You will build an encrypted, deduplicated backup with restic and prove it works with an actual restore. By the end you will follow the 3-2-1 rule and have a verified recovery path, not just hope.

Learning Objectives

  • Initialize an encrypted restic repository.
  • Take scheduled, deduplicated snapshots.
  • Restore data and verify integrity.
  • Time: ~3 hours · Difficulty: Intermediate · Prereqs: a server plus an offsite/secondary backup target.

Architecture Overview

Environment Setup

You will need: restic installed and a backup target (local disk plus an offsite location such as object storage).

Before you begin: store the repository password in a secret manager, losing it means losing access to backups.

Step-by-Step Execution

01
Initialize an encrypted repository

restic encrypts and deduplicates at the repo level, so backups are private and space-efficient.

export RESTIC_PASSWORD_FILE=/root/.restic-pass && restic -r /backup/repo init
[ROOT REQUIRED] Creates an encrypted restic repository.
02
Take a snapshot
restic -r /backup/repo backup /etc /srv --tag daily
03
Apply a retention policy

Pruning keeps storage bounded while retaining enough history to recover.

restic -r /backup/repo forget --keep-daily 7 --keep-weekly 4 --prune
04
Run a restore drill
# restic -r /backup/repo restore latest --target /tmp/restore --include /etc/hostname
restoring <Snapshot 9c2a1f> to /tmp/restore Summary: Restored 1 files (17 B) in 0:00

Progress So Far

Testing & Validation

restic -r /backup/repo check && diff /etc/hostname /tmp/restore/etc/hostname

The repository check should report no errors and the diff should be empty. If both pass, your backups are recoverable, not just present.

Troubleshooting
  • Wrong password: restic cannot recover without the repo password; store it safely and redundantly.
  • Repo locked: a previous run was interrupted; run restic unlock.
  • Slow first backup: initial snapshots are full; later ones dedupe and are fast.

Extension Ideas

Key Results

  • Created encrypted, deduplicated backups with restic.
  • Proved recovery with a real restore drill, not assumptions.
  • Bounded storage with a 7-daily/4-weekly retention policy.
  • Verified repository integrity with restic check.