What is Restic?
Restic is a modern, fast, and secure backup program. It breaks your files into small, encrypted chunks and stores them in a repository. Because it uses content-addressable deduplication, it only stores each unique chunk once—regardless of how many times that file appears in your history or on different servers.
Why Every Server Administrator Needs Restic
While rsync is perfect for mirroring data, Restic solves the problem of history and security:
- Ransomware Protection — All data is encrypted at rest. Even if a hacker steals your backup bucket, they cannot read a single byte without the key.
- Efficient History — Keep hourly backups for the last year. Thanks to deduplication, 100 snapshots of a 1TB server often take up only ~1.2TB of space, not 100TB.
- Single-File Restore — Mount the entire backup history as a virtual filesystem and drag-and-drop a single lost file from 3 months ago.
- Backend Agnostic — Back up to local disk, SFTP, AWS S3, Backblaze B2, Azure, or Google Cloud using the exact same commands.
- Verification — `restic check` proves your data is actually readable, detecting "bit rot" before you need to restore.
How Deduplication Works
Traditional backup tools copy files. Restic backs up content. It chunks files into blobs, hashes them, and stores the blob. If you change 1MB of a 100GB file, Restic only uploads that new 1MB blob.
```
┌──────────────────────────────────────────────────────────────────┐
│  Traditional Backup (tar, zip, cp)                               │
│  ┌──────────────┐      ┌──────────────┐                          │
│  │  10 GB File  │ ───→ │  10 GB Sent  │  Every single day        │
│  └──────────────┘      └──────────────┘                          │
│                                                                  │
│  Restic (Content-Addressable Deduplication)                      │
│  ┌──────────────┐      ┌──────────────┐                          │
│  │  10 GB File  │ ───→ │  50 MB Sent  │  Only the changed chunks │
│  │ (Small Edit) │      └──────────────┘                          │
│  └──────────────┘                                                │
└──────────────────────────────────────────────────────────────────┘
```
This effectively means that full backups look like incremental backups in terms of size and speed, but they act like full backups during restore.
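
The mechanism described above, as an added Python example that is not restic's code: a content-defined chunker feeds a store keyed by SHA-256, so a small insert re-stores only the blobs around the edit, and re-hashing every blob (the idea behind `restic check --read-data`) exposes a corrupted one. The gear rolling hash, the roughly 1 KiB average chunk size, the `Repo` class and the sample data are assumptions for illustration; restic's own chunker uses Rabin fingerprints with much larger chunks and encrypts each blob before storing it.

```python
import hashlib
import random

# Assumed gear table: one fixed pseudo-random 64-bit value per byte value.
GEAR = [random.Random(b).getrandbits(64) for b in range(256)]

def chunks(data, bits=10):
    """Cut where the top `bits` bits of a rolling gear hash are zero, so a
    boundary depends on the preceding bytes, not on the file offset."""
    h, start = 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFFFFFFFFFF
        if h >> (64 - bits) == 0:
            yield data[start:i + 1]
            start = i + 1
    if start < len(data):
        yield data[start:]

class Repo:
    """Hypothetical content-addressed store: blob ID = SHA-256 of content."""
    def __init__(self):
        self.blobs = {}

    def backup(self, data):
        """Store only unseen blobs; return (snapshot, bytes newly stored)."""
        snapshot, new_bytes = [], 0
        for blob in chunks(data):
            blob_id = hashlib.sha256(blob).hexdigest()
            if blob_id not in self.blobs:
                self.blobs[blob_id] = blob
                new_bytes += len(blob)
            snapshot.append(blob_id)
        return snapshot, new_bytes

    def restore(self, snapshot):
        return b"".join(self.blobs[blob_id] for blob_id in snapshot)

    def check(self):
        """Re-hash every blob; return the IDs whose content no longer matches."""
        return [i for i, blob in self.blobs.items()
                if hashlib.sha256(blob).hexdigest() != i]

# Constructed sample: a 256 KiB "file", then the same file with a small insert.
original = random.Random(1).getrandbits(8 << 18).to_bytes(1 << 18, "big")
edited = original[:100_000] + b"small edit" + original[100_000:]

if __name__ == "__main__":
    repo = Repo()
    print([repo.backup(d)[1] for d in (original, edited)], "bytes newly stored")
```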
Core Command Structure
Every Restic command interacts with a repository (the storage location).
```bash
restic [OPTIONS] COMMAND [ARGS]
```

| Part | Meaning |
|---|---|
| `COMMAND` | The action: backup, restore, forget, check |
| `-r` / `--repo` | The storage location (e.g., /srv/repo or s3:bucket) |
| `--password-file` | Path to the file containing your encryption key |
| `--verbose` | Show details of what is happening |
Practical Examples for Server Management
Backup a Web Application to S3
```bash
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/my-bucket"
export RESTIC_PASSWORD_FILE="/etc/restic/password"
# Back up the entire web directory
restic backup /var/www/html --tag web-server
```
Restore a Database Dump from Yesterday
```bash
# Find the snapshot ID
restic snapshots --tag database
# Restore it (replace a1b2c3d4 with the ID listed by the previous command)
restic restore a1b2c3d4 --target /tmp/restore-db
```
Mount Backups to Browse History
This is the "killer feature" for recovering specific configuration files.
```bash
mkdir /mnt/restic
restic mount /mnt/restic
# restic mount stays in the foreground; browse from a second terminal with ls
ls /mnt/restic/snapshots/latest/etc/nginx/
```
When to Use Restic vs Other Tools
| Scenario | Best Tool | Why |
|---|---|---|
| Mirroring a directory | rsync | Faster for 1:1 copies; no repository overhead |
| Cloud Migration | rclone | Native API support for purely moving objects |
| Versioned Backups | restic | Encryption + Deduplication + Retention Policies |
| System Imaging | dd / clonezilla | Block-level copy for bare-metal hygiene |
Restic is often compared to BorgBackup.
- Restic is a single binary, works natively on Windows/Mac/Linux, and speaks S3 natively.
- Borg is faster on local disks but requires a "borg serve" binary on the remote end or SSHFS, and doesn't support S3 natively without messy workarounds. For modern cloud-native backups, Restic is generally preferred.
Best Practices
- Environment Variables — Don't type your password or repo URL every time. Use `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE`.
- Automate `check` — A backup you haven't checked is just a wish. Run `restic check` weekly.
- Tags are Mandatory — Always tag your backups (`--tag mysql`, `--tag www`). It makes retention policies (keep last 7 daily) safe and easy.
- Exclusive Locks — Operations like `prune` lock the repository. Schedule them when backups aren't running.
- 3-2-1 Rule — Restic is your "2" (different media) and "3" (offsite) solution. Don't rely on it as your only copy of data.
What's Next
Now that you understand the power of deduplication, continue with:
- Installation and Setup — Get the single-binary setup running
- Professional Strategy — Design a Grandfather-Father-Son retention policy
- Core Commands — Master `backup`, `restore`, and `check`