
Encrypted and secure backups

Backups with restic, automated scripts, offsite storage, verification and the 3-2-1 rule.


The 3-2-1 backup rule

  • 3 copies of your data
  • 2 different storage types
  • 1 offsite copy (outside the server)

Install restic

restic is a modern backup tool with built-in encryption:

bash
sudo apt install -y restic

Initialize repository

Local repository

bash
restic init --repo /mnt/backups/my-server

S3 repository (AWS/Backblaze B2)

bash
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
restic init --repo s3:s3.amazonaws.com/my-backup-bucket

Backblaze B2

bash
export B2_ACCOUNT_ID="your-account-id"
export B2_ACCOUNT_KEY="your-account-key"
restic init --repo b2:my-backup-bucket

restic will ask for an encryption password. Store it securely.

Create backups

bash
# Backup specific directories
restic backup /home /etc /var/www --repo /mnt/backups/my-server

# Exclude files
restic backup /var/www --exclude='*.log' --exclude='node_modules' --repo /mnt/backups/my-server

# Backup with tags
restic backup /var/www --tag web --tag production --repo /mnt/backups/my-server

Automated script

bash
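#!/bin/bash
# /usr/local/bin/backup.sh
# Stop at the first failing command so a failed dump is never backed up as if it were good
set -euo pipefail
# Files created by this script (the database dump) are readable by root only
umask 077

export RESTIC_REPOSITORY="s3:s3.amazonaws.com/my-backup-bucket"
export RESTIC_PASSWORD_FILE="/root/.restic-password"
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"

DUMP=/tmp/db-dump.sql
# Clean temp dumps, also when a later step fails
trap 'rm -f "$DUMP"' EXIT

# Database backup
rm -f "$DUMP"
# With noclobber the redirect fails if the path already exists in /tmp
set -o noclobber
mysqldump -u root --all-databases > "$DUMP"

# Run backup
restic backup /home /etc /var/www "$DUMP" --tag automated

# Retention: keep 7 daily, 4 weekly, 6 monthly
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune

echo "Backup completed: $(date)"

bash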
chmod 700 /usr/local/bin/backup.sh

Daily cron at 2 AM:

bash
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1

Verify backups

bash
# List snapshots
restic snapshots --repo /mnt/backups/my-server

# Verify integrity
restic check --repo /mnt/backups/my-server

# Verify with data read
restic check --read-data --repo /mnt/backups/my-server

Restore backups

bash
# Restore latest snapshot
restic restore latest --target /tmp/restore --repo /mnt/backups/my-server

# Restore a specific file
restic restore latest --target /tmp/restore --include '/var/www/config.php' --repo /mnt/backups/my-server

Test restoration

Perform monthly restore tests:

  1. Restore the latest backup to a temporary directory
  2. Verify files are complete
  3. If it's a database, import it in a test environment
  4. Document the result
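
Steps 1, 2 and 4 of this procedure as a script. This is an added example, not part of the original guide: it assumes RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are exported as in backup.sh, and the function names, the list of files to check and the log path are hypothetical.

```bash
#!/bin/bash
# Added example, not from the original guide: monthly restore test.
# Assumes RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are exported as in
# backup.sh. The file list and the log path are placeholders to adjust.
MUST_EXIST="etc/passwd var/www/config.php"   # relative to the restore root
RESULT_LOG="${RESULT_LOG:-/var/log/restore-test.log}"

# check_restored DIR FILE...: step 2. Reports every listed file that is
# missing or empty under DIR. Return status = number of problems (0 = complete).
check_restored() {
    cr_dir=$1
    cr_problems=0
    shift
    for cr_file in "$@"; do
        if [ ! -s "$cr_dir/$cr_file" ]; then
            echo "missing or empty: /$cr_file" >&2
            cr_problems=$((cr_problems + 1))
        fi
    done
    return "$cr_problems"
}

# record_result STATUS DETAIL: step 4. Appends one dated line to the log.
record_result() {
    printf '%s restore-test %s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$RESULT_LOG"
}

# restore_test: step 1, then steps 2 and 4, against the latest snapshot.
restore_test() {
    rt_status=PASS
    rt_target=$(mktemp -d /tmp/restore-test.XXXXXX) || return 2  # private 0700 dir
    # --verify makes restic re-read the restored files and compare their content
    if ! restic restore latest --target "$rt_target" --verify; then
        rt_status=FAIL_RESTORE
    # $MUST_EXIST is left unquoted on purpose so it splits into one path per word
    elif ! check_restored "$rt_target" $MUST_EXIST; then
        rt_status=FAIL_INCOMPLETE
    fi
    rm -rf "$rt_target"   # restored data is sensitive, do not leave it in /tmp
    record_result "$rt_status" "snapshot=latest"
    [ "$rt_status" = PASS ]
}

# Only restore when called with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then restore_test; fi
```

Called with `run` from a monthly cron entry, the script exits non-zero on any failure, so it can feed the same alerting as the backup job.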

Recommendations

  • Never store the restic password on the same server
  • Verify backup integrity weekly
  • Perform monthly restore tests (a backup you can't restore is useless)
  • Use offsite storage (S3, B2) to protect against physical disasters
  • Set up alerts if backup fails
  • Encrypt database backups before uploading
