Restic already encrypts repository contents client-side. The main risks are weak password/key handling, repository access control, and unsafe prune/forget operations.
¶ 1) Enforce strong repository key handling
- Use long random repository passwords (or key files protected by OS permissions).
- Store credentials outside shell history and repo configs.
- Rotate repository access passwords when operators change.
- Restrict access to password-command scripts.
¶ 2) Repository and backend access control
- Restrict S3/B2/SSH backend credentials to backup service accounts only.
- Enforce bucket/object immutability where available.
- Enable versioning and MFA-delete for cloud object stores.
- Limit egress so backup hosts can only reach approved backend endpoints.
¶ 3) Integrity checks and retention safety
- Run restic check regularly and alert on repository corruption.
- Use an explicit retention policy (forget --keep-*) and review the effects of prune.
- Test full restore workflows periodically.
- Protect snapshots from accidental delete by policy and RBAC.
¶ Verification commands
restic version
restic snapshots
restic check --read-data-subset=1/20
grep -R "RESTIC_PASSWORD\|RESTIC_REPOSITORY\|RESTIC_PASSWORD_FILE" /etc /opt 2>/dev/null | head
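The following preflight script ties the key-handling and retention items above together; it is an added example, not restic's own tooling. It assumes the repository password is supplied through RESTIC_PASSWORD_FILE, that job configuration lives under /etc/restic/*.conf, that /srv/data is the backup source, and that GNU or BSD stat is available.

```shell
#!/bin/sh
# Preflight checks for a restic job (added example; paths below are assumptions).

# Octal permission bits of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A password file passes only if it is a regular file owned by the invoking
# user and readable by that user alone (mode 0400 or 0600).
restic_secret_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    case "$(file_mode "$f")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Fail if any given file hard-codes the repository password (RESTIC_PASSWORD=).
# RESTIC_PASSWORD_FILE and RESTIC_PASSWORD_COMMAND assignments are acceptable.
restic_no_inline_password() {
    if grep -E -q '^[[:space:]]*(export[[:space:]]+)?RESTIC_PASSWORD=' "$@" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Turn a "daily weekly monthly" retention policy into explicit forget --keep-* flags.
restic_forget_args() {
    printf '%s' "--keep-daily $1 --keep-weekly $2 --keep-monthly $3"
}

# Back up, apply retention, then verify a sample of the data. Each step must
# succeed before the next runs, so a broken repository is never pruned.
restic_safe_maintenance() {
    restic_secret_ok "$RESTIC_PASSWORD_FILE" || { echo "password file permissions too open" >&2; return 1; }
    restic_no_inline_password /etc/restic/*.conf || { echo "inline RESTIC_PASSWORD found in config" >&2; return 1; }
    restic backup /srv/data &&
    restic forget $(restic_forget_args 7 4 6) --prune &&
    restic check --read-data-subset=1/20
}

# Sourcing the file only defines the checks; pass "run" to execute the job.
if [ "${1:-}" = run ]; then
    restic_safe_maintenance
fi
```

Run the policy through `restic forget --dry-run` with the same flags first if you want to see which snapshots the retention settings would remove.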
¶ References
- Restic design and security: https://restic.net/
- Restic docs (encryption/password): https://restic.readthedocs.io/
- Restic source/advisories: https://github.com/restic/restic/security