Restic is a modern, fast, and secure backup program that supports multiple storage backends including local storage, S3-compatible services, SFTP, and more. It features encryption, deduplication, and incremental backups making it an excellent choice for server backup strategies.
This guide covers installing and configuring Restic on both Ubuntu Server and AlmaLinux (RHEL-compatible) distributions, including repository initialization, automated backups via systemd timers, and best practices for production environments.
Prerequisites
- A Ubuntu Server (20.04/22.04/24.04) or AlmaLinux 8/9 system
- Root or sudo access
- Storage backend (local disk, S3/MinIO, SFTP, etc.)
- Basic familiarity with Linux command line
Installing Restic on Ubuntu Server
Method 1: Official Repository (Recommended)
sudo apt update
sudo apt install restic
Method 2: Latest Version via Binary
# Download latest release
VERSION=0.17.3
wget https://github.com/restic/restic/releases/download/v${VERSION}/restic_${VERSION}_linux_amd64.bz2
bunzip2 restic_${VERSION}_linux_amd64.bz2
sudo install -m 755 restic_${VERSION}_linux_amd64 /usr/local/bin/restic
restic version
Installing Restic on AlmaLinux / RHEL
Method 1: EPEL Repository
sudo dnf install epel-release
sudo dnf install restic
Method 2: Latest Version via Binary
# Same binary method as Ubuntu
VERSION=0.17.3
wget https://github.com/restic/restic/releases/download/v${VERSION}/restic_${VERSION}_linux_amd64.bz2
bunzip2 restic_${VERSION}_linux_amd64.bz2
sudo install -m 755 restic_${VERSION}_linux_amd64 /usr/local/bin/restic
restic version
Initialize a Backup Repository
Before creating backups, you need to initialize a repository. The repository can be local or remote.
Local Repository
export RESTIC_REPOSITORY=/mnt/backup/restic-repo
restic init
S3-Compatible (MinIO, AWS S3, Wasabi, etc.)
export RESTIC_REPOSITORY=s3:https://minio.example.com/bucket-name
export AWS_ACCESS_KEY_ID=your-access-key
export AWS_SECRET_ACCESS_KEY=your-s...stic init
SFTP Repository
export RESTIC_REPOSITORY=sftp:user@backup-server:/path/to/repo
restic init
Note: You’ll be prompted to enter a repository password. Use a strong password and store it securely — you cannot recover data without it!
Create Your First Backup
# Backup /etc and /home
restic backup /etc /home
# Backup with exclusions
restic backup /home --exclude-caches --exclude '*.tmp' --exclude '*.log'
# Backup with custom tag
restic backup /var/www --tag "web-content"
Automate Backups with systemd Timers
Create a systemd service and timer for daily automated backups.
1. Create the service file
sudo tee /etc/systemd/system/restic-backup.service > /dev/null
2. Create the environment file
sudo mkdir -p /etc/restic
sudo tee /etc/restic/env > /dev/null
3. Create the timer
sudo tee /etc/systemd/system/restic-backup.timer > /dev/null
4. Enable and start
sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
systemctl list-timers --all | grep restic
Verify and Restore Backups
List Snapshots
restic snapshots
Verify Repository Integrity
restic check
restic check --read-data # Full data verification (slower)
Restore Files
# Restore latest snapshot to /tmp/restore
restic restore latest --target /tmp/restore
# Restore specific path from specific snapshot
restic restore abc1234 --target /tmp/restore --include /etc/nginx
Pruning Old Backups
Retention policies keep your repository size manageable:
# Keep 7 daily, 4 weekly, 6 monthly snapshots
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
Platform-Specific Considerations
Ubuntu Server
- AppArmor may restrict restic's access to certain paths — configure profiles if needed
- Use
unattended-upgradesto keep restic updated - Consider
resticprofilefor declarative backup configurations
AlmaLinux / RHEL
- SELinux contexts may affect backup/restore — use
restic backup --selinuxflag - EPEL version may be older; prefer binary install for latest features
- Use
dnf-automaticfor package updates - FirewallD: ensure backup port (if using REST server) is allowed
Security Best Practices
- Repository password: Use a password manager; never hardcode in scripts
- Encryption: Restic encrypts by default (AES-256); verify with
restic cat config - Access control: Restrict
/etc/restic/envto root only (600 permissions) - Off-site copies: Replicate to a second location (different region/provider)
- Test restores: Schedule quarterly restore drills to verify backup validity
Monitoring and Alerting
Add a simple health check to your monitoring stack:
#!/bin/bash
# /usr/local/bin/restic-health-check
restic snapshots --latest 1 --json | jq -r '.[0].time' > /tmp/last-backup
AGE=$(( $(date +%s) - $(date -d "$(cat /tmp/last-backup)" +%s) ))
if [ $AGE -gt 90000 ]; then # 25 hours
echo "ALERT: Backup older than 25 hours"
exit 1
fi
exit 0
Conclusion
Restic provides a robust, cross-platform backup solution that works identically on Ubuntu and AlmaLinux. Its encryption, deduplication, and multiple backend support make it suitable for everything from single-server setups to distributed infrastructure. By automating with systemd timers and implementing retention policies, you get a "set and forget" backup system that's actually recoverable when disaster strikes.
For advanced use cases, explore restic mount for browsing snapshots as a FUSE filesystem, restic serve for running your own REST backup server, and resticprofile for YAML-driven backup configurations.

