restic
Backup and restore data securely
TLDR
Initialize a backup repository in the specified local directory
Backup a directory to the repository
Show backup snapshots currently stored in the repository
Restore a specific backup snapshot to a target directory
Restore a specific path from a specific backup to a target directory
Clean up the repository and keep only the most recent snapshot of each unique backup
SYNOPSIS
restic [global-options] command [command-options] [arguments]
PARAMETERS
Global Options:
These options apply to the main restic command and affect its overall behavior.
-r, --repository <path>
Specifies the path or URL to the backup repository. This is often set via the RESTIC_REPOSITORY environment variable.
--password-file <file>
Reads the repository password from the specified file, enhancing security by avoiding password exposure in command history.
--json
Enables JSON output for machine-readable results, useful for scripting and integration.
--verbose, -v
Increases the verbosity of the output. Can be used multiple times for more detail (e.g., -vvv).
--compression <type>
Sets the compression level for data stored in the repository. Valid types include 'off', 'auto', 'max'.
Subcommand Options (Examples):
Each restic subcommand (e.g., backup, restore, prune) has its own set of specific options. Below are common examples for frequently used commands.
backup --exclude <pattern>
Excludes files or directories matching the specified pattern during a backup operation. Can be used multiple times.
backup --tag <tag>
Adds one or more tags to the snapshot, allowing for easier filtering and management of backups.
restore --target <dir>
Specifies the destination directory where the files will be restored. If not specified, files are restored to the current directory.
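forget --keep-daily <n>
Retains n daily snapshots when the retention policy is applied, removing older ones. The --keep-* retention options belong to the forget subcommand; add --prune to forget to delete the unreferenced data in the same run.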
prune --dry-run
Simulates the prune operation without making any actual changes to the repository, useful for testing retention policies.
DESCRIPTION
restic is a modern, open-source backup program designed for speed, efficiency, and security. It focuses on solving common backup challenges with innovative features.
At its core, restic employs data deduplication, ensuring that only unique data blocks are stored in the repository, significantly reducing storage space and bandwidth requirements, especially across multiple backups of similar data. All data is encrypted client-side using authenticated encryption (AES-256 in counter mode with Poly1305) before being sent to the repository, ensuring privacy and integrity even if the storage backend is compromised.
restic operates by creating snapshots of your files and directories. Each snapshot is incremental, meaning it only stores the changes since the last snapshot, yet it appears as a full backup, making restoration straightforward. It supports various storage backends, including local directories, SSH servers, and cloud storage providers like Amazon S3, Google Cloud Storage, Azure Blob Storage, Backblaze B2, and SFTP.
Key features include resumable backups, efficient pruning of old snapshots based on flexible retention policies, and robust integrity checking to verify the repository's consistency. Its command-line interface is user-friendly, and it's written in Go, making it cross-platform compatible with Linux, macOS, Windows, and BSD. restic is an excellent choice for individuals and small businesses seeking a reliable, secure, and resource-efficient backup solution.
CAVEATS
restic itself does not include a built-in scheduler; users must rely on external tools like cron, systemd timers, or Windows Task Scheduler to automate backups.
Performance can vary significantly depending on the chosen backend, network latency, and local disk I/O. For large repositories, operations like check can be memory-intensive.
restic is highly secure, but losing your repository password means permanent loss of all encrypted data.
REPOSITORY INITIALIZATION
Before performing any backup, a restic repository must be initialized. This is done using the restic init command, which creates the repository structure and prompts for a new password. For example:
restic init --repo sftp:user@host:/path/to/repo
This sets up the secure storage location for your backups.
ENVIRONMENT VARIABLES
For convenience and security, restic highly recommends using environment variables to specify common parameters like the repository path and password. For instance:
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/my-bucket/restic-repo"
export RESTIC_PASSWORD_FILE="/root/.restic-password"
This prevents sensitive information from appearing in command history and reduces typing.
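A password file only helps if other accounts cannot read or replace it. The following pre-flight check is an added example, not part of restic or of the original page; the function names check_password_file and guarded_backup are hypothetical, and only the environment variable names are restic's own.

```shell
#!/bin/sh
# Added example: validate the password file before restic is started.
# Function names are hypothetical (assumptions of this example).

# check_password_file FILE -> 0 if FILE is safe to use, non-zero otherwise.
check_password_file() {
    pf=$1
    if [ -z "$pf" ]; then
        echo "password file path is empty" >&2; return 2
    fi
    # A symlink could be re-pointed at a file someone else controls.
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "$pf: not a regular file" >&2; return 3
    fi
    if [ ! -s "$pf" ]; then
        echo "$pf: empty password" >&2; return 4
    fi
    if [ ! -O "$pf" ]; then
        echo "$pf: not owned by the current user" >&2; return 5
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$pf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$pf: accessible to group/other, run chmod 600" >&2
        return 6
    fi
    return 0
}

# guarded_backup PATH...: start restic only when every check passes.
guarded_backup() {
    if [ -z "${RESTIC_REPOSITORY:-}" ]; then
        echo "RESTIC_REPOSITORY is not set" >&2; return 1
    fi
    # An inline RESTIC_PASSWORD tends to end up in history or crontabs.
    if [ -n "${RESTIC_PASSWORD:-}" ]; then
        echo "unset RESTIC_PASSWORD; use RESTIC_PASSWORD_FILE" >&2; return 1
    fi
    check_password_file "${RESTIC_PASSWORD_FILE:-}" || return $?
    restic backup "$@"
}
```

Source the file from a cron or systemd wrapper and call guarded_backup with the paths to back up; each distinct return code identifies which check failed.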
SECURITY MODEL
restic's security model is built on client-side, authenticated encryption. Data is encrypted using AES-256 in counter mode with Poly1305 before it leaves your machine. This ensures that even if the storage backend is compromised, your data remains confidential and its integrity is protected. The repository password serves as the master key for all encryption and decryption operations.
SUPPORTED BACKENDS
restic offers flexible backend support, allowing users to store their repositories in various locations. Common supported backends include:
Local: A directory on the local filesystem.
SSH/SFTP: An SSH server with SFTP access.
Amazon S3: Amazon Web Services S3 buckets.
Google Cloud Storage: Google's cloud storage.
Azure Blob Storage: Microsoft Azure's object storage.
Backblaze B2: Backblaze's cloud storage.
MinIO: Self-hosted S3-compatible object storage.
HISTORY
restic was initiated by Alexander Neumann around 2014, with the first public release in 2015. It was developed to address shortcomings found in existing backup solutions, particularly focusing on robust encryption, efficient deduplication, and a user-friendly command-line interface. Written in Go, it quickly gained traction for its cross-platform compatibility and modern feature set, establishing itself as a popular choice for both personal and server backups.