After moving some of my websites to my own servers, I needed to make sure I always have good back-ups.
I already use the Vultr automatic backups, but those backups are kept in the same data center your server is running in. If anything bad happens at that location (fire, natural disaster) you lose your server AND your backup. Not very safe.
I also have a backup on my MacBook and external hard drive, but those are usually also kept in the same location. If my backpack gets stolen and something bad happens to the data centre before I have a replacement, everything is lost.
To add an extra layer of redundancy I also want to keep another backup in the cloud in a different geographical location than my server.
Step 1: Install Restic
Restic is a fast and efficient backup program that can quickly make encrypted backups. It can store them locally, on a server or with cloud providers like AWS, BackBlaze or Google Cloud.
The backups are encrypted and de-duplicated before they're written to storage, so they're secure and limited in file size.
To install Restic you navigate to the release page on GitHub and look for the file that matches your OS.
If you aren't sure what your server is running, it is usually displayed in the welcome message when you ssh into your server.
Or you can also run
uname -a to get this information.
In my case that's 64-bit Linux:
Now right click the link and copy the link address. SSH into your server and run
curl -LO <Paste download link here> and unzip it with
Now we need to move it into the
/usr/local/bin folder and make it executable by updating the permissions:
$ sudo cp restic* /usr/local/bin/restic
$ sudo chmod a+x /usr/local/bin/restic
You might not need to use sudo to run these commands depending on the privileges of the account you are using.
To verify that Restic is installed correctly you can run
restic and you should see all the available commands.
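Before copying a downloaded binary into /usr/local/bin it is worth checking it against the checksum file published alongside the release. The function below is an added example, not part of the original post; the function name and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: compare a downloaded release file with its entry in a
# SHA256SUMS file before installing it. Assumes sha256sum is available.

# verify_release FILE SUMS
# Succeeds only if FILE's SHA-256 equals the value listed for it in SUMS.
verify_release() {
    file=$1 sums=$2
    name=$(basename -- "$file")
    # Lines look like "<hex digest>  <file name>"; a leading "*" on the
    # name (binary mode) is stripped before comparing.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 1
    fi
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# Usage once both files are downloaded (placeholder names):
#   sh verify.sh <downloaded-restic-file> SHA256SUMS
# Unpack and install the binary only if this exits with status 0.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

A matching checksum only shows the file is the one listed; the checksum file itself should come over HTTPS from the release page, and its signature can be checked where one is published.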
Setting up Your S3 Bucket
Now it's time to set up your S3 Bucket so you have a bucket to save your backups in.
Login to AWS and create a new bucket in S3 in a region that works best for you.
I went with Frankfurt as Germany is a stable country with low chances of natural disasters occurring. It's also far away from the US (where my server is located) so if something bad happens in the US, my data is still safe.
To allow Restic to write backups to your S3 bucket, you will need to create access keys.
Don't use the access keys of your root account here!
Navigate to the IAM console, create a new user and make sure to check the 'enable programmatic access' to get access keys.
Now, if these keys are ever compromised you can easily revoke them.
Select one of the template security policies or create your own policy and make sure the user has write access to your S3 bucket.
Once the user is created you get the access key and secret access key; save these for the next step.
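If you create your own policy, it can be limited to the one bucket Restic uses instead of granting access to all of S3. The generator below is an added example, not part of the original post; the bucket name is a placeholder, and the action list is an assumption covering what the commands in this post need (list, read, write, and delete for pruning).

```shell
#!/bin/sh
# Added example: print an IAM policy for the backup user that is scoped
# to a single bucket. Paste the output into the IAM policy editor.

restic_s3_policy() {
    bucket=$1
    # Bucket names: 3-63 characters of lowercase letters, digits, dots
    # and hyphens. Reject anything else rather than emit a broken ARN.
    case $bucket in
        ''|*[!a-z0-9.-]*)
            echo "invalid bucket name: $bucket" >&2
            return 1 ;;
    esac
    if [ "${#bucket}" -lt 3 ] || [ "${#bucket}" -gt 63 ]; then
        echo "bucket name must be 3-63 characters" >&2
        return 1
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# Usage: sh policy.sh <bucket-name> > policy.json
if [ "$#" -eq 1 ]; then
    restic_s3_policy "$1"
fi
```

With a policy like this, a leaked key can only touch the backup bucket, not the rest of the account.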
Restic needs to know a few things to access your S3 bucket - like your access key, secret key, object storage connection details and password.
It's best practice to pass these as environment variables so we don't have to type sensitive information into the command line.
Open a new file in your home directory
nano ~/.restic-env and paste this:
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export RESTIC_REPOSITORY="s3:server-url/bucket-name"
export RESTIC_PASSWORD="a-strong-password"
Replace the text within quotes with your access keys and server url.
The password can be anything you like and will be used to encrypt your backups.
Now save and close the file with
Ctrl + X, Y and Enter.
Initialize the Restic Repository
Now we load the file we just created into our shell environment with
To test if it works you can print one of the variables with
echo $RESTIC_REPOSITORY. If everything is set up correctly that command should print the URL of your S3 bucket.
If everything works correctly you can run
restic init to initialize the repository. That should return a confirmation and a notice about how important your password is for access. Losing your password means your data is irrecoverably lost!
Making a Backup
You can now back up any file or directory on your server, encrypt it and store it on your S3 bucket.
To make a backup of a folder on your server you can run
restic backup <folder>.
I wouldn't recommend backing up the entire server since that would also include your entire Linux installation.
I want to back up my
/var folders as these are the most important. I also want to keep a list of all the applications installed on my server.
I added text for when it starts and ends including a timestamp to make reading the logs easier.
echo 'Started'
date +'%a %b %e %H:%M:%S %Z %Y'
. /home/jurn/.restic-env
dpkg --get-selections > dpkg.list
/usr/local/bin/restic backup -q /srv
/usr/local/bin/restic backup -q /etc
/usr/local/bin/restic backup -q /home
/usr/local/bin/restic backup -q /var
/usr/local/bin/restic forget -q --prune --keep-weekly 4
date +'%a %b %e %H:%M:%S %Z %Y'
echo 'Finished'
On line 3 I have replaced 'source' with '.' as source does not exist in bash and for the backup command I include the whole path to the program.
I have also added the
-q to suppress status output from Restic since you won't be around to read this anyway.
I end with a
forget command to keep the last 4 monthly backups and remove all backups older than one month. You can also use hourly or daily depending on how much your data changes.
You can save this in a
.sh file in your
/srv directory (or another folder). I saved it as
Now we run this file to make sure it works by running
Depending on the size of these folders on your server it might take a while the first time you run it. You will notice it's much faster the next time as Restic will use de-duplication to only save new/changed files. This will also keep your AWS bill low as an added bonus.
If everything ran without errors, you can move on to automating your backups.
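The script above keeps going when a backup fails and reads credentials from a file that any local user may be able to read. The variant below is an added sketch, not the author's script: it refuses a credentials file that group or others can access, and only runs forget --prune when every backup succeeded. ENV_FILE, RESTIC and BACKUP_PATHS are names chosen for this example, with defaults that mirror the post.

```shell
#!/bin/sh
# Added sketch, not the author's script. ENV_FILE, RESTIC and BACKUP_PATHS
# are names chosen for this example; the defaults mirror the post.
ENV_FILE="${ENV_FILE:-$HOME/.restic-env}"
RESTIC="${RESTIC:-/usr/local/bin/restic}"
BACKUP_PATHS="${BACKUP_PATHS:-/srv /etc /home /var}"

# True only if the file exists and group/other have no permission bits
# (e.g. mode 600). Parses ls output so it does not depend on GNU stat.
env_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Back up every path. If any backup fails, report it and skip
# "forget --prune" so a broken run never removes older snapshots.
run_backups() {
    failed=0
    for path in $BACKUP_PATHS; do
        "$RESTIC" backup -q "$path" || {
            echo "backup failed: $path" >&2
            failed=1
        }
    done
    [ "$failed" -eq 0 ] || return 1
    "$RESTIC" forget -q --prune --keep-weekly 4
}

main() {
    if ! env_file_is_private "$ENV_FILE"; then
        echo "refusing $ENV_FILE: fix it with chmod 600" >&2
        return 2
    fi
    . "$ENV_FILE"
    run_backups
}

# Run the backup only when called as "<script> run", so the functions can
# also be sourced and exercised without touching the repository.
if [ "${1:-}" = "run" ]; then
    main
fi
```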
Automate Your Backups
To automate your backups we will need to set up a cronjob to run this script automatically.
To add this cronjob we first run
sudo crontab -e. This will open up a text editor with your scheduled cronjobs, add the following line in this file:
@weekly /srv/backupToS3.sh > /srv/backupToS3.txt 2>&1
This will run your backup script every week and save its output, error messages included, in a text file so you can check if it ran correctly.
You can also use
@monthly or use the more advanced scheduling available for cronjobs depending on your needs.
For now, this server isn't running super important things but I'll likely change this to daily/hourly when I move Screely to my own server.
Restoring a Snapshot
Your backups aren't worth much if you can't restore them. To make sure restoring a snapshot works, let's run a little test and restore one to a temporary folder.
To display your snapshots you can run
restic snapshots. Copy the ID of the snapshot you want to restore and run
restic restore <ID> --target /tmp/restore.
You can now move into that directory
cd /tmp/restore and list its contents with
ls -al. You should see the contents of your snapshot there!
Now that we've verified it works, remove that folder by running
cd .. && rm -r restore.
Backups are incredibly important and keeping multiple backups in multiple locations is vital. Now you have an extra backup that is completely automated and encrypted!