In praise of restic (the backup tool)

A backup is only of use if it is tested, or something like that.

I’ve been using restic for backups for a while now, after deciding that my rsync-based approach wasn’t quite what I needed.

I like restic.

It’s simple to use, encrypts the backup at rest (and I transmit the backups over ssh when I back up to a remote server), is easy to script, and has in-built functionality for version control, retention periods, and purging.

Plus, restic’s documentation is good, with plenty of examples.

And as well as being open source, there is a detailed reference guide to the repository format so, if the restic project was abandoned, the door is open for others to pick it up.

I still use rsync, including for backing up my backups, but now, when I provision a new server, I set up restic scripts as part of it, for both online and offline (i.e. shuffling USB drives around) backups.

I’ve recently migrated a couple of servers to new hardware, and so I took the opportunity to test my backups again, creating the new servers from my restic backups.

And… it worked.

This is good from the point of view that it gives me increased confidence that my backups are fit for purpose, but, even better, it showed me that I had overlooked backing up some bits which, while not essential, would nevertheless be useful: php configs, crontabs, and the like.

Since I had the “old” servers still running, I could easily grab those as part of the migration, and now I’ve added them to my restic backup routine.

Now here’s the embarrassing part.

As part of a migration, I wasn’t paying quite enough attention to what I was doing, and I wiped out the home directory on the machine from which I was coordinating the migration.

Again, I turned to restic, and within about 15 minutes - the time it took to restore the “latest” version of the backup for that machine, which thankfully was only a couple of hours beforehand - I had everything back the way it had been.

So, yes, I’m quite pleased with restic.

I want to look further into how to use it - perhaps in combination with controls on the receiving server end - to provide additional mitigations against ransomware attacks for online backups.

What I have at the moment would go some way towards it, but if someone managed to obtain access to the machine being backed up, and was sufficiently motivated to do so, they could delete my remote restic repository for that machine. So something for me to work on.

There have been a couple of discussions about donating to restic - I want to support the Free software that I use, because I value it - but it doesn’t look like that’s an option at the moment.