Backups with Restic on OtterStorage
A guide to configuring Restic with OtterStorage as an S3 repository and managing encrypted, deduplicated, immutable backups.
Restic is a fast, encrypted, deduplicated backup tool that can use any S3-compatible storage as a repository. In this guide you'll see how to connect Restic to an OtterStorage bucket to create backups, list snapshots, restore data, apply retention policies, and protect your copies with immutability.
Prerequisites
- Restic installed on your system (run restic version to check).
- A bucket created in OtterStorage; in these examples we call it mi-bucket.
- The bucket credentials: an access key and a secret key. In OtterStorage, credentials are issued per bucket, so you can isolate each backup repository.
Connection details used in this guide:
- S3 endpoint: https://es-mad-1.s3.otterstorage.io
- Region: eu-mad
1. Export the credentials and the region
Restic reads S3 credentials from the standard AWS environment variables. Export them before running any command. On Linux or macOS:
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export AWS_DEFAULT_REGION="eu-mad"
On Windows (PowerShell):
$env:AWS_ACCESS_KEY_ID = "YOUR_ACCESS_KEY"
$env:AWS_SECRET_ACCESS_KEY = "YOUR_SECRET_KEY"
$env:AWS_DEFAULT_REGION = "eu-mad"
These variables only live in the current session. To automate backups, it's best to define them in the environment of the service or cron job that runs Restic.
2. Initialize the repository
A Restic repository is referenced with the syntax s3:ENDPOINT/BUCKET. Initialize it once:
restic -r s3:https://es-mad-1.s3.otterstorage.io/mi-bucket init
Restic will ask for a repository password. This password encrypts all of your data end to end: without it, nothing can be read or restored, not even with access to the bucket. Keep it somewhere safe, because it is not recoverable.
To avoid typing it manually for every command, export RESTIC_PASSWORD (or use RESTIC_PASSWORD_FILE pointing to a protected file):
export RESTIC_PASSWORD="una-contraseña-larga-y-secreta"
You can also set the repository in RESTIC_REPOSITORY to omit the -r flag on every call:
export RESTIC_REPOSITORY="s3:https://es-mad-1.s3.otterstorage.io/mi-bucket"
3. Create a backup
With the repository initialized, create a backup of one or more directories:
restic -r s3:https://es-mad-1.s3.otterstorage.io/mi-bucket backup /var/www /etc
The first backup uploads all the data; subsequent ones only transfer the new blocks thanks to deduplication, which makes them much faster. You can exclude paths and add tags to organize your snapshots:
restic backup /var/www \
--exclude="/var/www/**/cache" \
--tag web --tag produccion
4. List and inspect snapshots
Each backup produces a snapshot. To view the history:
restic -r s3:https://es-mad-1.s3.otterstorage.io/mi-bucket snapshots
You'll see a short identifier per snapshot, along with the date, host, and tags. To review what changed relative to an earlier backup, use diff with two identifiers:
restic diff 1a2b3c4d 5e6f7a8b
You can also check the repository's integrity at any time:
restic check
5. Restore data
To restore a full snapshot to a target directory, specify its identifier (or latest for the most recent one):
restic -r s3:https://es-mad-1.s3.otterstorage.io/mi-bucket restore latest --target /tmp/restauracion
If you only need to recover a portion, filter with --include:
restic restore 1a2b3c4d --target /tmp/restauracion --include /var/www/config
Another option is to mount the repository as a read-only filesystem and browse the snapshots with your usual tools:
restic mount /mnt/backups
6. Retention: forget and prune
Accumulating snapshots indefinitely wastes space. The retention policy is applied with forget, which selects the snapshots to keep and removes the rest, and --prune, which removes from the repository the data no longer referenced by any snapshot:
restic forget --prune \
--keep-daily 7 \
--keep-weekly 4 \
--keep-monthly 12
That example keeps the last 7 daily, 4 weekly, and 12 monthly backups, and deletes the rest. With OtterStorage we don't bill for requests or deletions, so you can run prune as often as you like with no per-operation cost: you only pay for the storage you actually use after deduplication.
To preview what the policy would do without touching anything, add --dry-run:
restic forget --prune --keep-daily 7 --dry-run
7. Immutability with Object Lock
To protect yourself against ransomware or accidental deletions, enable Object Lock on the OtterStorage bucket. With Object Lock, objects cannot be modified or deleted until the configured retention period expires, which turns your backups into truly immutable (WORM) copies.
Restic supports repositories on buckets with Object Lock enabled. Keep in mind that with immutability active, any prune operation that tries to delete data before the lock expires will fail: plan the bucket's retention period to be consistent with your Restic forget policy.
Object Lock must be enabled when the bucket is created. See the specific steps in the OtterStorage documentation.
8. Automate the backups
Once you've validated the workflow, automate it with cron or a systemd timer. A typical script might look like this:
#!/bin/sh
# S3 credentials for the bucket (placeholders)
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
export AWS_DEFAULT_REGION="eu-mad"
# Repository location and the file that holds the repository password
export RESTIC_REPOSITORY="s3:https://es-mad-1.s3.otterstorage.io/mi-bucket"
export RESTIC_PASSWORD_FILE="/etc/restic/password"
# Daily backup, then apply the retention policy
restic backup /var/www /etc --tag diario
restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 12
Because requests and deletions are not billed, you can schedule frequent backups and regular prunes without worrying about per-operation cost.
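A hardened variant of the script above, added here as an example and not part of the original guide: it keeps the keys out of the script, refuses to run when a secret file is readable by group or others, and applies retention only after a complete snapshot. The file /etc/restic/otterstorage.env, the --run argument, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. ENV_FILE is a hypothetical root-only file
# containing the three "export AWS_..." lines from step 1.
ENV_FILE="${ENV_FILE:-/etc/restic/otterstorage.env}"
PASS_FILE="${PASS_FILE:-/etc/restic/password}"

# Succeed only if $1 is a regular file with no group/other permission bits.
secret_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other columns of the mode string
    [ "$perms" = "------" ]
}

# Returns 0 on success, 2 for an unsafe secret file, 3 for an incomplete
# snapshot (retention skipped), otherwise restic's own exit status.
backup_cycle() {
    for f in "$ENV_FILE" "$PASS_FILE"; do
        if ! secret_file_ok "$f"; then
            echo "refusing to run: $f missing or readable by group/others" >&2
            return 2
        fi
    done
    . "$ENV_FILE"
    export RESTIC_PASSWORD_FILE="$PASS_FILE"
    export RESTIC_REPOSITORY="s3:https://es-mad-1.s3.otterstorage.io/mi-bucket"

    rc=0
    restic backup /var/www /etc --tag diario || rc=$?
    if [ "$rc" -eq 3 ]; then
        # restic backup exits 3 when some source files could not be read
        echo "incomplete snapshot; skipping forget/prune" >&2
        return 3
    elif [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 12 || return $?
    restic check
}

# Run only when invoked as: script --run (sourcing it just defines the functions).
if [ "${1:-}" = "--run" ]; then
    backup_cycle
    exit $?
fi
```

Create both secret files with mode 600 and call the script with --run from cron or a systemd timer.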
Summary
- Export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION=eu-mad.
- Initialize with restic -r s3:https://es-mad-1.s3.otterstorage.io/mi-bucket init and store the password safely (RESTIC_PASSWORD).
- Create backups with backup, review them with snapshots, and recover them with restore.
- Control growth with forget --prune and your retention policy.
- Enable Object Lock for immutable backups and take advantage of the fact that OtterStorage doesn't charge for requests or deletions.