How to Use Restic to Backup VPS Data on CentOS 7


Restic is a fast, efficient, and secure backup program. It supports three major operating systems (Linux, macOS, Windows) and offers multiple backup methods, allowing data to be backed up to local storage, SFTP, AWS S3, Backblaze B2, and more.

In production environments, data is the lifeline of a company, so regular backups are crucial. Although some service providers offer paid or free backup services, they cannot guarantee absolute security, so where necessary we can keep a copy of the data elsewhere. Restic supports encrypted backups, incremental backups, and snapshot rollbacks, which makes it well suited to data backup.

This article records the entire process of using restic on CentOS 7 to back up data to another server via SFTP, to help others avoid common pitfalls. (Note: this article assumes a certain level of Linux operations and maintenance experience; it is not recommended that beginners experiment with it.)

Installing Restic

Restic is developed using Golang and provides convenient binary versions. Here, we choose to install it via binary. The latest version can be downloaded from GitHub: https://github.com/restic/restic/releases

# Download restic
wget https://github.com/restic/restic/releases/download/v0.9.5/restic_0.9.5_linux_amd64.bz2
# Decompress
bzip2 -d restic_0.9.5_linux_amd64.bz2
# Rename
mv restic_0.9.5_linux_amd64 /usr/sbin/restic
# Grant execution permissions
chmod +x /usr/sbin/restic

After the above simple steps, restic is installed. If all goes well, executing the command restic -h will display the usage help.

[root@ali_sgp ~]# restic -h

restic is a backup program which allows saving multiple revisions of files and
directories in an encrypted repository stored on different backends.

Usage:
  restic [command]

Available Commands:
  backup        Create a new backup of files and/or directories
  cache         Operate on local cache directories
  cat           Print internal objects to stdout
  check         Check the repository for errors
  diff          Show differences between two snapshots
  dump          Print a backed-up file to stdout
  find          Find a file, a directory or restic IDs
  forget        Remove snapshots from the repository
  generate      Generate manual pages and auto-completion files (bash, zsh)
  help          Help about any command
  init          Initialize a new repository
  key           Manage keys (passwords)
  list          List objects in the repository
  ls            List files in a snapshot
  migrate       Apply migrations
  mount         Mount the repository
  prune         Remove unneeded data from the repository
  rebuild-index Build a new index file
  recover       Recover data from the repository
  restore       Extract the data from a snapshot
  self-update   Update the restic binary
  snapshots     List all snapshots
  stats         Scan the repository and show basic statistics
  tag           Modify tags on snapshots
  unlock        Remove locks other processes created
  version       Print version information

Flags:
      --cacert file               file to load root certificates from (default: use system certificates)
      --cache-dir string          set the cache directory. (default: use system default cache directory)
      --cleanup-cache             auto remove old cache directories
  -h, --help                      help for restic
      --json                      set output mode to JSON for commands that support it
      --key-hint string           key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
      --limit-download int        limits downloads to a maximum rate in KiB/s. (default: unlimited)
      --limit-upload int          limits uploads to a maximum rate in KiB/s. (default: unlimited)
      --no-cache                  do not use a local cache
      --no-lock                   do not lock the repo, this allows some operations on read-only repos
  -o, --option key=value          set extended option (key=value, can be specified multiple times)
      --password-command string   specify a shell command to obtain a password (default: $RESTIC_PASSWORD_COMMAND)
  -p, --password-file string      read the repository password from a file (default: $RESTIC_PASSWORD_FILE)
  -q, --quiet                     do not output comprehensive progress report
  -r, --repo string               repository to backup to or restore from (default: $RESTIC_REPOSITORY)
      --tls-client-cert string    path to a file containing PEM encoded TLS client certificate and private key
  -v, --verbose n                 be verbose (specify --verbose multiple times or level n)

Use "restic [command] --help" for more information about a command.
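
Before unpacking the download in the installation steps above, it is worth checking it against the SHA256SUMS file that restic publishes with each release. This is an added example, not part of the original article; the function name verify_release is hypothetical, and the lookup is done by hand because the coreutils shipped with CentOS 7 predates the --ignore-missing option of sha256sum.

```shell
#!/bin/bash
# Added example: check a downloaded restic archive against the release's
# SHA256SUMS file before unpacking it.
# Fetch the checksum list from the same release directory as the archive:
#   wget https://github.com/restic/restic/releases/download/v0.9.5/SHA256SUMS

# verify_release <archive> <sums-file>
# Returns 0 only if <sums-file> lists the archive's base name and the listed
# digest equals the SHA-256 of the file on disk.
# Returns 2 if the archive is not listed, 1 on a digest mismatch.
verify_release() {
    local archive="$1" sums="$2" name expected actual
    name=$(basename "$archive")
    # SHA256SUMS lines look like: "<64 hex chars>  <file name>"
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    echo "$name: OK"
}

# Typical use, before the "bzip2 -d" step:
#   verify_release restic_0.9.5_linux_amd64.bz2 SHA256SUMS || exit 1
```

The release also ships SHA256SUMS.asc, a detached GPG signature over the checksum list; checking it with gpg --verify ties the list to the restic maintainers' key rather than only to the download channel.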

Initializing Restic

Xiaoz chose to back up the current server's data to another server via SFTP. Before proceeding, please refer to "Linux Configuration for Key-based Login" and make sure the current server can log in to the other server automatically with a key, without a password. Assuming this step is completed, we can proceed to initialize restic.

# Initialize restic
$ restic -r sftp:user@host:/srv/restic-repo init
enter password for new backend:
enter password again:
created restic backend f1c6108821 at sftp:user@host:/srv/restic-repo
Please note that knowledge of your password is required to access the repository.
Losing your password means that your data is irrecoverably lost.
  • During initialization, you will be asked to enter the password twice. Note that this password is used by restic to encrypt and decrypt data, not the server password. Please do not forget it; once forgotten, the data cannot be decrypted, equivalent to data loss.
  • /srv/restic-repo refers to the path on the other server.

For more initialization instructions, please refer to the official help documentation: Preparing a new repository

Backing Up Data

After initialization, you can enter the following command to back up data:

restic -r sftp:user@host:/data/aliyun_sgp --verbose backup /data/wwwroot --exclude=/data/wwwroot/default
  • /data/aliyun_sgp: Refers to the directory on the remote server (target folder); it must be a repository that has already been initialized with restic init.
  • /data/wwwroot: The folder to be backed up (local folder).
  • /data/wwwroot/default: The folder to be excluded (directory not needed for backup).

Viewing and Removing Snapshots

Restic uses incremental backup. On the next backup, restic will only back up changed and new files and create a snapshot (restore point). The common commands for snapshots are as follows:

View snapshots of the target folder

$ restic -r /srv/restic-repo snapshots
enter password for repository:
ID        Date                 Host      Tags  Directory
----------------------------------------------------------------------
40dc1520  2015-05-08 21:38:30  kasimir         /home/user/work
79766175  2015-05-08 21:40:19  kasimir         /home/user/work
bdbd3439  2015-05-08 21:45:17  luigi           /home/art
590c8fc8  2015-05-08 21:47:38  kazik           /srv
9f0bc19e  2015-05-08 21:46:11  luigi           /srv

Delete a specific snapshot

$ restic -r /srv/restic-repo forget bdbd3439
enter password for repository:
removed snapshot d3f01f63

Clean up snapshot reference data (deleting a snapshot does not release the data it referenced, so you need to run prune to remove data that is no longer referenced)

restic -r /srv/restic-repo prune

Restore a snapshot

$ restic -r /srv/restic-repo restore 79766175 --target /tmp/restore-work
enter password for repository:
restoring <Snapshot of [/home/user/work] at 2015-05-08 21:40:19.884408621 +0200 CEST> to /tmp/restore-work
  • /srv/restic-repo: The path where snapshots are stored.
  • 79766175: The ID of the snapshot.
  • /tmp/restore-work: The target folder (where you want to restore to).

Passwordless Operation

Restic asks for a password every time it operates. If you wish to stop being asked for a password during operations, you can do the following:

# Create a new file and store the restic password inside
vi /root/.restic.pw
# Set as environment variable
export RESTIC_PASSWORD_FILE=/root/.restic.pw

This way, the next time you back up data you will no longer be asked to enter a password, which is convenient for shell scripts. Because the file holds the repository password in plain text, it should be readable only by root.
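
A wrapper script for the unattended setup described above, as an added example that is not from the original article: it refuses to run if the password file is accessible to anyone but its owner, then runs the article's backup command. The function names, the "run" argument and the retention policy are assumptions.

```shell
#!/bin/bash
# Added example: unattended restic backup that refuses to run with an
# exposed password file. Repository URL and paths reuse the article's
# values; the retention policy is an assumption.

RESTIC_REPOSITORY="sftp:user@host:/data/aliyun_sgp"
RESTIC_PASSWORD_FILE="/root/.restic.pw"
export RESTIC_REPOSITORY RESTIC_PASSWORD_FILE

# pw_file_is_private <file>
# Succeeds only for a regular file (not a symlink) owned by the current
# user whose mode grants nothing to group or others, e.g. 600 or 400.
pw_file_is_private() {
    local f="$1" mode owner
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%u' "$f")
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

run_backup() {
    if ! pw_file_is_private "$RESTIC_PASSWORD_FILE"; then
        echo "refusing to run: fix with chmod 600 $RESTIC_PASSWORD_FILE" >&2
        return 1
    fi
    restic --verbose backup /data/wwwroot --exclude=/data/wwwroot/default || return 1
    # Keep 7 daily and 4 weekly snapshots (assumed policy), then free the data.
    restic forget --keep-daily 7 --keep-weekly 4 --prune
}

# Only act when called with the argument "run", so the file is safe to source.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Create the password file with chmod 600 /root/.restic.pw before the first run; the script can then be called from root's crontab with the "run" argument.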

Conclusion

Restic performs encrypted backups, uses incremental backup methods, and supports multiple backup methods, making it an excellent choice for backing up server data. For more usage instructions, please refer to the official help documentation.