Using restic for backups

restic is a nice piece of software I am currently using to backup my personal files. I also used it before to backup some production data at work.

In this post I will show you how to use restic to backup data to Wasabi.

restic supports different storage backends. Currently I am using S3-compatible cloud storage provider Wasabi. The main advantage of Wasabi over AWS is that the outgoing traffic is free: if all of a sudden you need to download 200Gb of data from Wasabi, it will be free, when in case of AWS it would cost approximately $20 in data transfer charges. The only disadvantage of Wasabi I see is that the minimal monthly charges are $6.

Create a new bucket

E.g. “gt-test-backup1”.

create-new-bucket

Create IAM policy that will allow creation of backups, but not removal

  • Go to IAM, Policies, Create Policy
  • give it a name, e.g. “gt-test-backup1”
  • give it following policy, replace “gt-test-backup1” with the desired bucket name:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::gt-test-backup1/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::gt-test-backup1/restic/locks/*"
    },
    {
      "Sid": "Stmt1457617230000",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::gt-test-backup1",
        "arn:aws:s3:::gt-test-backup1/*"
      ]
    }
  ]
}

Such policy will allow the user, who uses the policy, to add new backups, retrieve existing ones, but not to remove them. With such a policy we can be sure that the backups will not be accidentally removed.

add-policy

Create a separate user for performing backups

  • Go to IAM, Users, Creat User
  • give it a name, e.g. “gt-test-backuper1”
  • choose Access = Programmatic (create API key)
  • attach policy created in the previous step to this user
  • copy Access Key and Secret Key of the new user

add-user add-policy-to-user

Create a backup script

#!/bin/bash
#
# Backup files to Wasabi using restic.
#
# Usage:
#   restic-backup-wasabi.sh init
#   restic-backup-wasabi.sh backup PATH_TO_FOLDER_OR_FILE
#   restic-backup-wasabi.sh snapshots
#   restic-backup-wasabi.sh restore SNAPSHOT_ID --target LOCAL_DIR

export AWS_ACCESS_KEY_ID=REPLACE_ME
export AWS_SECRET_ACCESS_KEY=REPLACE_ME
export RESTIC_PASSWORD=REPLACE_ME
RESTIC_REPO=s3:https://s3.eu-central-1.wasabisys.com/gt-test-backup1/restic

restic -r $RESTIC_REPO $*

Init the restic repository

$ restic-backup-wasabi.sh init
created restic repository d5ae9a1eae at s3:https://s3.eu-central-1.wasabisys.com/gt-test-backup1/restic

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

Now you are ready to backup and restore your data

To backup a directory or file:

$ restic-backup-wasabi.sh backup PATH

To list available backups:

$ restic-backup-wasabi.sh snapshots

To restore a backup:

$ restic-backup-wasabi.sh restore SNAPSHOT_ID --target LOCAL_DIR