Use restic on Fedora for encrypted backups

Restic is a fast, efficient, free and open source backup application that secures your data with AES-256 encryption. Restic also uses deduplication to conserve backup space, and it is compatible with most major cloud providers. This tutorial walks through installing Restic on Fedora and setting up backups to a cloud storage provider (in this example, Backblaze B2 Cloud Storage).

Installing Restic

Although you can compile restic from source or download it from the release page, there’s a helpful COPR for this utility. The Fedora Magazine covered this COPR in one of our previous articles. Do note that COPR-provided software isn’t supported by Fedora infrastructure or signed by the project.

To enable the COPR for restic, run these commands:

sudo dnf copr enable copart/restic
sudo dnf install restic

Test your installation by typing the following command. If you see the help screen as output, you are ready to go.

restic

Preparing a new repository

Restic refers to your backup as a repository and can make backups to any B2 bucket on your Backblaze account. First, set up the following environment variables using your B2 credentials. These can also be set in any backup script you may create.

export B2_ACCOUNT_ID=<MY_ACCOUNT_ID>
export B2_ACCOUNT_KEY=<MY_SECRET_ACCOUNT_KEY>

Create the repository by initializing it. If the bucket doesn’t already exist, restic automatically creates it. A prompt appears for you to type a password for the repository. Do not lose this password, because your data is irrecoverable without it.

restic -r b2:bucketname:/ init

For example:

$ restic -r b2:g534fbucket:/ init
enter password for new backend:
enter password again:
created restic backend 93702e3c5f at b2:g534fbucket:/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

Creating backups

Now it’s time to back up some data. Backups are called snapshots. Run the following command and enter the repository password when prompted.

restic -r b2:bucketname:/ backup files_to_backup

For example:

$ restic -r b2:g534fbucket:/ backup Documents/
enter password for repository: 
scan [/home/curt/Documents]
scanned 1 directories, 3 files in 0:00
[0:04] 0B/s 0B / 0B 4 / 4 items 0 errors ETA 0:00 
duration: 0:04, 0.00MiB/s
snapshot d864c465 saved
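
The article notes that the B2 credentials can also be set in a backup script. The wrapper below is an added example, not part of the original article: it keeps the B2 credentials and the repository password out of the script and the shell history by reading them from owner-only files. The paths under ~/.config/restic and the function names are assumptions; --password-file is restic's own option.

```shell
#!/bin/sh
# Added example (not from the article): restic backup to B2 with no secrets
# in the script or in shell history. Assumed, hypothetical layout:
#   ~/.config/restic/b2.env    B2_ACCOUNT_ID=... and B2_ACCOUNT_KEY=... lines
#   ~/.config/restic/password  repository password on the first line
# Create both under "umask 077" so they start out owner-only.

# Succeed only if $1 is a regular file (not a symlink) owned by the current
# user with no group/other permission bits, e.g. mode 0600 or 0400.
check_secret_file() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "$1: not a regular file" >&2; return 1
    fi
    # "ls -ldn" prints e.g. "-rw------- 1 1000 1000 ..."; keep mode and uid.
    mode_uid=$(ls -ldn -- "$1" | awk '{print $1, $3}')
    case "$mode_uid" in
        ????------*" $(id -u)") return 0 ;;
        *) echo "$1: must be yours with mode 0600 or stricter" >&2; return 1 ;;
    esac
}

# Parse the file as data (it is never sourced) and export only the two
# variables the article sets by hand.
load_b2_credentials() {
    check_secret_file "$1" || return 1
    B2_ACCOUNT_ID=; B2_ACCOUNT_KEY=
    while IFS='=' read -r key value; do
        case "$key" in
            B2_ACCOUNT_ID)  B2_ACCOUNT_ID=$value ;;
            B2_ACCOUNT_KEY) B2_ACCOUNT_KEY=$value ;;
        esac
    done < "$1"
    if [ -z "$B2_ACCOUNT_ID" ] || [ -z "$B2_ACCOUNT_KEY" ]; then
        echo "$1: B2_ACCOUNT_ID or B2_ACCOUNT_KEY missing" >&2; return 1
    fi
    export B2_ACCOUNT_ID B2_ACCOUNT_KEY
}

# run_backup BUCKET PATH...: snapshot PATHs into the repository in BUCKET.
run_backup() {
    bucket=$1; shift
    conf=$HOME/.config/restic
    load_b2_credentials "$conf/b2.env" || return 1
    check_secret_file "$conf/password" || return 1
    restic -r "b2:$bucket:/" --password-file "$conf/password" backup "$@"
}

if [ "$#" -ge 2 ]; then run_backup "$@"; else echo "usage: $0 BUCKET PATH..." >&2; fi
```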

Restoring from backups

Now that you’ve backed up some files, it’s time to make sure you know how to restore them. To get a list of all of your backup snapshots, use this command:

restic -r b2:bucketname:/ snapshots

For example:

$ restic -r b2:g534fbucket:/ snapshots
enter password for repository: 
ID        Date                 Host    Tags  Directory
----------------------------------------------------------------------
d864c465  2018-03-27 15:20:42  client        /home/curt/Documents

To restore an entire snapshot, run a command like this:

restic -r b2:bucketname:/ restore snapshotID --target restoreDirectory

For example:

$ restic -r b2:g534fbucket:/ restore d864c465 --target ~
enter password for repository: 
restoring <Snapshot d864c465 of [/home/curt/Documents] at 2018-03-27 15:20:42.833131988 -0400 EDT by curt@client> to /home/curt

If the directory still exists on your system, be sure to specify a different location for the restoreDirectory. For example:

restic -r b2:g534fbucket:/ restore d864c465 --target /tmp

To restore an individual file, run a command like this:

$ restic -r b2:g534fbucket:/ restore snapshotID --target restoreDirectory --include filename

For example:

$ restic -r b2:g534fbucket:/ restore d864c465 --target /tmp --include file1.txt
enter password for repository: 
restoring <Snapshot d864c465 of [/home/curt/Documents] at 2018-03-27 15:20:42.833131988 -0400 EDT by curt@client> to /tmp


18 Comments

  1. Hans Meiser

    So, using export command, I will have to put my account’s password in clear text? It will be stored in the bash history, as well as in backup scripts. Isn’t there a more secure way of doing that?

    Moreover, it doesn’t work. I get a

    Fatal: create repository at b2:bucketnumber17:/ failed: b2.NewClient: b2_authorize_account: 401: Invalid authorization token

    Where can I get support?

    • Curt Warfield

      Hello Hans,
      I’ll take a closer look for you when I’m back in the office this evening. You can also create a password file with limited permissions that can be called within a bash script. The password is not stored on Backblaze either.

    • Hello Hans,

      You can also create a password file with limited permissions that can be called within a bash script if you do not want to type the repository password. Also keep in mind that Backblaze does not store the password on their servers.

      The error message you are getting sounds like you didn’t export your Backblaze account ID and key.

      export B2_ACCOUNT_ID=
      export B2_ACCOUNT_KEY=

      The account ID and key are NOT the same thing as the repository password that you create.

      To get your account ID and key, you need to log into your Backblaze B2 account and then click on “Buckets”. On that screen you will see the following:

      Show Account ID and Application Key

      When you click on that link, you’ll see your account ID and key that you will need to export.

      Let me know if that helps!

  2. Hans Meiser

    Another question. Does the command line tool work in combination with Two-Factor Verification?

    • Hans,

      If you are referring to the Backblaze two-way authentication, that is for accessing your account on the website, not for your buckets.

  3. Taras

    What are the advantages against duplicity (http://duplicity.nongnu.org/)?

    • Curt Warfield

      Hello Taras,
      I’ll write up a comparison for you when I’m back in the office this evening.

    • Brad

      For one thing, restic is statically compiled, so it can be deployed as a single binary, without having to deal with dependencies. Restic can also do fuse mounts, not sure if duplicity does this. Restic is easy to use on windows, mac, linux. There may be other advantages as well.

    • Brad

      Oh yeah, and future versions of restic will use rclone (https://rclone.org/) which will expand access to an even larger number of cloud providers. There are betas with rclone support at beta.restic.net

      • Taras

        Brad and Curt, thanks for additional information!

  4. Juergen

    I don’t see any advantages against DeDup/duplicity, which is available with the Fedora default repositories.

    • Hi Juergen,

      One of the advantages that I’ve seen myself is that restic also supports backing up to Azure cloud storage. Duplicity is supposed to support it but I’ve never gotten it to work.

    • Will

      For me, the main advantage is that restic uses a block-based model for storing data whereas duplicity uses full backup plus deltas model. The recommended way to use duplicity is to make a full backup and then do partial backups off of that. Periodically, you should make a new full backup to limit the size of the partials. With restic, data is broken down into blocks with information about which blocks to glue together to restore snapshots. New snapshots are just more blocks, so there is no notion of full vs. partial backup. If you are backing up to a cloud storage provider, saving the time and bandwidth costs of doing periodic full backups is significant.

  5. If you are looking for a GUI, you could also try backintime that’s in the official repo. It is based on Qt4.

    dnf install backintime

    Or a snapshot is based on Qt5 (backintime-qt):
    dnf copr enable raphgro/backintime-qt
    dnf install backintime-qt

    For encryption, you can optionally use ssh. Filesystem can be encrypted as well, it is recommended to use the internal tools of your system (cryptsetup/luks, btrfs).

  6. nill

    There is one interesting page which gives some ideas: https://github.com/gilbertchen/benchmarking. It compares Duplicity, BorgBackup, Restic and Duplicacy.

    Compared to the other three, Duplicity backup lasts longest and utilizes CPU quite heavily. It does not support modern features such as data deduplication and you have to trade-off full vs incremental backup. That’s just my two cents, I have little knowledge about backup.

    I would seriously consider Restic after it supports compression. It is a planned feature on their list: https://github.com/restic/restic/issues/21. There is quite a lengthy discussion with concerns as how compression might possibly compromise encryption in some cases.

  7. Eddie G.

    Seeing as how COPR provided software isn’t supported by Fedora, I don’t think I would install anything from there. Granted, I realize Fedora IS a literal “proving ground” for lots of packages and applications that, eventually make their way into a Red Hat Linux environment, but on the premise that I use Fedora as my daily driver for both my desktop and laptops, I’m not willing to risk anything unforeseeable happening to my machines. So….sorry, I’ll have to take a pass on this.

    • Hi Eddie,

      If you’re concerned about installing software from COPR, you can always grab the pre-compiled binary from restic without having to actually install anything. You simply just run the binary.

  8. Backups of this sort are too complex for many users. Encryption is cool but there is a risk you might forget.

    I prefer to use a straight file copy from my computer to my NAS, using Beyond Compare. I know which files are backed up, and restoring is easy.
