How to Back Up to Backblaze B2 with Restic: Installation, Automation, and Pruning (Linux and Windows)

Overview

Backups should be encrypted, efficient, and easy to automate. Restic meets all three goals: it is a fast, deduplicating, and end‑to‑end encrypted backup tool that works on Linux, Windows, and macOS. In this guide, you will learn how to back up files to Backblaze B2, schedule automatic runs, set a sensible retention policy, and verify your data. The steps cover both Linux and Windows with actionable commands and clear defaults you can copy and adapt.

Why Restic + Backblaze B2

Restic encrypts everything (including filenames) before it leaves your machine. It also deduplicates data, so repeating backups are small and fast. Backblaze B2 is affordable object storage with predictable pricing and a robust API that restic supports natively. The combination gives you offsite, encrypted, incremental backups you can restore from any machine.

Prerequisites

You need a Backblaze B2 account, a bucket created for backups, and an Application Key with permissions limited to that bucket (read, write, list, delete). Note the Key ID and Key. Decide on a repository path such as b2:my-backups:laptop01 so multiple devices can share one bucket cleanly.

Step 1 — Install Restic

Linux (Debian/Ubuntu): sudo apt update && sudo apt install restic. On other distributions, use your package manager or the official binary release. Verify with restic version.

Windows 10/11: Install via Winget: winget install restic.restic. Or via Chocolatey: choco install restic. Verify with restic version in PowerShell.

Step 2 — Configure Environment and Initialize the Repository

Linux: Export the following environment variables in your shell or place them into a root‑readable file such as /etc/restic/env and source it in your scripts.

export B2_ACCOUNT_ID="YOUR_KEY_ID"
export B2_ACCOUNT_KEY="YOUR_APP_KEY"
export RESTIC_REPOSITORY="b2:my-backups:laptop01"
export RESTIC_PASSWORD_FILE="/etc/restic/pass"

Create the password file with strong permissions and a long random passphrase: sudo install -m 600 /dev/null /etc/restic/pass then sudo sh -c 'openssl rand -base64 48 > /etc/restic/pass'. Initialize the repository: restic init. If successful, you will see “created restic repository.”

Windows: In PowerShell, create C:\restic\env.ps1 with:
$env:B2_ACCOUNT_ID="YOUR_KEY_ID"
$env:B2_ACCOUNT_KEY="YOUR_APP_KEY"
$env:RESTIC_REPOSITORY="b2:my-backups:laptop01"
$env:RESTIC_PASSWORD_FILE="C:\restic\pass.txt"
Generate a passphrase: New-Guid | Out-File C:\restic\pass.txt -Encoding ascii (or choose your own). Then run: powershell -ExecutionPolicy Bypass -File C:\restic\env.ps1; restic init.

Step 3 — Choose What to Back Up and What to Skip

Create an exclude file to avoid caches, temp folders, and large throwaway data. Examples:

# Linux excludes
/proc
/sys
/dev
/tmp
/var/tmp
/var/cache
*.ISO

# Windows excludes
C:\Windows\Temp
C:\Users\*\AppData\Local\Temp
*.iso
*.vhdx

Step 4 — Run Your First Backup

Linux: sudo --preserve-env=B2_ACCOUNT_ID,B2_ACCOUNT_KEY,RESTIC_REPOSITORY,RESTIC_PASSWORD_FILE restic backup /home /etc --exclude-file /etc/restic/excludes --tag baseline. List snapshots with restic snapshots. Sanity‑check data with restic check --read-data-subset=10%.

Windows: Open PowerShell as Administrator, then: powershell -ExecutionPolicy Bypass -File C:\restic\env.ps1; restic backup "C:\Users" "D:\Data" --exclude-file "C:\restic\excludes.txt" --tag baseline. View snapshots with restic snapshots.

Step 5 — Automate Daily Backups (Linux via systemd)

Store environment variables in /etc/restic/env and your excludes in /etc/restic/excludes. Create a systemd service /etc/systemd/system/restic-backup.service with:
[Unit]
Description=Restic backup to B2

[Service]
Type=oneshot
EnvironmentFile=/etc/restic/env
ExecStart=/usr/bin/restic backup /home /etc --exclude-file /etc/restic/excludes --tag daily
Nice=10
IOSchedulingClass=best-effort

Create the timer /etc/systemd/system/restic-backup.timer:
[Unit]
Description=Daily Restic backup

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=10m

[Install]
WantedBy=timers.target
Enable and start: sudo systemctl daemon-reload && sudo systemctl enable --now restic-backup.timer.

Step 6 — Retention and Pruning

Keep what you need and trim the rest. A good starting policy keeps a week of daily points, a month of weekly points, and a year of monthly points. Run weekly: restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --keep-yearly 3. Add this to a separate systemd timer (e.g., restic-prune.timer) or include it after the daily backup on Sundays.

To reduce API load and speed up operations on B2, consider limiting parallel connections when pruning: restic -o b2.connections=8 forget --prune .... You can also set a cache directory to speed up metadata operations: export RESTIC_CACHE_DIR=/var/cache/restic (ensure it’s persistent and has room).

Step 7 — Automate on Windows (Task Scheduler)

Create C:\restic\backup.ps1 with:
. C:\restic\env.ps1
restic backup "C:\Users" "D:\Data" --exclude-file "C:\restic\excludes.txt" --tag daily
restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 12
Then open Task Scheduler → Create Task → General: Run whether user is logged on or not, run with highest privileges. Triggers: Daily at a quiet hour. Actions: Start a Program → Program/script: powershell → Arguments: -ExecutionPolicy Bypass -File C:\restic\backup.ps1 → Start in: C:\restic.

Step 8 — Restores You Can Trust

List snapshots and pick a point in time: restic snapshots. Restore everything to a safe directory: restic restore latest --target /tmp/restore. Restore only a folder: restic restore latest --target /tmp/restore --include "/home/alex/Documents". On Windows, run the same commands in PowerShell with paths like "C:\Users\Alex\Documents". For browsing, Linux supports FUSE: restic mount /mnt/restic (unmount with fusermount -u /mnt/restic).

Security and Cost Tips

Protect your password file and environment files with strict permissions; never hardcode keys in scripts. Use a bucket‑scoped Application Key limited to your backup bucket. Tag backups (e.g., --tag daily, --tag before-upgrade) to make pruning and auditing easier. Keep your monthly bill predictable by excluding caches and VM images that change often, and by using a sensible retention policy.

Troubleshooting

If you see transient B2 errors (429/503), restic will retry; adding -o b2.connections=4 can help. For permission errors, confirm that your Application Key has delete permissions (needed for pruning). If backups seem slow, verify your excludes and consider running restic check --with-cache during off‑hours. Always test a small restore before you need a big one.

What You Achieved

You now have encrypted, offsite, incremental backups to Backblaze B2 with restic, running on a schedule, pruned to a clear retention policy, and verified for integrity. Keep the password safe, periodically test restores, and you will be ready when hardware fails or ransomware strikes.