Backup Strategy in Practice: Restic, Backblaze B2, rclone, and Actually Testing Restores
Most people set up backups after their first data loss. That is the wrong order.
The hard part is not the tooling — the tooling is excellent and mostly free. The hard part is convincing yourself, before anything bad happens, that the hour spent configuring and testing a backup system is worth more than the hour spent building the next feature, adding the next service, or doing anything else that feels more immediately productive. It is. By a large margin.
This guide covers the full picture: the philosophy behind a real backup strategy, the 3-2-1 rule and its modern extensions, Restic as the backbone for encrypted deduplicated backups, Backblaze B2 as the best-value cloud storage target, rclone for multi-cloud flexibility, complete production automation scripts, healthcheck monitoring, and — most importantly — how to verify your backups actually work before you need them.
Part 1: The Backup Mindset
Before any tooling, some hard truths.
It’s Not a Backup Until You’ve Tested the Restore
This phrase gets repeated so often it risks becoming a cliche, but it keeps being true. Backup software has bugs. Filesystems have corruption. Repositories get partial writes. The only way to know your backup is valid is to restore from it and verify the result.
There are three distinct failure modes for backups:
- No backup exists. Obvious, but more common than it should be. “I meant to set that up.”
- A backup exists but is unrestorable. The worst failure mode because it creates false confidence. Your backup job ran for six months, but the repository password is wrong, or the files are zero bytes, or a software bug silently corrupted the data.
- A backup exists and is valid, but recovery takes too long. You have a working restore process, but it takes 18 hours and your business can only survive 4 hours of downtime. The backup technically works but it fails your recovery objective.
All three kill you. Testing addresses the second and surfaces the third.
Recovery Objectives: RTO and RPO
The third failure mode — a valid backup that recovers too slowly — is really a failure to plan against two numbers. Every backup strategy is implicitly a bet on them, so make the bet explicit:
- RPO (Recovery Point Objective): how much data you can afford to lose, measured in time. If you back up once a day, your RPO is up to 24 hours — a disaster at 1:59am, one minute before the 2am run, loses almost a full day of changes. If you cannot tolerate that, you need more frequent backups or continuous replication.
- RTO (Recovery Time Objective): how long you can afford to be down. This is the wall-clock time from “disaster” to “service restored,” including provisioning hardware, downloading the backup, importing databases, and bringing applications up. A backup that takes 18 hours to restore fails a 4-hour RTO no matter how valid the data is.
RPO drives backup frequency; RTO drives backup architecture. The cheaper your recovery needs to be, the longer it takes — restoring 2TB from cold cloud storage is slower than failing over to a warm standby. Decide the targets first, then build backwards to a schedule and topology that meet them:
| Required RPO | Strategy implied |
|---|---|
| < 1 hour | Continuous replication or streaming WAL/binlog shipping |
| < 1 day | Daily automated backups (the default for most homelabs) |
| < 1 week | Weekly backups — acceptable only for rarely-changing data |
Part 8 covers how to measure your real RTO during a restore drill — the number you assume is almost always optimistic.
Backup vs. Sync: A Critical Distinction
Sync tools — rsync, cloud sync clients, RAID — are not backups. They are mirrors. When you delete a file, the mirror deletes it too. When ransomware encrypts your data, the sync propagates the encrypted versions to the mirror within minutes.
A backup is a separate, point-in-time copy that retains historical versions. If you accidentally delete /var/lib/postgres today, you need to restore from a snapshot made before the deletion. A sync would have already destroyed that snapshot.
This matters in practice: if your “backup” is a cron job that rsyncs to a NAS, and that NAS is always mounted as a network share, ransomware will encrypt both in the same sweep. You need immutable, versioned, offline copies.
Why Cloud Storage Alone Isn’t a Backup
Storing data in Dropbox, Google Drive, or S3 is not a backup strategy. Cloud providers expose you to:
- Accidental deletion: You delete a file; the change syncs everywhere
- Account termination: ToS violations, billing failures, or provider-side errors can lock or delete your data with minimal notice
- Ransomware propagation: Sync clients faithfully upload your encrypted files
- No historical versions (unless you pay for version history, which is not default everywhere)
Cloud storage is a component of a backup strategy. It is not a substitute for one.
Part 2: The 3-2-1 Rule and Its Modern Extensions
The 3-2-1 rule is decades old but still the clearest mental model for backup architecture.
Original 3-2-1:
- 3 total copies of your data
- 2 different storage media types
- 1 copy offsite
Applied practically for a home server or VPS:
| Copy | Location | Example |
|---|---|---|
| Copy 1 | Live data | /data on your server |
| Copy 2 | Local backup | External drive, second NAS, local Restic repo |
| Copy 3 | Offsite cloud | Backblaze B2, Wasabi, AWS S3 |
The offsite copy is what protects you from physical disasters: fire, flood, theft, or a power event that takes out all your local hardware simultaneously.
The 3-2-1-1-0 Extension
The modern extension adds two more requirements:
- +1 offline or air-gapped copy (not reachable over the network during normal operation)
- +0 errors verified (the backup has been validated, not just written)
The offline copy protects against ransomware that can reach network-attached storage. If your backup destination is always mounted, it can be encrypted along with the rest of your system. An offline copy — a drive that is physically disconnected between backup runs, or a cloud bucket with Object Lock enabled — cannot be encrypted by malware that doesn’t have those credentials.
Backblaze B2 Object Lock (compliance mode) is the practical implementation of the air-gap for cloud backups. Once data is written with a lock period, it cannot be deleted or overwritten — not by you, not by an attacker who compromises your backup credentials, not by Backblaze — until the lock expires.
Offline Drive Rotation
For a truly air-gapped local copy, a simple rotation schedule works:
- Keep 2-3 external drives labeled A, B, C
- Each week or month: connect the next drive in rotation, run a backup, disconnect it, store it offsite (or in a fireproof safe)
- The drive not currently connected is your offline copy
This sounds like overhead but takes about 15 minutes per cycle and protects against scenarios that no cloud solution addresses.
Immutable Backups with Object Lock
When configuring a Backblaze B2 bucket for Restic, enable Object Lock in compliance mode:
Lock mode: Compliance (not Governance — governance can be overridden by admin)
Default retention: 30 days (adjust based on your retention policy)
With compliance mode active, even a compromised application key with full write permissions to the bucket cannot delete objects within the lock period. This is the cloud equivalent of a write-once tape.
Full, Incremental, and Differential Backups
Classic backup theory defines three strategies, and it is worth understanding them because every backup tool is an answer to the trade-off between them:
- Full backup: a complete copy of all data every run. Simplest to restore (one copy has everything) but the slowest to create and the most storage-hungry.
- Incremental backup: only the data that changed since the previous backup of any kind. Fast and small to write, but a restore must replay the last full backup plus every incremental in the chain — and if one link is missing or corrupt, the chain breaks.
- Differential backup: only the data that changed since the last full backup. A restore needs just the full plus the single latest differential, so recovery is simpler than incremental, but each differential grows larger until the next full.
| Strategy | Backup speed/size | Restore complexity | Failure exposure |
|---|---|---|---|
| Full | Slow, large | Trivial (one copy) | None beyond that copy |
| Incremental | Fast, small | Full + every increment | Whole chain breaks if one link is lost |
| Differential | Moderate | Full + latest differential | Only that pair must be intact |
Restic — the backbone of this guide — sidesteps the choice. Its content-addressed deduplication means every snapshot is logically a full backup (you can restore any one directly, with no chain to replay) while being physically incremental (only changed chunks are uploaded and stored). You get the restore simplicity of full backups with the speed and storage efficiency of incrementals, and no fragile chain to corrupt. That is why the rest of this post stops talking about the taxonomy and starts talking about snapshots.
Part 3: Restic — Encrypted, Deduplicated Backups
Restic is the best general-purpose backup tool available today. It is open source, written in Go (single binary, no dependencies), and its design choices are exactly right.
What Makes Restic Excellent
Encryption by default. Every backup is encrypted with AES-256-CTR before leaving your system. There is no option to create an unencrypted repository. Your cloud provider, anyone with access to the bucket, and Backblaze employees cannot read your data.
Content-addressed deduplication. Restic splits files into variable-size chunks and addresses each chunk by its SHA-256 hash. If a 10GB virtual machine image changes by 100MB, only the changed chunks are uploaded — not the whole 10GB. Across snapshots, identical chunks are stored exactly once. This makes storage efficient and keeps backup times fast after the initial run.
Any backend. Local filesystem, SFTP, S3 and S3-compatible (B2, Wasabi, MinIO), Azure Blob Storage, Google Cloud Storage, or any provider accessible via rclone. One tool for all destinations.
Snapshots, not file copies. Each restic backup creates a snapshot — a point-in-time consistent view of the backed-up data. You can restore any snapshot, browse its contents, mount it as a filesystem, and diff between snapshots.
Installation
|
|
Initial Repository Setup
Store credentials in an environment file rather than passing them on the command line:
|
|
Generate a strong password: openssl rand -base64 32
Store this password somewhere safe and separate from the backup itself. A password manager, a printed copy in a fireproof safe, or a secrets manager. If you lose the repository password, the backup is permanently unreadable.
Initialize the repository:
|
|
Core Commands
Back up a directory:
|
|
Back up with excludes:
|
|
Back up stdin (database dumps, generated archives):
|
|
List snapshots:
|
|
Browse a snapshot:
|
|
Mount the repository as a filesystem (requires FUSE):
|
|
Full restore:
|
|
Partial restore (specific paths):
|
|
Diff between snapshots:
|
|
Retention Policy: forget and prune
Restic accumulates snapshots over time. The forget and prune commands manage retention.
forgetremoves snapshot metadata according to your policy but does not delete datapruneremoves unreferenced data chunks from the repository
Run them together:
|
|
This keeps: the last 3 snapshots regardless of age, one snapshot per day for the past 7 days, one per week for 4 weeks, one per month for a year, and one per year for 3 years. Everything else is removed.
Add --dry-run to see what would be removed before committing.
If you have multiple hosts or tags in the same repository, scope forget to them:
|
|
Tags for Organization
Tag backups at creation time to enable scoped listing and retention:
|
|
Integrity Checking
|
|
A passing restic check means the repository metadata is consistent. --read-data-subset=10% downloads and verifies a random 10% of pack files, giving you statistical confidence that the data itself is intact without consuming the full bandwidth of a complete verification.
Part 4: Backblaze B2 — Best-Value Cloud Storage for Backups
Backblaze B2 is S3-compatible object storage at a fraction of the cost of AWS S3.
Cost Comparison
| Storage | Price/GB/month | 100 GB/mo | 500 GB/mo | 1 TB/mo | 5 TB/mo |
|---|---|---|---|---|---|
| Backblaze B2 | $0.006 | $0.60 | $3.00 | $6.00 | $30.00 |
| Wasabi | $0.0068 | $0.68 | $3.40 | $6.80 | $34.00 |
| AWS S3 Standard | $0.023 | $2.30 | $11.50 | $23.00 | $115.00 |
| AWS S3 Glacier | $0.004 | $0.40 | $2.00 | $4.00 | $20.00 |
B2 egress to the Cloudflare network is free (Bandwidth Alliance). If your restore traffic routes through Cloudflare, you pay nothing for downloads. This is a meaningful cost difference for large restores.
Creating a B2 Bucket
Via the web console:
- Log in to backblaze.com and navigate to B2 Cloud Storage
- Create Bucket: choose a globally unique name, set Private (never public for backup data)
- Enable Object Lock if you want immutable backups (cannot be enabled after creation)
- Enable versioning (required for Object Lock)
Via the B2 CLI:
|
|
Application Keys: Principle of Least Privilege
Create a bucket-specific application key for each backup host — not your master key. If a server is compromised, the attacker can only reach that bucket.
In the B2 console: App Keys → Add a New Application Key:
- Name:
myserver-backup-key - Buckets: Select your backup bucket only
- Capabilities:
readFiles, writeFiles, deleteFiles, listFiles, listBuckets(Restic needs list and write; restrict delete if using Object Lock) - File name prefix: optional, useful for multi-tenant buckets
With Object Lock in compliance mode, you can safely grant deleteFiles to the backup key — the lock prevents actual deletion within the retention period.
Connecting Restic to B2
B2 is S3-compatible. Use the S3 backend with B2’s S3-compatible endpoint:
|
|
The region-specific endpoint matters — using the wrong one will fail or route traffic inefficiently. Find the correct endpoint for your bucket in the B2 console under Bucket Details.
Monitoring B2 Usage
|
|
Part 5: rclone — The Swiss Army Knife of Cloud Storage
rclone is a command-line tool that supports over 70 cloud storage providers with a consistent interface. Where Restic specializes in encrypted deduplicated backups, rclone specializes in raw file synchronization and cloud-to-cloud transfers.
In a complete backup strategy, rclone fills the gaps Restic doesn’t:
- Syncing a raw directory to B2 (no encryption or dedup needed — e.g., already-encrypted archives)
- Mirroring between cloud providers (B2 → Wasabi for geographic redundancy)
- Acting as a transport layer for Restic when the backend is not natively supported
- Mounting cloud storage as a local filesystem
Installation and Configuration
|
|
The rclone config wizard walks you through adding a remote. For Backblaze B2:
Type: Backblaze B2
Account: your-account-id
Key: your-application-key
This creates an entry in ~/.config/rclone/rclone.conf (or /root/.config/rclone/rclone.conf for root). Protect this file:
|
|
The config file contains your storage credentials in plaintext. Consider using rclone config password to encrypt it with a password if the host may be compromised.
Common Commands
|
|
rclone for Multi-Cloud Redundancy
Mirror your B2 bucket to a second provider (Wasabi, S3, another B2 region) for geographic redundancy:
|
|
This gives you a second cloud copy without any additional complexity in your Restic workflow. Run it weekly or nightly after your Restic backup completes.
rclone crypt: Encrypting Any Provider
If you need to use a provider that Restic doesn’t support natively, or you want a second layer of encryption, rclone’s crypt remote encrypts files transparently:
|
|
Now use b2-encrypted: like any other remote — rclone encrypts before upload, decrypts on download. You can then point Restic at this crypt remote:
|
|
Key Flags
| Flag | Effect |
|---|---|
--transfers 4 |
Parallel file transfers (increase for many small files) |
--checkers 8 |
Parallel checksum checkers |
--bwlimit 10M |
Bandwidth limit (10M = 10 MB/s) |
--dry-run |
Show what would happen without doing it |
--progress |
Real-time progress display |
--log-file /path/to/log |
Write logs to file |
--log-level INFO |
Log level (DEBUG, INFO, NOTICE, ERROR) |
--checksum |
Use checksums instead of size+mod time for comparison |
--ignore-existing |
Skip files already on destination |
Part 6: Automated Backup Scripts
The backup only runs if it’s automated. Here are production-ready scripts you can drop in and adapt.
The Core Backup Script
Save as /usr/local/bin/backup.sh, chmod 700, owned by root.
|
|
The Excludes File
# /etc/restic/excludes
*.tmp
*.log
*.pid
*.sock
*.swp
*~
.DS_Store
Thumbs.db
lost+found
proc
sys
dev
run
tmp
.Trash
.trash
Cache
cache
.cache
node_modules
.venv
__pycache__
*.pyc
.gradle
.m2
target
build
dist
.terraform
*.tfstate.backup
Systemd Timer (Preferred Over Cron)
Create the service unit at /etc/systemd/system/backup.service:
|
|
Create the timer unit at /etc/systemd/system/backup.timer:
|
|
Enable and start:
|
|
Cron Alternative
If you prefer cron or are on a system without systemd:
|
|
Part 7: Healthchecks — Knowing Your Backups Actually Ran
Automated backups fail silently. The job exits with an error, cron doesn’t email you because nobody configured mail, and you don’t notice for six months — until you need the backup.
The dead man’s switch pattern solves this: the backup pings a monitoring service on success. If the ping doesn’t arrive within the expected window, the monitoring service alerts you. Silence is the failure signal.
Healthchecks.io
Healthchecks.io is the canonical service for this pattern. Free tier allows 20 checks with 1-month log retention. It’s also open-source and self-hostable if you prefer.
Setup:
- Create an account, click New Check
- Set schedule: Daily, Grace period: 1 hour (buffer for backup duration variance)
- Copy the ping URL:
https://hc-ping.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - Add to
/etc/restic/env:export HEALTHCHECK_URL="https://hc-ping.com/your-uuid"
The backup script above uses ping_healthcheck "/start" at the beginning and ping_healthcheck "" on success. Healthchecks.io records both, letting you see backup duration over time.
For failures, the script calls ping_healthcheck "/fail" which marks the check as failed immediately rather than waiting for the deadline.
Self-Hosted Alternative: Uptime Kuma
Uptime Kuma supports push monitoring (the reverse of its primary use case). Add a push monitor, copy the URL, use it exactly like the healthchecks.io URL. Combine with its notification integrations for Slack, Discord, email, Telegram, and more.
What to Monitor
Beyond the alive/dead signal:
- Last successful backup timestamp: alert if more than 25 hours old
- Backup size trends: a sudden large increase may indicate a misconfiguration backing up unwanted data; a sudden decrease may indicate files went missing
- Repository check results: alert immediately if
restic checkexits non-zero - Storage cost trends: unusual cost spikes indicate something unexpected is being uploaded
Part 8: Testing Restores — The Step Everyone Skips
Every sysadmin who has ever been paged during a crisis because of a backup that “definitely should have worked” will tell you the same thing: test your restores on a schedule, not at 3am.
Types of Restore Tests
File restore test (weekly automation): Restore a specific file from the latest snapshot and compare its SHA-256 checksum against the live copy. This verifies the repository is readable and the data is intact.
Application restore test (monthly, manual): Restore a database dump to a staging instance and verify the application starts and data looks correct. This catches issues that a file checksum doesn’t surface — a dump that restores but contains corrupt data, a missing migration, a dependency on a config file that wasn’t included in the backup.
Full restore test (quarterly): Provision a new VM or server, restore everything from the backup, and verify all services come up correctly. Time this — that duration is your actual RTO. Document the procedure so that whoever is on-call during a real disaster has a step-by-step runbook.
Automated File Restore Test Script
Save as /usr/local/bin/test-restore.sh, add to a weekly systemd timer or cron:
|
|
Add a weekly systemd timer for this script using the same pattern as the backup timer, but scheduled for Sunday morning after the integrity check.
Running a Repository Integrity Check
|
|
Measuring Your Actual RTO
When you run your quarterly full restore test, time it explicitly:
|
|
Also time:
- Database import time
- Application startup and health check passing
- DNS propagation (if restoring to a new IP)
Document the total time. That is your actual RTO. If it exceeds your recovery objective, you have work to do — either faster storage, a parallel restore process, or a pre-provisioned warm standby.
Chaos Backup Testing
Once a year, deliberately corrupt a non-production environment and run through a full recovery. The goal is not to verify that the backup software works — it’s to verify that your runbook is complete, your credentials are accessible, and the recovery procedure works when you’re stressed and it’s the middle of the night.
Document every step that required guessing or looking something up. Those gaps are documentation debt. Fill them before the next real incident.
Part 9: What to Back Up (and What Not To)
Backing up everything wastes storage and makes restores slower. Backing up too little means you can’t recover. Here is the practical breakdown.
Back Up
- Home directories: user configs, documents, projects, SSH keys
- Application data:
/var/lib, service-specific data directories - Database dumps: always dump databases separately and pipe to Restic — don’t try to back up raw database files with the database running
- Configuration files:
/etc, application configs,.envfiles, docker-compose files - Docker named volumes:
restic backup /var/lib/docker/volumes - TLS certificates and private keys: especially if using custom PKI
- Secrets and credentials: encrypted, ideally via a secrets manager that has its own backup
- Crontabs and systemd units: the automation config that runs your systems
Don’t Back Up
- Operating system files: reinstall from scratch — it’s faster and cleaner than restoring an OS
node_modules,.venv,.gradle,target/,build/,dist/— restore from package manager- Docker image layers: pull from the registry; back up only the config that defines what to pull
- Temporary files, caches:
/tmp,~/.cache, browser caches - Your backup destination: don’t include the directory where local backups live in your backup job
- Reproducible build artifacts: anything that can be deterministically regenerated from source and a lock file
.resticignore Example (Server)
# /etc/restic/excludes — server configuration
# Package manager caches
/var/cache/apt
/var/cache/dnf
/var/cache/yum
# Logs (use a log shipper instead)
/var/log
/home/*/.pm2/logs
# Containers
/var/lib/docker/overlay2
/var/lib/docker/image
/var/lib/containerd
# Temporary
/tmp
/var/tmp
/run
# Already-offsite data
/mnt/b2
# Build artifacts
**/node_modules
**/.venv
**/target
**/dist
**/build
**/__pycache__
**/*.pyc
.resticignore Example (Developer Workstation)
# ~/.config/restic/excludes — developer workstation
# Package and build caches
node_modules
.venv
env
venv
.gradle
.m2
.ivy2
target
dist
build
__pycache__
*.pyc
*.pyo
.mypy_cache
.pytest_cache
.ruff_cache
# IDEs
.idea
*.iml
.vscode/extensions
# macOS
.DS_Store
.Spotlight-V100
.Trashes
.TemporaryItems
# Large media (back up separately or accept the loss)
~/Downloads
~/Movies
# Browser caches
*/Chrome/*/Cache
*/Firefox/*/Cache
*/Safari/Caches
# Vagrant, Docker local volumes not worth backing up
.vagrant
Part 10: Backup Strategy by System Type
Linux Server (VPS or Bare Metal)
The standard setup described throughout this guide:
- systemd timer running
backup.shat 2am - Restic to B2 with daily/weekly/monthly retention
- Database dumps piped directly to Restic stdin
- Weekly
restic check --read-data-subset=10% - Healthchecks.io for monitoring
Encryption means your VPS provider can’t read your backups. Deduplication means the second backup of a largely-unchanged system uploads in seconds.
NAS (Synology / QNAP)
Synology:
- Hyper Backup is the native solution — solid, supports B2 as a destination
- For Restic: install via Synology’s package manager or run in a Docker container
rclone syncis excellent for bulk media that doesn’t need encryption or versioning
QNAP:
- Hybrid Backup Sync supports B2 natively
- Restic available as a QPKG or Docker container
For a NAS, consider a cross-backup between two NAS units at different physical locations — each backs up to the other over WireGuard VPN, plus each backs up to B2. That gives you three copies in three locations without relying entirely on cloud.
Proxmox VMs and LXC Containers
- Proxmox Backup Server (PBS): runs on a separate machine (or VM), handles incremental VM and LXC backups, stores deduplicated snapshots
- vzdump: built-in Proxmox backup, outputs to local storage or NFS
- rclone:
rclone sync /mnt/pbs-datastore b2:my-proxmox-backupto push PBS data offsite - Per-application: inside each VM, run the standard Restic backup in addition to VM-level backups
Don’t rely solely on VM snapshots for application data. A VM snapshot at the hypervisor level does not protect against accidental deletion inside the VM, and restoring an entire VM when you only need one database table is wasteful.
Docker Compose Stacks
The key insight: your Docker Compose config is code — keep it in git. Only the named volumes contain state that isn’t reproducible.
|
|
For services that can take a hot backup:
|
|
The compose files themselves — back them up in a git repository and push to a remote (GitHub, Gitea, etc). That copy is separate from your Restic backup chain and gives you immediate access to service definitions without restoring anything.
macOS Workstation
- Time Machine: local backup to an external drive or Time Capsule — fast, easy, built-in
- Restic to B2: offsite copy of the things Time Machine has but that can’t travel home with you
|
|
Time Machine handles the “restore my entire Mac from last Tuesday” scenario. Restic handles the “my laptop was stolen and I need my SSH keys and project code on a new machine in 30 minutes” scenario.
Kubernetes
- Velero: the standard tool for Kubernetes cluster backup — backs up cluster state (all resources) and persistent volume data to S3/B2
- Application-level backups: still needed — database dumps from pods, application-specific export tools
- etcd backup: critical for control plane recovery, separate from Velero
Kubernetes adds complexity: you need to back up both the cluster state (what should be running) and the data (what your applications have stored). Velero handles the cluster state. Application-level backups handle the data.
Putting It All Together
A complete backup strategy for a Linux homelab or production server, using everything above:
| Layer | Tool | Destination | Schedule |
|---|---|---|---|
| Local encrypted backup | Restic | Local external drive or NAS | Daily |
| Offsite encrypted backup | Restic | Backblaze B2 | Daily |
| Multi-cloud mirror | rclone | Wasabi (from B2) | Weekly |
| Offline air-gap | B2 Object Lock | Same B2 bucket, locked 30 days | Always-on |
| Monitoring | Healthchecks.io | Push notification | Each backup |
| Restore verification | test-restore.sh | Automated check | Weekly |
| Full recovery drill | Manual | New VM/server | Quarterly |
Start simple: Restic to B2, a healthcheck, and a weekly file restore test. That alone puts you ahead of 90% of setups. Add the rest as your comfort and infrastructure complexity grow.
The emotional reality is that most people configure their first real backup strategy after losing data. Don’t be that person. Spend the two hours now. Run restic restore latest --target /tmp/test and verify what comes back. Then sleep better knowing that when something breaks — and it will — you have a tested path to recovery.
Further reading: Restic documentation — the official docs are unusually good. Backblaze B2 S3-compatible API — covers every endpoint and authentication detail. rclone documentation — comprehensive guides for every supported provider.
Comments