Encrypted Linux Backups with Restic and S3

  • Author: Liam K.
  • Date: March 08, 2026
  • Time: 16 minutes

Step 1: Install Restic

bash
sudo apt update
sudo apt install -y restic

Step 2: Configure Environment Variables

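Use an S3-compatible endpoint (AWS S3, Backblaze, Wasabi, MinIO, etc.). The automation script in Step 8 reads this file as /root/.restic-env, so create it as root or adjust the path there. Keep a copy of the repository password somewhere other than this server: restic cannot decrypt the repository without it.

bash
# Create the file with owner-only permissions before any secret is written to it
install -m 600 /dev/null ~/.restic-env
cat > ~/.restic-env <<'EOF'
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export RESTIC_REPOSITORY="s3:https://s3.example.net/my-server-backups"
export RESTIC_PASSWORD="REPLACE_WITH_LONG_RANDOM_PASSWORD"
EOF
chmod 600 ~/.restic-env
source ~/.restic-env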

Step 3: Initialize Repository

bash
restic init

Step 4: Create Exclude File

bash
cat > ~/.restic-excludes <<'EOF'
/proc
/sys
/dev
/run
/tmp
/var/tmp
/mnt
[...]

Step 5: Run First Full Backup

bash
restic backup / --exclude-file ~/.restic-excludes --one-file-system --verbose

Step 6: Check Snapshots and Integrity

bash
restic snapshots
restic check

Step 7: Apply Retention Policy

bash
restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6

Step 8: Create Automation Script

bash
sudo tee /usr/local/bin/restic-backup.sh >/dev/null <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
source /root/.restic-env
restic backup / --exclude-file /root/.restic-excludes --one-file-system
restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6
restic check --read-data-subset=1/20
EOF
[...]

Step 9: Schedule Daily Run with systemd Timer

bash
sudo tee /etc/systemd/system/restic-backup.service >/dev/null <<'EOF'
[Unit]
Description=Restic Backup
[Service]
Type=oneshot
ExecStart=/usr/local/bin/restic-backup.sh
EOF
sudo tee /etc/systemd/system/restic-backup.timer >/dev/null <<'EOF'
[...]

Step 10: Restore Drill (Required)

bash
mkdir -p /tmp/restic-restore-test
restic restore latest --target /tmp/restic-restore-test --include /etc
ls -la /tmp/restic-restore-test/etc

"Backups that were never restored are assumptions. Always include restore drills in your runbook."
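
Listing the restored directory shows that files exist, not that their contents match. As an added example (not part of the original guide), the script below repeats the Step 10 restore into a private temporary directory and byte-compares every regular file under /etc with its restored copy. The function names and the `--run` switch are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: a restore drill that checks content.
set -eu

# verify_restore LIVE_DIR RESTORED_DIR
# Prints "MISSING <path>" or "DIFFERS <path>" for each regular file in LIVE_DIR
# that is absent from, or not byte-identical in, RESTORED_DIR.
# Returns 0 when every file matches, 1 otherwise.
# Assumption: file names contain no newline characters.
verify_restore() {
  live=$1
  restored=$2
  report=$(find "$live" -type f | sort | while IFS= read -r f; do
    rel=${f#"$live"}
    rel=${rel#/}
    if [ ! -f "$restored/$rel" ]; then
      echo "MISSING $rel"
    elif ! cmp -s "$f" "$restored/$rel"; then
      echo "DIFFERS $rel"
    fi
  done)
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# run_drill: same restore command as Step 10, then verification and cleanup.
# Needs the RESTIC_* and AWS_* variables from Step 2 in the environment.
run_drill() {
  # mktemp -d creates an unpredictable, owner-only (0700) directory, so the
  # restored copy of /etc is not exposed to other local users.
  target=$(mktemp -d /tmp/restic-restore-test.XXXXXX)
  status=0
  restic restore latest --target "$target" --include /etc &&
    verify_restore /etc "$target/etc" || status=$?
  rm -rf "$target"   # the restored tree holds copies of secrets; do not leave it behind
  return "$status"
}

# Only touch the repository when explicitly asked to (hypothetical switch).
if [ "${1:-}" = "--run" ]; then
  run_drill
fi
```

A DIFFERS or MISSING line can also mean the live file changed or was created after the snapshot was taken, so check the snapshot time before treating it as a backup fault.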
