Skip to content

Restic

Is a Backup Software that can run on Windows, Linux, MacOS

Links: - Website - GitHub - Releases - Documentation - Command list - Environment variable list - Forum - Backup script

Reference

  • Exclude restic from antivirus
  • Configuration are held using environment variables using Batch, PowerShell or bash
  • Update binaries using restic self-update

Initialize a repo

  • restic init to create the remote repository
  • Specify the repo with
    • --repo repoPath or RESTIC_REPOSITORY environment variable
    • --repo /path/to/folder for local files
    • --repo sftp:user@host:/path/to/folder for SFTP
    • --repo rclone:<remote>:<path> as defined in Rclone to access external cloud services
  • Passwords can be provided via:
    • CLI, when the user execute restic
    • The variable RESTIC_PASSWORD or option
    • A file, defined in --password-file file or variable RESTIC_PASSWORD_FILE
    • An external software, called via --password-command command or variable RESTIC_PASSWORD_COMMAND

Create a backup

  • restic backup ~/dirA to backup dirA to the repo
    • restic backup /dirA /dirB to backup multiple directories or files
  • restic backup /fileA.zip to backup fileA to the repo
    • If fileA was part of dirA, it get saved at no extra cost 🤯
  • Use stdin as backup input for CLI dump
  • Exclusions & inclusions filters
    • --exclude-if-present .backupignore will ignore the content of any directory with file .backupignore inside - only the directory name and this file will be saved

View snapshots

  • restic snapshots to view all snapshots in the repo - doc
  • restic stats to view information: size of all snapshots (not on disk), ...
  • restic diff snapshotID1 snapshotID2 to check difference between 2 snapshots
    • Add --tag XYZ to add identify information on creation or edition

Manage data

Verification

  • restic check to verify structural consistency & integrity - Should be used regularly!
  • restic check --read-data to verify backup data integrity
    • This command does it in full, but subset are possible - see doc

Removing snapshots

  • restic forget snapshotID|policy to remove one snapshot
    • Policy are defined here
    • Policy are chainable like restic forget --keep-daily 7 --keep-weekly 5 --keep-monthly 6 --keep-yearly 1 for 100 years
    • Default policy is grouped per host name and path, can be changed with --group-by 'tags for instance
  • restic prune to definitely remove data that are unlinked to any snapshot
    • It is advised to run a restic check after
  • And restic recover to restore removed snapshot that are not pruneed

Manage locks

  • restic unlock to remove locks from the repo that are ≥ 30 min or created by local host
    • restic unlock --remove-all to force remove lock

Restore data

  • restic ls <snapshot_id> to list all files in the snapshot
    • grep can be used to find a file - see Linux
  • restic restore <snapshot_ID> --target /path/to/restore to restore a snapshot to directory
    • restic restore <snapshot id> --include=/path/to/files/we/want/to/restore --target=/path/where/to/restore for a certain directory to a certain target directory
  • restic mount ~/tempmount/ to mount the whole backup repo

Passwords

Multiple passwords (or called key) can be defined in one repo: - restic key list - restic key add - restic key remove <key_id> - restic key passwd to change current key

CLI Flags

Command Note
--use-fs-snapshot on Windows to use VSS and avoid file lock, bu there's some default exclusions (see doc)
--verbose to see what is happening
--verbose=2 to see more of what is happening: files and folder
--dry-run to try a command but not write anything to the repo

Scripting

  • Scheduling must be done by host OS, cannot done by Restic
  • Make sure that there's no already running instances!

Windows

Process: - Task scheduler will run the task - General - Run whether user is logged on or not and Do not store password - Run with highest privilege - Trigger: every day - Conditions: none - Settings: - 450 - A script will be called to - check wheter the connection is metered or not - see gist.github.com - Powershell check if on metered network · GitHub - if true, it will send a ping to monitoring tool - do a restic backup according to pre-defined command - as admin in order to use VSS - send the result to monitoring tool - do a restic forget according to policy - send the result to monitoring tool - do a restic check - send the result to monitoring tool - A lot of inspiration coming from this set of script

Linux

  • Use the same PowerShell script than on Windows above
  • Execute it, not as root but as dedicated restic user - see restic doc
    • Don't forget to set proper files & folder permissions and ownership
      • chown -R root:restic /opt/restic/restic
      • chmod 750 /opt/restic/restic
      • setcap cap_dac_read_search=+ep /opt/restic/restic
  • Then schedule it with crontab - see Cron

Ressources