How To Securely Manage Secrets with HashiCorp Vault on Ubuntu 16.04


Restic is a protected and efficient client that is backup in the Go language. It can backup local files to a number of different backend repositories such as a directory that is local an SFTP host, or an S3-compatible item storage space solution.

In this guide we shall install Restic and initialize a repository on an item storage space solution. We are going to then backup some files towards repository. Finally, we will automate our backups to just take snapshots that are hourly immediately prune old snapshots whenever necessary.


For this guide, you’ll need a computer that is UNIX-based some files you’d like to back up. The commands and techniques used in this tutorial will only work on MacOS and Linux.( though Restic is available for Mac, Linux, and Windows*******)

Restic calls for a amount that is good of to operate, and that means you needs to have 1GB or even more of RAM in order to avoid getting mistakes.

You will even need to find out the details that are following your item storage space solution:

  • Access Key
  • Secret Key
  • Server URL
  • Bucket Name

If you’re utilizing the DigitalOcean Spaces item storage space solution, it is possible to set a Space up and obtain all of the above information by after our tutorial how exactly to produce a DigitalOcean area and API Key.

Once you have got your item storage space information, go to the section that is next install the Restic pc software.

Installing the Restic Backup Customer

Restic can be obtained as a executable that is precompiled many platforms. This means we can download a file that is single run it, no package supervisor or dependencies necessary.

To get the file that is right down load, first make use of your internet browser to navigate to Restic’s launch web page on GitHub. You will discover a listing of files underneath the Downloads header.

For a 64-bit Linux system (the most typical host environment) you need the file closing in _linux_amd64.bz2.

For MacOS, search for the file with _darwin_amd64.bz2.

Right-click regarding the file that is correct one’s body, then choose Copy website link Address (the wording could be somewhat various within web browser). This can duplicate the down load URL towards clipboard.

Next, in a terminal session using the pc you are burning (then download the file with curl🙁 if it’s a remote machine you may need to log in via SSH first), make sure you’re in your home directory,*******)

  • cd ~
  • curl -LO

Unzip the file we downloaded:

Then copy the file to /usr/local/bin and upgrade its permissions making it executable. We are going to need certainly to make use of sudo of these two actions, as a user that is normalnot have authorization to create to /usr/local/bin:

  • sudo cp restic* /usr/local/bin/restic
  • sudo chmod a+x /usr/local/bin/restic

Test your installation had been effective by calling the restic demand without any arguments:

Some assistance text should print towards display screen. In that case, the restic binary is set up correctly. Next, we will produce a configuration declare Restic, initialize our object then storage space repository.

Creating a Configuration File

Restic must understand our access key, secret key, item storage space connection details, and repository password so that you can initialize a repository we could then backup to. We will get this to given information offered to Restic making use of environment factors.

Environment factors are components of information you run that you can define in your shell, which are passed along to the programs. For instance, every program you run on the command line can see your $PWD environment variable, which contains the path of the directory that is current

It's typical training to place tokens that are sensitive passwords in environment variables, because specifying them on the command line is not secure. Since we're going to be automating our backups later on, we'll save this given information in a file in which our script can get access to it.

First, available a file at home directory:

This will start an file that is empty the nano text editor. When we're done, the file will consist of four export commands. These export statements define environment variables and make them available to any programs you run in the ( that is future*******)


export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export RESTIC_REPOSITORY="s3:server-url/bucket-name"
export RESTIC_PASSWORD="a-strong-password"

The access and key secrets may be supplied by your item storage space solution. You might want to produce a set that is unique of simply for Restic, to ensure that access can be simply revoked just in case the secrets are lost or compromised.

An instance RESTIC_REPOSITORY value is: If you want to connect with a host on a port that is non-standard over unsecured HTTP-only, consist of that information into the URL like therefore s3:http://example-server:3000/example-bucket.

RESTIC_PASSWORD describes a password that Restic use to encrypt your backups. This encryption occurs in your area, to help you backup to an offsite that is untrusted without worrying all about the articles of one's files exposure.

You should select a password that is strong, and copy it somewhere safe for backup. One way to generate a strong password that is random to make use of the openssl demand:



This outputs a 24-character random sequence, which you are able to duplicate and paste to the setup file.

Once all of the factors are done correctly, save yourself and shut the file.

Initializing the Repository

To load the setup into our shell environment, we source the file we simply created:

You can check always to ensure this worked by printing away among the factors:

Your repository Address should print away. Now we could initialize the Restic command:( to our repository*******)


created restic backend 57f73c1afc at Please be aware that understanding of your password is needed to access the repository. Losing your password implies that important computer data is irrecoverably destroyed.

The repository has become willing to get data that are backup. We are going to deliver that information next.

Backing Up a Directory

Now which our object that is remote storage is initialized, we can push backup data to it. In addition to encryption, Restic does diffing, and de-duplication while backing up. This means that our backup that is first will a full back-up of all of the files, and subsequent backups is only going to must transfer brand new files and modifications. Also, duplicate information may be detected and never written towards backend, which saves area.

Before we backup, if you should be testing things on a system that is bare require some instance files to backup, produce a straightforward text file at home directory:

  • echo "sharks have no organs for producing sound" >> ~/facts.txt

This will generate a facts.txt file. Now straight back it, combined with the remainder of your property directory:


scan [/home/sammy] scanned 4 directories, 14 files in 0:00 [0:04] 100.00per cent 2.558 MiB/s 10.230 MiB / 10.230 MiB 18 / 18 things 0 mistakes ETA 0:00 length: 0:04, 2.16MiB/s snapshot 427696a3 conserved

Restic is useful for somewhat, showing you reside status updates on the way, then output the snapshot that is new ID (highlighted above).

Note: If you would like backup a directory that is different substitute the ~ above with the path of the directory. You may need to use sudo in front of restic backup if the target directory is not owned by your user. It again when restoring the snapshot, otherwise you may get some errors about not being able to properly set permissions.
( if you need sudo to back up, remember to use*******)

Next we will discover ways to discover more information regarding the snapshots kept within our repository.

Listing Snapshots

To list out of the backups kept into the repository, make use of the snapshots subcommand:


ID Date Host Tags Directory ---------------------------------------------------------------------- 427696a3 2017-10-23 16:37:17 restic-test /home/sammy

You can easily see the snapshot ID we received during our backup that is first timestamp for whenever snapshot had been taken, the hostname, tags, additionally the directory which was supported.

Our Tags line is blank, because we did not make use of any inside instance. You could add tags to a snapshot by including a --tag banner followed closely by the label title. It is possible to specify tags that are multiple saying the --tag choice.

Tags can be handy to filter snapshots afterwards if you are establishing retention policies, or whenever looking by hand for a snapshot that is particular restore.

The Host is roofed into the listing as you can deliver snapshots from numerous hosts to a repository that is single. You'll need to copy the repository password to each machine. You can also set up multiple passwords for your repository to have more access control that is fine-grained. You will find away additional information about handling repository passwords into the formal Restic docs.

Now that individuals've got a snapshot uploaded, and learn how to record our repository contents out, we will make use of our snapshot ID to try restoring a back-up.

Restoring a Snapshot

Weare going to restore an snapshot that is entire a temporary directory to verify that everything is working properly. Use a snapshot ID from the listing in the step that is previous. We are going to deliver the restored files to a directory that is new /tmp/restore:

  • restic restore 427696a3 --target /tmp/restore


restoring <Snapshot 427696a3 of [/home/sammy] at 2017-10-23 16:37:17.573706791 +0000 UTC by [email protected]> to /tmp/restore

Change towards directory and list its articles:

You should start to see the directory we supported. Within instance it will be an individual sammy's house directory. Enter the restored list and directory out of the files inside:


facts.txt restic_0.7.3_linux_amd64

Our facts.txt file will there be, combined with the binary that is restic we removed at the start of the guide. Print facts.txt towards display screen to ensure it is that which we expected:

You should start to see the shark undeniable fact that we devote the file formerly. It worked!

Note: you can use the --include and --exclude options to fine-tune your selection if you don't want to restore all the files in a snapshot. Browse the Restore portion of the Restic documents to learn more.

Now that individuals understand back-up and restore is working, let us automate the creation of the latest snapshots.

Automating Backups

Restic includes a forget demand to simply help keep a archive that is running of. You can use restic forget --prune to set policies on how many backups to keep daily, hourly, weekly, and so on. Backups that don't fit the policy shall be purged through the repository.

We use the cron system solution to operate a task that is backup hour. First, open your user up's crontab:

You could be prompted to decide on a text editor. Pick your preferred — or nano then press ENTER if you have no opinion —. The default crontab for your user shall start within text editor. It might have some comments explaining the crontab syntax. At the end of the file, add the following to a line:

that is new


. . .
42 * * * * . /home/sammy/.restic-env; /usr/local/bin/restic backup/( that is-q; /usr/local/bin/restic forget -q --prune --keep-hourly 24 --keep-daily 7

Let's action through this demand. The 42 * * * * defines whenever cron should run the duty. In cases like this, it'll run into the 42nd minute of each and every hour, day, month, and day of week. To learn more about this syntax, read our tutorial utilizing Cron To Automate Tasks.

Next, . /home/sammy/.restic-env; is the same as source ~/.restic-env which we went formerly to load our secrets and passwords into our shell environment. It has the effect that is same our crontab: subsequent commands with this line could have usage of these records.

/usr/local/bin/restic backup/( that is-q; is our Restic backup command. We use the path that is full the restic binary, since the cron solution won’t immediately try /usr/local/bin for commands. Likewise, we show the house folder course clearly with /home/sammy as opposed to utilizing the ~ shortcut. You need to be because explicit that you can whenever composing a command for cron. We make use of the -q banner to suppress status production from Restic, it.( since we wont be around to read*******)

Finally, /usr/local/bin/restic forget -q --prune --keep-hourly 24 --keep-daily 7 will prune old snapshots which can be no more required on the basis of the specified retention flags. Within instance, we are maintaining 24 hourly snapshots, and 7 snapshots that are daily. There are also options for weekly, monthly, yearly, and policies that are tag-based

whenever you've updated the demand to suit your requirements, save the file and leave the written text editor. The crontab shall be installed and activated. After a hours that are few restic snapshots once more to validate that brand new snapshots are now being uploaded.


In this guide, we have developed a setup declare Restic with your item storage space verification details, utilized Restic to initialize a repository, supported some files, and tested the back-up. Finally, we automated the method with cron.

Restic has more freedom and much more features than had been talked about right here. For more information about Restic, take a good look at their formal documents or ebsite that is main

Using Authentic Photography in Web Design

Previous article

How exactly to Install a MongoDB Sharded Cluster on CentOS 7

Next article

You may also like


Leave a Reply

More in DigitalOcean