Overview
If you need cloud backups that ransomware cannot silently erase, combine Restic with Backblaze B2 buckets that have Object Lock enabled. Restic gives fast, deduplicated encrypted backups, while B2 Object Lock makes every uploaded backup file immutable for a time you choose. This guide shows how to set up the entire pipeline on Linux, from creating an Object Lock bucket to scheduling backups and verifying restores.
What You Need
- A Linux machine with shell access (Ubuntu/Debian/RHEL/AlmaLinux etc.)
- A Backblaze B2 account
- Restic 0.12 or newer (most modern distros provide it)
- Basic understanding of environment variables and systemd (for scheduling)
Step 1 — Create a Backblaze B2 Bucket with Object Lock
1) Sign in to the Backblaze B2 web console and create a new bucket. Choose a unique name, keep it Private, and enable Object Lock during creation. You cannot turn this on later for an existing bucket.
2) In the bucket settings, set a Default Bucket Retention under Object Lock. A common starting point is Governance mode with a retention of 30 days. This applies immutability automatically to all new objects (Restic pack files), blocking deletion or modification until retention expires.
3) Optional: configure lifecycle rules for versioning if you store non-Restic data in the same bucket. For a pure Restic repository, the default retention plus Restic’s own forget/prune policy is usually enough.
Step 2 — Generate a Restricted Application Key
Create a new application key limited to your bucket. In Backblaze, go to App Keys, click Add a New Application Key, restrict it to the bucket you created, and copy the KeyID and Application Key. Treat these like passwords.
Step 3 — Install Restic
On Ubuntu/Debian, run: sudo apt update && sudo apt install restic. On RHEL/AlmaLinux/Rocky, use: sudo dnf install restic. If your distro is outdated, download the latest static binary from Restic’s releases page and place it in /usr/local/bin with executable permissions.
Step 4 — Export Environment Variables
Set environment variables so Restic knows how to reach B2 and encrypt your repository:
export RESTIC_REPOSITORY=b2:your-bucket-name:restic-repo
export B2_ACCOUNT_ID=your-key-id
export B2_ACCOUNT_KEY=your-application-key
export RESTIC_PASSWORD=strong-passphrase (or use RESTIC_PASSWORD_FILE to read it from a file)
Tip: store these in a root-only file such as /root/.restic-env, then source it: set -a; . /root/.restic-env; set +a.
Step 5 — Initialize the Repository
Create the Restic repository in your B2 bucket: restic init. You should see “created restic repository.” From now on, all data is encrypted client-side and written as immutable objects (because the bucket has Object Lock with default retention).
Step 6 — Run Your First Backup
Start with a focused scope. For example: restic backup /etc /home /var/www --exclude "*/node_modules/*" --tag initial. Restic deduplicates files automatically and shows a summary when done. Use tags like --tag server01 to identify hosts or workloads.
Step 7 — Set a Retention Policy (Forget + Prune)
Tell Restic how many restore points to keep. A common policy is: restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune. Note: pruning cannot remove pack files that are still under Object Lock. That is expected. Deletion will occur automatically once retention expires and the data is no longer referenced by any snapshot.
Step 8 — Schedule Automatic Backups with systemd
Create a service file, e.g. /etc/systemd/system/restic-backup.service with:
[Unit]Description=Restic backupWants=network-online.targetAfter=network-online.target[Service]Type=oneshotEnvironmentFile=/root/.restic-envExecStart=/usr/bin/restic backup /etc /home /var/www --exclude "*/node_modules/*" --tag dailyExecStart=/usr/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
Add a timer in /etc/systemd/system/restic-backup.timer:
[Unit]Description=Run Restic backup daily[Timer]OnCalendar=dailyPersistent=true[Install]WantedBy=timers.target
Enable with: sudo systemctl daemon-reload && sudo systemctl enable --now restic-backup.timer.
Step 9 — Test a Restore
List snapshots: restic snapshots. Restore the latest to a safe directory: restic restore latest --target /tmp/restore. To restore a single path, add --include "/etc" or --include "/home/user/Documents". Verify that the restored files open normally.
Security and Cost Tips
- Use RESTIC_PASSWORD_FILE with a root-only file and consider storing it via a secrets manager or an encrypted password store.
- Restrict your B2 application key to the single bucket and avoid account-wide keys.
- Monitor storage growth. Deduplication helps, but backups expand over time. Object Lock increases short-term storage because data cannot be deleted until retention ends.
Troubleshooting
- Permission errors (403): verify the KeyID/key, bucket restriction, and that Object Lock is enabled.
- Time sync issues: B2 rejects requests if the server time is off. Ensure NTP is running (systemd-timesyncd or chrony).
- Prune failures: if objects are still under retention, pruning cannot delete them. This is normal. They will be removed automatically once retention expires and no snapshots reference them.
You’re Done
You now have a backup strategy that is fast, encrypted, deduplicated, and resilient to ransomware. Restic handles the heavy lifting, while Backblaze B2 Object Lock prevents attackers or accidents from wiping out recent restore points. Periodically test restores and review your retention window to balance recoverability and storage costs.
3.
Comments
Post a Comment