
This project provides a fully automated, portable, and secure backup and restore system using Restic.


cryptCEE/restic-scripts


Restic Backup & Restore Workflow

  • Overview

    • This project provides a fully automated, portable, and secure backup and restore system using Restic, with the following features:
    • Single editable source script (restic_backup_src.sh)
    • Encrypted production scripts (restic_backup.sh, restore.sh)
    • Argon2-based Restic password file
    • Logging of backups
    • Snapshot selection with human-readable timestamps
    • Automatic cron setup for unattended backups
    • Portable folder structure — no hardcoded paths
    • Restore script auto-generated by the backup script
    • Secure encryption of scripts using a passphrase-free SSH RSA key
  • Folder Structure

     restic-scripts/                 # Main folder (portable)
     ├── src/                        # Editable source
     │   └── restic_backup_src.sh    # Single editable source
     ├── restic_backup.sh            # Encrypted launcher stub
     ├── restic_backup.sh.enc        # Encrypted backup logic
     ├── restore.sh                  # Encrypted launcher stub
     ├── restore.sh.enc              # Encrypted restore logic
    
      - src/ contains the editable restic_backup_src.sh script.
      - Running restic_backup_src.sh generates all production scripts in the parent folder.
      - The entire folder is portable; cron jobs and scripts work using relative paths.
    
  • Initial Setup

    • Install Required Apps:

      • Linux: sudo apt update && sudo apt install restic openssh-client argon2 -y
      • macOS: brew install restic argon2
    • Generate RSA key without passphrase/password

      • ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
        • -t rsa specifies the type of key to create (RSA).
        • -b 4096 specifies the number of bits in the key (4096 bits is recommended for security).
        • -C your_email@example.com adds a label to the key, usually your email.
        • Press Enter to accept the default location (~/.ssh/id_rsa).
        • When prompted to enter a passphrase, simply press Enter twice to leave it empty.
    • Clone or copy the restic-scripts folder to your home directory:

      • cd /../restic-scripts
      • sudo chmod -R 700 src
      • sudo chmod +x src/restic_backup_src.sh
      • cd .. # OR cd /../restic-scripts
      • git branch -M main
      • git remote add origin git@github.com:cryptCEE/restic-scripts.git
      • git remote -v
      • git add .
      • git commit -S -m "Test commit with GPG signing"
      • git push -u origin main
    • Make the source script executable:
      • chmod +x ~/restic-scripts/src/restic_backup_src.sh
      • Edit the source script to configure:
        • BACKUP_PATHS: directories/files to back up
        • EXCLUDES: patterns to exclude from backups
        • RESTIC_REPOSITORY: location for the Restic repository
        • PLAIN_PASSWORD / SALT / Argon2 parameters
  • The Backup

    • Preparing the Backup Script

      • Run the editable source to perform a backup and generate encrypted scripts:
        • cd ~/restic-scripts/src
        • ./restic_backup_src.sh
        • What happens:
          • Restic repository initialized if not present
          • Argon2 password file created (or reused)
          • Backup runs with specified paths and excludes
          • Old snapshots are pruned according to retention rules
          • Logs written to $RESTIC_REPOSITORY/logs/backup_YYYY-MM-DD.log
          • Cron job automatically installed (runs daily at 2 AM)
          • Restore script (restore.sh) is auto-generated and encrypted
          • Production scripts (restic_backup.sh and restore.sh) are encrypted and ready for use
    • Running Encrypted Production Scripts

      • Backup:
        • ~/restic-scripts/restic_backup.sh
      • Restore:
        • ~/restic-scripts/restore.sh
        • Restore Behavior:
          • Displays available snapshots (latest first) with timestamps
          • Asks for confirmation (default: Y)
          • Restores to $HOME/restic_restore by default
  • Cron Integration

    • The backup script automatically installs a cron job:
      • 0 2 * * * /home/<user>/restic-scripts/restic_backup.sh
    • Uses relative paths; works even if the folder is moved
    • Runs unattended using the SSH RSA key for decryption
    • Logs written to $RESTIC_REPOSITORY/logs
  • Security

    • Scripts are encrypted using a passphrase-free SSH RSA key (~/.ssh/id_rsa)
    • Argon2-based password file (restic_pass) used by Restic
    • Backup and restore operations require only the presence of the private key, so anyone who can read ~/.ssh/id_rsa can decrypt and run the scripts
  • Editing & Maintenance

    • Only edit src/restic_backup_src.sh
    • Running the source regenerates all production scripts
    • Do not manually edit restore.sh or .enc files — changes will be overwritten
  • Tips & Best Practices

    • Test backup and restore on a small directory first.
    • Keep your SSH private key secure; it is required to run encrypted scripts.
    • Check logs for backup success/failures:
      • less $RESTIC_REPOSITORY/logs/backup_YYYY-MM-DD.log
    • Move the restic-scripts folder as needed — all paths are relative.
    • Make sure restic and jq are installed on your system.
  • Quick Commands Reference

    • Backup

      • Run the source script (generates encrypted scripts and runs backup):
        • cd ~/restic-scripts/src
        • ./restic_backup_src.sh
      • Run the encrypted production backup script:
        • ~/restic-scripts/restic_backup.sh
    • Restore

      • Run the encrypted restore script:
        • ~/restic-scripts/restore.sh
      • Displays snapshots (latest first)
      • Confirm with Y or just press Enter to restore
      • Restores to $HOME/restic_restore by default
    • Logs

      • Check the latest backup log:
        • less $RESTIC_REPOSITORY/logs/backup_$(date '+%F').log
    • Cron

      • Backup is scheduled automatically at 2 AM daily:
        • crontab -l | grep restic_backup.sh
      • Edit cron manually if needed:
        • crontab -e
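
The Security section makes the passphrase-free key at ~/.ssh/id_rsa the only thing protecting the encrypted scripts, and cron executes the launcher stubs unattended. The permission audit below is an added example, not part of the project's scripts; the function names are hypothetical and the paths follow the folder structure shown above.

```shell
#!/bin/sh
# Added example (not project code): audit the files this workflow trusts.

# Octal mode of a path, zero-padded (GNU stat first, then BSD/macOS stat).
perm_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    printf '%03d\n' "$m"
}

# True when group and other have no access at all (600, 700).
is_private() {
    case "$(perm_of "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# True when group and other cannot write (755, 644, 700).
not_writable_by_others() {
    case "$(perm_of "$1")" in *[0145][0145]) return 0 ;; *) return 1 ;; esac
}

# audit_restic_setup KEY SCRIPTS_DIR
# Prints one line per path; the return code is the number of findings.
audit_restic_setup() {
    key=$1 dir=$2 findings=0
    # Secrets: the passphrase-free key, and src/ (mode 700 per the README),
    # which shields the PLAIN_PASSWORD configured in restic_backup_src.sh.
    for p in "$key" "$dir/src"; do
        if is_private "$p"; then
            echo "OK       $p"
        else
            echo "EXPOSED  $p (mode $(perm_of "$p" || echo missing))"
            findings=$((findings + 1))
        fi
    done
    # Code that cron executes unattended: nobody else may replace it.
    for p in "$dir/restic_backup.sh" "$dir/restic_backup.sh.enc" \
             "$dir/restore.sh" "$dir/restore.sh.enc"; do
        if not_writable_by_others "$p"; then
            echo "OK       $p"
        else
            echo "WRITABLE $p (mode $(perm_of "$p" || echo missing))"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh ~/.ssh/id_rsa ~/restic-scripts
if [ $# -eq 2 ]; then audit_restic_setup "$1" "$2"; fi
```

A missing path counts as a finding, so a non-zero exit before the first run of restic_backup_src.sh only means the production scripts have not been generated yet.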
