Offsite backups using Restic

I'm probably not the first person to say this, but backups are important. A simple search on the web for "importance of backups" can explain this point much better than I can. Hard drives can be moody, so it just makes sense to prepare for the case when they're in a bad mood.

As a responsible citizen, I've been making weekly backups of my data for a few years now. All this while I've kept things rather simple. I've had a 1TB HD connected to a spare Raspberry Pi at home connected to the local network. Every now and then I would just run a simple shell script that would rsync my entire ~ directory over to this HD. This was simple, quick to setup, and worked quite well in practice.

Every now and then though, I've had troubles mounting/unmounting this disk to other machines. I can't exactly put a finger on what it was. Maybe it's my tendency to misinterpret the "you can now safely eject the USB disk" message from the operating system. Or maybe the fact that between my wife and I, we use Windows, Mac, and Linux, so this disk has had to do a fair bit of context switching. Or, who knows, maybe the disk was just plain moody.

This always made me feel slightly uneasy. There's no point of having backups when your backup destination is unstable, right? So a few weeks ago, I started looking for options.

Turns out that the only other alternative is storing your data on the cloud someone else's computer. This does have the potential to make one feel a little uneasy. But if you throw encryption into the equation, it's actually not all that bad. It turns the whole thing into a question of probability. Yes, your data lives on the cloud someone else's computer, but given the computing resources we have today, and given good enough encryption, the probability that a bad actor can look through your data is quite low.

Which then means that finding a good offsite backup solution boils down to finding a piece of software whose encryption implementation you can trust. While I do understand the high/medium-level of what encryption involves, I'm not an expert on the specifics. But if someone who does understand the lower levels can recommend a particular piece of software, that's good enough for me.

That's how I found Restic.

Restic is a fast and secure backup program. Its design goals are explicitly stated on its website, but the ones that appealed to me the most were ease-of-use and secure cryptography.

Here are a few more reasons why I decided to use it to make backups of my own data.

  1. Restic assumes that the storage target is an untrusted environment. When you have something like that as an assumption, I don't think you can do much wrong there.
  2. The design is open, and all the source code is freely available on Github.
  3. The encryption that Restic uses is well documented, and also reviewed by others who understand encryption much better than I do.
  4. Most storage providers are natively supported, which is super nice and makes it really easy to get started.
  5. It's extremely well documented.

I have a personal AWS account, so I decided to set up an S3 bucket in the Frankfurt region to use as the storage backend. I also had to generate AWS access credentials that Restic needed to read/write to the S3 bucket. But obviously you only have to do this if you decide to use S3. Different storage backends have different preliminary steps you need to perform.

After setting that tiny bit of infrastructure up, the process of setting up Restic itself was relatively straight-forward. I mostly just followed the documentation step by step and could get everything to work in hardly any time, and without any hiccups. Having worked with software for close to a decade now, I love it when this happens!

I first used restic init to initialize the storage backend (S3 in my case), after which Restic was ready to start adding data. I then used the restic backup command to add data to the backups. That was basically it.

Every now and then it's a good idea to run restic prune so it can clean things up internally, and/or remove older backups which are not needed anymore, but for regular use, restic backup is probably the only command you'll end up using.

And since backups are pointless if you can't easily restore them, the restic restore command restores your encrypted backups to your local disk to a location of your choice.

So far I'm pretty happy with this setup. Restic's design goals are exactly what I would look for in a backup program, and the design choices it has made along the way makes the backup-process not just easy, but borderline fun.

If you're looking for a backup solution, this is highly recommended!