the repository, providing a password. Replace 'your_strong_password' with a secure password.

export RESTIC_PASSWORD='your_strong_password'
restic init --repo /mnt/backups/restic_repo

Expected Output:

repository created

# It's recommended to store your password securely, for example, in an environment file.

echo "export RESTIC_PASSWORD='your_strong_password'" >> ~/.restic_env
source ~/.restic_env

Security Implication: Storing the password in plain text in an environment file is convenient but can be a security risk if the file is not properly protected. Consider using a secrets management tool for production environments.

SFTP Repository

To initialize a repository on an SFTP server: # Ensure you have an SFTP user (e.g., `backupuser`) and an SSH key for passwordless access. # Create a directory on the SFTP server for your repository. # Initialize the repository. Replace `sftp://user@your_sftp_server.com/path/to/repo` with your SFTP details.

export RESTIC_PASSWORD='your_strong_password'
restic init --repo sftp://backupuser@your_sftp_server.com/home/backupuser/restic_repo

Expected Output:

repository created

Security Implication: Using SSH keys for authentication is more secure than password-based authentication. Ensure your private SSH key is protected.

S3 Repository

To initialize a repository on an S3 bucket: # Ensure you have an S3 bucket created and your AWS Access Key ID and Secret Access Key. # Set the AWS credentials as environment variables.

export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
export RESTIC_PASSWORD='your_strong_password'

# Initialize the repository. Replace `s3:your-s3-bucket-name/restic_repo` with your bucket name and desired path.

restic init --repo s3:my-backup-bucket/restic_repo

Expected Output:

repository created

Security Implication: Never hardcode AWS credentials in scripts. Using environment variables or IAM roles is the recommended approach.

Performing Backups

Once your repository is initialized, you can start backing up your data.

Backup to Local Repository

To back up a directory (e.g., `/var/www/html`) to your local repository:

restic backup /var/www/html --repo /mnt/backups/restic_repo

Expected Output (will vary based on files):

repository contains X snapshots
now: ...
...
Files:              10000
Dirs:               1000
Size:               1.234 GiB
[...]
Snapshots created:  1
[...]

Explanation: Restic will scan the specified directory, identify new or changed files, encrypt them, and store them in the repository. The `backup` command creates a new snapshot of your data.

Backup to SFTP Repository

restic backup /var/www/html --repo sftp://backupuser@your_sftp_server.com/home/backupuser/restic_repo

Backup to S3 Repository

export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
export RESTIC_PASSWORD='your_strong_password'
restic backup /var/www/html --repo s3:my-backup-bucket/restic_repo

Automating Backups with Cron

To ensure regular backups, you should automate the process using `cron`.

# Edit your crontab:

crontab -e

# Add a line to schedule your backup. This example runs a backup every day at 2 AM to the local repository:

0 2 * * * /usr/bin/restic --repo /mnt/backups/restic_repo backup /var/www/html --password-file /etc/restic/repo.pass > /var/log/restic_backup.log 2>&1

Explanation:
• `0 2 * * *`: Cron schedule (minute, hour, day of month, month, day of week).
• `/usr/bin/restic`: Full path to the Restic executable.
• `--repo`: Specifies the repository location.
• `--password-file`: Points to a file containing your repository password. Create this file and secure its permissions:

sudo mkdir -p /etc/restic
echo 'your_strong_password' sudo tee /etc/restic/repo.pass
sudo chmod 600 /etc/restic/repo.pass

• `> /var/log/restic_backup.log 2>&1`: Redirects standard output and standard error to a log file for review.

Security Implication: Using `--password-file` is generally preferred over `RESTIC_PASSWORD` environment variable in cron jobs for better security. Ensure the password file has strict permissions (readable only by root).

Managing Backups

Restic provides commands to manage your snapshots and repository.

Listing Snapshots

To list all snapshots in a repository:

restic snapshots --repo /mnt/backups/restic_repo

Expected Output:

ID     Time                 Host     Tags        Paths
----------------------------------------------------------------------------
a1b2c3d4 2023-10-27 02:00:00  myserver             /var/www/html
e5f6g7h8 2023-10-28 02:00:00  myserver             /var/www/html
----------------------------------------------------------------------------
2 snapshots

Pruning Old Snapshots

To save space, you should periodically remove old snapshots.

restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --repo /mnt/backups/restic_repo
restic prune --repo /mnt/backups/restic_repo

Explanation:
• `forget`: Marks snapshots for deletion based on retention policies.
* `--keep-daily 7`: Keep the last 7 daily snapshots. * `--keep-weekly 4`: Keep the last 4 weekly snapshots. * `--keep-monthly 6`: Keep the last 6 monthly snapshots.
• `prune`: Actually removes the marked snapshots and any associated data that is no longer referenced.

Performance Benchmark: Pruning can be I/O intensive, especially for large repositories. Schedule it during off-peak hours. The time taken depends on the repository size and the number of snapshots being pruned.

Checking Repository Integrity

It's good practice to periodically check your repository's integrity.

restic check --repo /mnt/backups/restic_repo

Explanation: This command verifies the repository's data integrity and checks for any corruption.

Restoring Data

In case of data loss, you can restore your files.

Listing Files in a Snapshot

First, find the snapshot ID you want to restore from.

restic snapshots --repo /mnt/backups/restic_repo

Then, list the files in that snapshot:

restic ls  --repo /mnt/backups/restic_repo

Restoring a Snapshot

To restore a specific snapshot to a directory:

restic restore  --target /tmp/restore --repo /mnt/backups/restic_repo

Explanation: This will restore all files from the specified snapshot into the `/tmp/restore` directory.

Restoring Specific Files/Directories

To restore a specific file or directory from a snapshot:

restic restore  --target /tmp/restore --include '/var/www/html/index.html' --repo /mnt/backups/restic_repo

Troubleshooting

• `restic init` fails with "repository already exists": This means the repository has already been initialized. You can proceed to use it or re-initialize if you intend to start fresh (ensure you have a backup of the old repository if needed).
• `restic backup` is slow:
* Ensure your network connection (for SFTP/S3) is stable and has sufficient bandwidth. * Check disk I/O performance on your backup source and repository destination. * For S3, consider using a region closer to your server. * Use the `--compression` flag (though Restic compresses by default).
• `restic restore` fails:
* Verify the snapshot ID is correct. * Check if the target directory exists and has write permissions. * Ensure you have sufficient disk space at the target location. * If using SFTP/S3, verify your credentials and network connectivity.
• Cron job not running:
* Check cron logs (e.g., `/var/log/syslog` or `/var/log/cron`). * Ensure the Restic executable path is correct in the crontab. * Verify the `RESTIC_PASSWORD` or `--password-file` is correctly set and accessible. * Ensure the user running the cron job has necessary permissions.

Related Articles

• Cron
• SSH Keys
• AWS S3

Category:Backup Category:System Administration Category:Restic