From ArchWiki

This page discusses the restic[1] backup tool including providing a quick start guide and suggesting best practices in the context of Arch Linux.

The main features and benefits are:

  • encrypted backups
  • remote backups
  • built-in support for compression
  • efficient storage (chunk based increments, data is not duplicated)
  • gives flexibility to use a custom scheduling solution like cron or systemd
  • written in go so stand-alone binaries


Install restic, then initialise a repository in an empty directory (for local backups) with:

$ restic init --repo /path/to/backup/directory/

See official tutorial[2].


Restic uses symmetric encryption for repositories. This introduces some issues with scheduled backups[3][4], as the key would generally have to be stored in plain text for an automated process to be able to create the backup.

Restic does support the idea of a script to fetch the password (--password-command option), e.g. from a key vault of some sort. But to be able to unlock the key vault or secret store you would also likely have to hard-code credentials somewhere. Ideally there would be asymmetric encryption that allows to create snapshots with a public key (used in an automated script by restic) yet only decrypt the snapshot with a private key, but this is not supported.

This article or section needs expansion.

  • Mention restic key management
  • If a second-factor like a FIDO key is mentioned, it is more secure to use its secrets directly as a restic key, e.g. a FIDO2 resident-key setup for restic or (simpler) HMAC-SHA challenge-response to use directly or to unlock a password-store and retrieve the restic secret (e.g. with keepassxc-cli, pass) at runtime.
(Discuss in Talk:Restic)

If the system/data partitions to be backed up are not encrypted at rest, you may work around exposing the plain text repository password by storing it in a file on a LUKS encrypted volume. The volume would be decrypted on boot using a passphrase or FIDO key (see Universal 2nd Factor) such as YubiKey provided by the user. You can configure it in crypttab (see dm-crypt) and fstab.

Note: Restic repositories (backups) do not need to be encrypted with LUKS. Restic encrypts data by default.


Systemd timers

Unlike other tools like timeshift[5], restic does not include a scheduling capability. You are expected to either use cron or systemd timers.

You can use a ready project like restic-automatic-backup-scheduler or follow this example that creates local (full) system backups and should be run as the root user.

The example assumes there is an existing directory where an existing restic repository has been initialised (see #Installation).

Create separate volume

This step is optional, but it is a good idea to mount a separate volume there to prevent the automated backup process from potentially consuming all space available to the OS.

The first restic backup will have to clone the entire OS, so the minimum amount of space required is equal to the space taken up by the OS (subject to path exclusions described below) or any other directory that you decide to backup.

Of course, you need space for any additional incremental changes in the future so it is a good idea to create a volume with 2 or even 3 times the size of the data being backed up. E.g. if / takes up 55G then you can create /mnt/restic with 110G.

Systemd Service

You will need a service unit. Create one:

Description=Backup system

ExecStart=systemd-inhibit /usr/local/bin/restic-backup
Note: The service will be invoked by the timer below but can also be started on demand for any unplanned snapshots. systemd-inhibit(1) is optional but recommended to prevent accidental shutdown of the system while a backup is being created.
Configuring resource constraints

Using systemd gives you the option to put resource constraints on the backup process. E.g. you can limit the amount of memory and / or CPU. This is something you would configure in the systemd service unit. See systemd.resource-control(5).

Another way to constrain the resources used by restic is to use the GOMAXPROCS environment variable as described in the official documentation.

Systemd timer

You will also need a timer unit (this one runs every 15 min):

Description=Timer for full system backups



Backup script

You will also want to create a small shell script to pass in all the required options, for example:


if [[ -n $(pgrep 'restic' | grep 'restic backup') ]]; then
  echo 'restic is already running...' 1>&2
  exit 0

set -e
set -v

export RESTIC_REPOSITORY='/mnt/restic'
export RESTIC_PASSWORD_COMMAND='/usr/local/bin/get-restic-password'
export RESTIC_CACHE_DIR=~/.cache/restic

mkdir -p "${RESTIC_CACHE_DIR}"

restic unlock 
restic backup / --exclude-file=/etc/restic/excludes.txt --tag scheduled 
restic check --with-cache --read-data-subset=5G
restic forget --prune --keep-hourly 24 --keep-daily 30 --keep-monthly 6 --keep-weekly 4 --keep-yearly 3
echo VerySecurePassword123
# chmod 744 /usr/local/bin/restic-backup
# chmod 700 /usr/local/bin/get-restic-password

You might want to consider enabling compression in restic to save space if you are backing up data that is not already compressed (like large text files).

Snapshot retention

Adjust the restic forget --prune --keep-hourly 24 --keep-daily 30 --keep-monthly 6 --keep-weekly 4 --keep-yearly 3 values in the script above if wanted.

Configuring niceness

You may also wish to tweak niceness of the backup process. If you are running backups often you will likely want to reduce the resource usage to prevent it from affecting interactive use. However, you should check how long the backups are taking and make sure they are not overlapping (i.e. a new backup being started when the previous one has not finished).

You can do that with nice(1). You may want to adjust the backup scrip by adding nice to the beginning of the resource intensive commands e.g.:

# nice -n 19 restic backup ...
# nice -n 19 restic check ...

Alternatively if you are using ananicy-cppAUR you may want to ensure that the niceness is configured in its configuration file(s) under /etc/ananicy.d/.

{"name": "restic", "type": "file-sync"}

Refer to the restic FAQ for more information.

Excludes list

Add the excludes file under /etc/restic e.g.:



Do not forget to enable the restic-backup.timer.