Automated encrypted backups for $18/yr

return to homepage


This is a tutorial for creating automated, versioned, deduplicated and encrypted remote backups on a linux machine. Let's define our assumptions and all 'em big words.



Here are some things we want to achieve:

  1. backups happen automatically (we will use systemd to schedule them. But anacron or cron work too)
  2. We don't want to delete a file in our system, then back it up, the file gets deleted in our backup. ... but oops! A day later we realize we needed that file. This often happens with Dropbox or with similar systems. (note that Dropbox Rewind lets you find previous versions of the file up to 30 or 180 days).
  3. We don't want to upload all the files every time we do a backup. We only want to upload changes.
  4. our backups should be encrypted by our local computer. We have the key, no one else! (unlike Dropbox, Google Drive, etc ... who can read your files)


Therefore our backups are:


To achieve this we will use restic, and backup to using their special discount for restic.


The general idea is simply to run this command regularly:

followed by the maintenance operations of restic forget and the occasional restic prune.

Now, with the full details, these commands can become too wordy:


So we are going to separate it into 3 files:


The Nitty-Gritty

Let's do it:

There, create 3 files:



using the env command, a system() call or using inline shell scripts (e.g. RESTIC_PASSWORD=password restic …) might expose the credentials in the process list directly and they will be readable to all users on a system. Using export in a shell script file should be safe, however, as the environment of a process is accessible only to that user. Please make sure that the permissions on the files where the password is eventually stored are safe (e.g. 0600 and owned by root).

The repository will be different for you, of course. But we will come back to it.




or check the docs for excluding.


Initial Steps

Before we keep going, do the installations and signing-up.

Install restic:

sign up at:

you will get a user with format NNNNN and a server with format or something similar.

Your restic repository will now live at:, so make sure you update your config file above. Then follow their instructions to get ssh access with a key.


You are now ready to initialize the repo. Chose a name for it, here myrepo and run in your local shell:

Chose your password and store it in your config file.

You can check that it works, for example with a small file:

followed by:



Now we need to tell our computer to do this regularly.

note that user is not your username, it's the actual string user.

inside that directory create this file:


as well as:


Ok. All the infrastructure is set. We now need to start it:


Now, the backup should happen daily at the chosen time, or at the next available time if the computer is off. You can do the same process to prune your restic repos. You will create a restic-prune.service and a restic-prune.timer , with the only major difference being in:

which calls the same configuration file.


I have also set this backup system to make an encrypted backup to my external hard drives. To make it easier to create manual backups, I also created a bash script as seen below:


Of course, we haven't talk about restoring your backups, but restic makes it very easy. To check the consistency of your backup:

To fully restore:

But much more granular recovery of files and repos can be done.



Useful links:

systemd time format

return to homepage