What Restic Does
- Encrypted: AES-256 encryption — backups are secure even on untrusted storage
- Deduplicated: Content-defined chunking means only changed data is stored
- Fast: Parallel processing for backup and restore operations
- Verifiable: Cryptographic integrity verification of all backed-up data
- Incremental: After initial backup, only changes are transmitted
- Snapshots: Each backup creates a snapshot that can be individually browsed and restored
- Cross-Platform: Single binary for Linux, macOS, Windows, FreeBSD
- Multiple Backends: Local, SFTP, S3, B2, GCS, Azure, MinIO, Rclone, REST server
Architecture
```
Source Files
  → Content-defined chunking (CDC)
  → Deduplicate (skip known chunks)
  → Compress (zstd, since v0.14)
  → Encrypt (AES-256-CTR + Poly1305)
  → Upload to repository backend
```
Repository Layout:
```
├── config — encrypted repo config
├── data/ — encrypted data blobs
├── index/ — chunk index files
├── keys/ — master key (encrypted with password)
├── locks/ — exclusive lock files
└── snapshots/ — snapshot metadata
```
Storage Backends
```bash
# Local directory
restic -r /mnt/backup init
# SFTP
restic -r sftp:user@host:/backup init
# Amazon S3
restic -r s3:s3.amazonaws.com/my-bucket init
# Backblaze B2
restic -r b2:my-bucket:path init
# Google Cloud Storage
restic -r gs:my-bucket:/ init
# Azure Blob
restic -r azure:my-container:/ init
# MinIO (S3-compatible); use https:// outside a trusted network
restic -r s3:http://minio:9000/backup init
# Rclone (any rclone backend)
restic -r rclone:remote:path init
# REST server (restic's own server); use https:// outside a trusted network
restic -r rest:http://host:8000/ init
```
Common Workflows
Daily Backup Script
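```bash
#!/bin/bash
# Stop at the first failing command so a failed backup is never followed by
# forget/prune or reported as completed.
set -euo pipefail

export RESTIC_REPOSITORY="s3:s3.amazonaws.com/my-backups"
export RESTIC_PASSWORD_FILE="/etc/restic/password"
# Placeholders: in production, load credentials from a file readable only by
# the backup user (or use an instance role) instead of hardcoding them here.
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"

# Backup
restic backup /home /etc /var/lib/postgresql \
  --exclude="*.tmp" \
  --exclude=".cache" \
  --exclude="node_modules" \
  --tag daily

# Prune old snapshots
restic forget \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 12 \
  --keep-yearly 3 \
  --prune

# Verify integrity
restic check

# Notify
echo "Backup completed: $(restic snapshots --latest 1 --json | jq -r '.[0].short_id')"
```
Browse & Restore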
```bash
# List all snapshots
restic snapshots
# Browse snapshot contents
restic ls latest
# Restore entire snapshot
restic restore latest --target /tmp/restore
# Restore specific files
restic restore latest --target /tmp/restore --include "/home/user/documents"
# Mount snapshot as filesystem (read-only)
restic mount /mnt/restic-mount &
ls /mnt/restic-mount/snapshots/latest/
```
Retention Policies
```bash
# --keep-last 5      Keep 5 most recent
# --keep-daily 7     Keep 1 per day for 7 days
# --keep-weekly 4    Keep 1 per week for 4 weeks
# --keep-monthly 12  Keep 1 per month for 12 months
# --keep-yearly 5    Keep 1 per year for 5 years
# --prune            Actually delete unreferenced data
restic forget \
  --keep-last 5 \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 12 \
  --keep-yearly 5 \
  --prune
```
Performance
Initial backup of 100GB:
→ ~30 minutes (depends on disk/network speed)
Incremental backup (2GB changed):
→ ~2 minutes (only new/changed chunks)
Deduplication ratio (typical):
→ 10 daily backups of 100GB ≈ 110GB stored (not 1TB)
Restic vs Alternatives
| Feature | Restic | BorgBackup | Duplicati | Rclone |
|---|---|---|---|---|
| Language | Go | Python/C | C# | Go |
| Encryption | AES-256 (always) | AES-256 | AES-256 | Crypt |
| Deduplication | CDC chunks | CDC chunks | Block-level | None |
| Compression | zstd (v0.14+) | lz4/zstd | Zip/7z | None |
| Backends | 20+ | Local/SSH | 20+ (GUI) | 40+ |
| GUI | No (CLI) | No (CLI) | Web UI | Web UI |
| Platform | All | Linux/macOS | All | All |
| Mount snapshots | Yes (FUSE) | Yes (FUSE) | No | Yes |
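FAQ
Q: How do I choose between Restic and BorgBackup?
A: Both are excellent deduplicating backup tools. Restic's advantages: a single Go binary, native support for 20+ cloud storage backends, and cross-platform support. Borg's advantages: more mature compression (it supported zstd earlier) and slightly higher performance. If you need to back up to the cloud, choose Restic. If you only back up to local storage or over SSH, either works.
Q: What if I lose the password?
A: It cannot be recovered. Restic derives the encryption key from the password, and there is no "forgot password" feature. Store the password in a password manager (such as Vaultwarden) and keep a paper copy in a secure location.
Q: Can it be automated?
A: Yes. Use cron to run the backup script on a schedule. The password is supplied through the RESTIC_PASSWORD_FILE environment variable. You can also use the resticprofile tool to simplify configuration management.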
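
A preflight wrapper for the cron automation described above, as an added example that is not part of the original page or the restic project: it refuses to run if the password or credentials file is accessible to other users, and skips `forget --prune` unless the backup exited cleanly. The function names and the `/etc/restic/s3.env` path are assumptions.

```bash
#!/bin/bash
# Added example (not from the original page): preflight checks for a cron-run
# restic job. Function names and file paths are hypothetical.

# secret_file_ok FILE: succeed only if FILE is a non-empty regular file (not a
# symlink), owned by the current user, with no group/other permission bits.
secret_file_ok() {
  local f="$1" perms
  [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] && [ -O "$f" ] || return 1
  perms=$(ls -ld -- "$f" | cut -c5-10)   # group+other bits of e.g. -rw-------
  [ "$perms" = "------" ]
}

# should_prune CODE: restic backup exits 0 on success, 1 on a fatal error and
# 3 when some source files could not be read (incomplete snapshot). Only a
# clean run may go on to delete older snapshots.
should_prune() {
  [ "$1" -eq 0 ]
}

# run_backup PASSWORD_FILE ENV_FILE PATH...: ENV_FILE holds the AWS_* exports
# kept out of the script itself; it is sourced only if it passes the check.
run_backup() {
  local pw="$1" envf="$2" rc=0
  shift 2
  secret_file_ok "$pw"   || { echo "refusing: unsafe $pw" >&2; return 2; }
  secret_file_ok "$envf" || { echo "refusing: unsafe $envf" >&2; return 2; }
  . "$envf"
  export RESTIC_PASSWORD_FILE="$pw"
  restic backup "$@" --tag daily || rc=$?
  if should_prune "$rc"; then
    restic forget --keep-daily 7 --keep-weekly 4 --prune && restic check
  else
    echo "backup exited $rc; skipping forget/prune" >&2
    return "$rc"
  fi
}

# Typical cron entry point (assumed paths, RESTIC_REPOSITORY set in s3.env):
# run_backup /etc/restic/password /etc/restic/s3.env /home /etc
```
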
Sources & Credits
- GitHub: restic/restic — 33K+ ⭐ | BSD-2-Clause
- Website: restic.net