Set Up Encrypted Restic Backups to S3 (Backblaze B2 or Cloudflare R2) on Linux and Windows

Why restic + S3 is a great backup combo in 2025

Restic is a fast, open-source, and cross-platform backup tool that encrypts data by default and deduplicates efficiently. Pairing restic with an S3-compatible storage such as Backblaze B2 or Cloudflare R2 gives you affordable, durable, and offsite backups. In this step-by-step guide, you will install restic on Linux and Windows, connect it to an S3 bucket, automate backups, and set safe retention and restore procedures.

Prerequisites

You need an S3-compatible bucket, an access key ID and secret, and the bucket’s endpoint. For Backblaze B2, create a bucket and application key in the B2 console; for Cloudflare R2, create an R2 bucket and a token with S3 API access and note the account-specific endpoint (e.g., https://ACCOUNTID.r2.cloudflarestorage.com). Keep these credentials safe.

Install restic

Linux (Ubuntu/Debian/Fedora/Arch): Use your package manager or the official release binary. Example on Ubuntu 24.04: sudo apt update && sudo apt install restic. Verify with restic version. If your distro ships an older version, download the latest from the restic GitHub releases, place it in /usr/local/bin, and make it executable with chmod +x.

Windows 10/11: Download the latest restic .exe from the official releases page and place it in a directory on your PATH (e.g., C:\Tools\restic\ and add that folder to System PATH). Confirm with restic version in Windows Terminal or PowerShell.

Set environment variables securely

Restic reads credentials from environment variables. Create a small environment file you can source (Linux) or a script (Windows). For S3-compatible providers you’ll typically set:

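RESTIC_REPOSITORY=s3:s3.amazonaws.com/your-bucket-name
RESTIC_PASSWORD=YourStrongPassphrase
AWS_ACCESS_KEY_ID=AKIA...orR2Key
AWS_SECRET_ACCESS_KEY=YourSecretHere
AWS_DEFAULT_REGION=us-east-1
# Only for R2 or other non-AWS S3:
AWS_ENDPOINT=https://ACCOUNTID.r2.cloudflarestorage.com
# restic itself takes a non-AWS endpoint from the repository URL, so for R2 also use:
# RESTIC_REPOSITORY=s3:https://ACCOUNTID.r2.cloudflarestorage.com/your-bucket-name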

On Linux, store the password in a file for safety and reference it with RESTIC_PASSWORD_FILE=/path/to/pass.txt instead of RESTIC_PASSWORD. On Windows, use a .cmd script that sets these variables before running restic. Avoid committing credentials to Git or sharing them in logs.
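A preflight check for the environment file described above, as an added example that is not part of the original guide. It refuses an env file or password file that group or other users can access and flags an inline RESTIC_PASSWORD. The function names are hypothetical, and GNU or busybox stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: preflight for the restic env file (e.g. /etc/restic/env).
# Assumes a stat that supports -c '%a' (GNU coreutils or busybox).

# Succeeds only if the file exists and grants no group/other access.
is_private() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    # The last two octal digits are the group and other permission bits.
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Prints one finding per line; returns 0 only when there are none.
restic_env_preflight() {
    local env_file=$1 findings=0 pass_file
    if ! is_private "$env_file"; then
        echo "env file missing or accessible by group/other: $env_file"
        return 1
    fi
    # An inline passphrase is inherited by every child process of the script.
    if grep -Eq '^(export[[:space:]]+)?RESTIC_PASSWORD=' "$env_file"; then
        echo "inline RESTIC_PASSWORD found; use RESTIC_PASSWORD_FILE instead"
        findings=$((findings + 1))
    fi
    # Take the last RESTIC_PASSWORD_FILE assignment and strip optional quotes.
    pass_file=$(grep -E '^(export[[:space:]]+)?RESTIC_PASSWORD_FILE=' "$env_file" \
        | tail -n 1 | cut -d= -f2- | tr -d '"')
    if [ -z "$pass_file" ]; then
        echo "RESTIC_PASSWORD_FILE is not set"
        findings=$((findings + 1))
    elif ! is_private "$pass_file"; then
        echo "password file missing or accessible by group/other: $pass_file"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone use: ./restic-preflight.sh /etc/restic/env
if [ -n "${1:-}" ]; then restic_env_preflight "$1"; fi
```

Call it at the top of a backup script, before the env file is sourced, and exit if it returns non-zero.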

Initialize the repository and run a first backup

Export or set your environment variables, then initialize the repo once:

restic init

Back up a test folder:

restic backup ~/Documents --tag initial

Windows users can back up with Volume Shadow Copy to avoid locked-file issues: run the terminal as Administrator and use restic backup C:\Users\YourName\Documents --use-fs-snapshot --tag initial.

Exclude files and speed tips

Create an exclude file to skip caches, node_modules, or VM images that you back up elsewhere. Example entries: *.iso, *.vdi, */.cache/*, */node_modules/*. Then call restic backup /data --exclude-file /etc/restic/excludes.txt --one-file-system. For slower links, cap bandwidth: --limit-upload 4096 (the value is in KiB/s, so this is 4 MiB/s).

Schedule automatic backups

Linux with systemd: Create a small script at /usr/local/bin/restic-backup.sh that exports variables (or sources an .env file) and runs backup, forget, and prune. Minimal content:

#!/usr/bin/env bash
set -euo pipefail
# Export every variable the env file assigns so that restic inherits it
set -a
source /etc/restic/env
set +a
restic backup /home /etc --exclude-file /etc/restic/excludes.txt --tag daily
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
restic check --read-data-subset=1%

Create a service /etc/systemd/system/restic-backup.service:

[Unit]
Description=Restic backup

[Service]
Type=oneshot
ExecStart=/usr/local/bin/restic-backup.sh

Create a timer /etc/systemd/system/restic-backup.timer:

[Unit]
Description=Run restic daily

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

Enable with sudo systemctl enable --now restic-backup.timer. Check status via systemctl list-timers.

Windows with Task Scheduler: Put a script at C:\Scripts\restic-backup.cmd:

set RESTIC_REPOSITORY=s3:s3.amazonaws.com/your-bucket
set RESTIC_PASSWORD_FILE=C:\Scripts\restic-pass.txt
set AWS_ACCESS_KEY_ID=...
set AWS_SECRET_ACCESS_KEY=...
restic backup C:\Users\YourName --use-fs-snapshot --tag daily
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
restic check --read-data-subset=1%

Create a Basic Task to run daily with highest privileges, start in C:\Scripts, and point to the script. Review the History tab for errors.

Verify, prune, and restore

Use forget + prune to enforce retention (e.g., 7 daily, 4 weekly, 12 monthly). Always run restic check periodically. To see snapshots, run restic snapshots. To restore the latest snapshot to a folder:

restic restore latest --target /restore

On Windows: restic restore latest --target D:\Restores. For a single path inside a snapshot, add --include (e.g., --include "/home/user/Documents").

Health checks and notifications

Add a final step that pings a monitoring URL (e.g., Healthchecks.io) only if the backup succeeded. Append to your script: curl -fsS https://hc.example/ping/UUID. If the cron or timer fails, you’ll get an alert.
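One way to report the outcome rather than only success, as an added example that is not part of the original guide. It maps restic's backup exit codes (0 complete, 3 snapshot saved but some source files unreadable, anything else failed) to pings. HC_URL is the placeholder from the text, and the "/fail" suffix follows the Healthchecks.io convention, which is an assumption for other services.

```shell
#!/usr/bin/env bash
# Added example: report the backup outcome to a Healthchecks-style endpoint.
# HC_URL is a placeholder; "/fail" is the Healthchecks.io failure suffix.
HC_URL=${HC_URL:-https://hc.example/ping/UUID}

# Send a ping. A monitoring outage must never change the backup's exit status.
hc_ping() {
    curl -fsS -m 10 --retry 3 "$HC_URL$1" >/dev/null || true
}

# Run "restic backup" with the given arguments and report the result.
# Returns restic's own exit code so the caller can decide whether to go on
# to forget/prune (under "set -e" a bare restic call would abort on code 3).
backup_and_report() {
    local rc=0
    restic backup "$@" || rc=$?
    case "$rc" in
        0)  hc_ping "" ;;
        3)  echo "incomplete snapshot: some source files could not be read" >&2
            hc_ping "/fail" ;;
        *)  echo "backup failed with exit code $rc" >&2
            hc_ping "/fail" ;;
    esac
    return "$rc"
}

# In restic-backup.sh, replacing the plain "restic backup" line:
#   backup_and_report /home /etc --exclude-file /etc/restic/excludes.txt --tag daily
```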

Troubleshooting

Repository does not exist: Run restic init with the correct environment, bucket, and endpoint. For Cloudflare R2, set AWS_ENDPOINT and omit a region if required.

Access denied: Check your IAM or API token permissions for list/get/put/delete on the bucket. Ensure the bucket name matches exactly.

Slow or flaky uploads: Use --limit-upload, increase --retry-interval, and ensure no ISP or firewall is blocking the endpoint. Consider enabling object-level lifecycle policies on the provider to reduce storage costs for old versions.

Locked or in-use files on Windows: Run terminal as Administrator and use --use-fs-snapshot.

Security best practices

Use a long, unique passphrase; prefer RESTIC_PASSWORD_FILE over inline passwords. Restrict API keys to the specific bucket. Do not share your password or keys—anyone with both can read your backups. If your provider supports immutability (e.g., B2 Object Lock), consider a write-once policy for ransomware protection and adjust restic operations accordingly.

Wrap-up

You now have encrypted, deduplicated, and automated backups to S3-compatible storage using restic on Linux and Windows. Test restores regularly, monitor your backup jobs, and keep your credentials and retention policies tidy. This setup scales from a single laptop to multiple servers with minimal changes, giving you reliable offsite backups at low cost.
