Linux Backup and Recovery with restic and a Restore Drill
You will build an encrypted, deduplicated backup with restic and prove it works with an actual restore. By the end you will follow the 3-2-1 rule and have a verified recovery path, not just hope.
Learning Objectives
- Initialize an encrypted restic repository.
- Take scheduled, deduplicated snapshots.
- Restore data and verify integrity.
- Time: ~3 hours · Difficulty: Intermediate · Prereqs: a server plus an offsite/secondary backup target.
Architecture Overview
graph LR
Src[Server data] -->|restic backup| Local[(Local repo)]
Local -->|restic copy| Off[(Offsite repo)]
Off -->|restic restore| Test[Restore drill]
Environment Setup
You will need: restic installed and a backup target (local disk plus an offsite location such as object storage).
Before you begin: store the repository password in a secret manager, losing it means losing access to backups.
Step-by-Step Execution
01
Initialize an encrypted repository
restic encrypts and deduplicates at the repo level, so backups are private and space-efficient.
export RESTIC_PASSWORD_FILE=/root/.restic-pass && restic -r /backup/repo init[ROOT REQUIRED] Creates an encrypted restic repository.
02
Take a snapshot
restic -r /backup/repo backup /etc /srv --tag daily03
Apply a retention policy
Pruning keeps storage bounded while retaining enough history to recover.
restic -r /backup/repo forget --keep-daily 7 --keep-weekly 4 --prune04
Run a restore drill
# restic -r /backup/repo restore latest --target /tmp/restore --include /etc/hostname
restoring <Snapshot 9c2a1f> to /tmp/restore
Summary: Restored 1 files (17 B) in 0:00
Progress So Far
graph LR
A[01 Init repo] -->|done| B[02 Snapshot]
B -->|done| C[03 Retention]
C -->|done| D[04 Restore drill]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
style D fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
restic -r /backup/repo check && diff /etc/hostname /tmp/restore/etc/hostnameThe repository check should report no errors and the diff should be empty. If both pass, your backups are recoverable, not just present.
Troubleshooting
- Wrong password: restic cannot recover without the repo password; store it safely and redundantly.
- Repo locked: a previous run was interrupted; run
restic unlock. - Slow first backup: initial snapshots are full; later ones dedupe and are fast.
Extension Ideas
- Schedule backups with a systemd timer.
- Copy to offsite object storage to complete the 3-2-1 rule.
- Compare with database-aware backups in DB Backup & Recovery.
Key Results
- Created encrypted, deduplicated backups with restic.
- Proved recovery with a real restore drill, not assumptions.
- Bounded storage with a 7-daily/4-weekly retention policy.
- Verified repository integrity with
restic check.