Credential Patterns and Environment Variables
Restic uses environment variables so you can run the same commands manually, in cron, or in systemd.
warning
Do not hardcode secrets in scripts. Avoid putting passwords or access keys in your shell history.
Required Variables (Almost Always)
| Variable | Purpose |
|---|---|
| RESTIC_REPOSITORY | where backups are stored |
| RESTIC_PASSWORD_FILE | repository password file location |
Common Variables
restic-env.sh
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/my-company-backups/restic/prod/app-01"
export RESTIC_PASSWORD_FILE="/etc/restic/password"
export AWS_ACCESS_KEY_ID="REDACTED"
export AWS_SECRET_ACCESS_KEY="REDACTED"
export AWS_DEFAULT_REGION="us-east-1"
tip
For production, store these values in a root-only environment file and load it in your backup script.
Systemd-Friendly Approach
/etc/default/restic-app01
RESTIC_REPOSITORY=s3:s3.amazonaws.com/my-company-backups/restic/prod/app-01
RESTIC_PASSWORD_FILE=/etc/restic/password
AWS_DEFAULT_REGION=us-east-1
Common Mistakes
| Mistake | Result | Fix |
|---|---|---|
| Wrong RESTIC_REPOSITORY | backups go to the wrong place | echo the variable before running backup |
| Password file too open | secret exposure | chmod 600 /etc/restic/password |
| Logging env vars | secrets appear in logs | never print full environment |
warning
Do not log full environment output in backup jobs. Keep secrets masked in CI and system logs.
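The three fixes in the Common Mistakes table can be combined into one preflight step that runs before the backup. The following is an added example, not part of restic or of the original page; the function names `perm_ok`, `safe_summary` and `preflight` are hypothetical, and the environment file is assumed to use the `KEY=value` format shown above.

```shell
#!/bin/sh
# Added example: preflight checks for a restic job (POSIX sh).
# Usage from a backup script:  . ./preflight.sh && preflight /etc/default/restic-app01

# Succeeds only if FILE is a regular file with no group/other permission
# bits (mode 600 or 400). Parses `ls -ldL` so it works on GNU and BSD.
perm_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints a log-safe summary: non-secret settings in full, and the access
# keys only as <set>/<unset>, so the job never dumps the full environment.
safe_summary() {
    echo "RESTIC_REPOSITORY=${RESTIC_REPOSITORY:-<unset>}"
    echo "RESTIC_PASSWORD_FILE=${RESTIC_PASSWORD_FILE:-<unset>}"
    echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-<unset>}"
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        eval "val=\${$name:-}"   # name comes from the fixed list above
        if [ -n "$val" ]; then echo "$name=<set>"; else echo "$name=<unset>"; fi
    done
    unset val
}

# Loads ENVFILE and refuses to continue if the file or the password file
# is too open, or if no repository is configured.
preflight() {
    envfile=$1
    perm_ok "$envfile" || {
        echo "refusing: $envfile is missing or accessible by group/other" >&2
        return 1
    }
    set -a; . "$envfile"; set +a   # export every variable the file defines
    [ -n "${RESTIC_REPOSITORY:-}" ] || {
        echo "refusing: RESTIC_REPOSITORY is not set" >&2
        return 1
    }
    perm_ok "${RESTIC_PASSWORD_FILE:-}" || {
        echo "refusing: password file is missing or too open (chmod 600)" >&2
        return 1
    }
    safe_summary
}
```

Because `preflight` sources the environment file, that file must be writable only by the account that runs the backup; the check covers mode bits and does not verify ownership.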