Backup Strategies: The 3-2-1 Rule with Restic and Rclone
Implement bulletproof backups using the 3-2-1 rule. Covers restic for incremental encrypted backups, rclone for cloud sync, verification testing, and...
The 3-2-1 Backup Rule
Every backup strategy should follow the 3-2-1 rule:
- 3 copies of your data
- 2 different storage media
- 1 offsite copy
Server infrastructure: production and staging environments connected via VLAN with offsite backups.
This protects against hardware failure (redundant copies), media failure (different types), and disasters like fire or theft (offsite).
Restic: Encrypted Incremental Backups
Restic is a modern backup tool that creates encrypted, deduplicated, incremental backups. Think of it as what rsync would be if redesigned today.
Installation
Get more insights on Cloud Infrastructure
Join 2,000+ engineers who get our weekly deep-dives. No spam, unsubscribe anytime.
# Ubuntu/Debian
sudo apt install restic
# Or download the latest binary
wget https://github.com/restic/restic/releases/download/v0.17.3/restic_0.17.3_linux_amd64.bz2
bunzip2 restic_0.17.3_linux_amd64.bz2
chmod +x restic_0.17.3_linux_amd64
sudo mv restic_0.17.3_linux_amd64 /usr/local/bin/restic
Initialize a Repository
# Local repository
restic init --repo /backups/restic-repo
# S3/MinIO repository
export AWS_ACCESS_KEY_ID=your-key
export AWS_SECRET_ACCESS_KEY=your-secret
restic init --repo s3:https://s3.example.com/backups
# SFTP repository
restic init --repo sftp:user@backup-server:/backups/restic
Backup Operations
# Backup a directory
restic -r /backups/restic-repo backup /var/lib/docker/volumes
# Backup with exclusions
restic -r /backups/restic-repo backup /home \
--exclude="*.tmp" \
--exclude=".cache" \
--exclude="node_modules" \
--exclude=".git"
# Backup Docker volumes with tags
restic -r /backups/restic-repo backup \
/var/lib/docker/volumes/postgres_data \
/var/lib/docker/volumes/gitea_data \
--tag docker-volumes
Database replication: the primary handles writes while replicas serve read queries via WAL streaming.
Snapshot Management
You might also like
# List snapshots
restic -r /backups/restic-repo snapshots
# Restore the latest snapshot
restic -r /backups/restic-repo restore latest --target /restore/
# Restore specific paths
restic -r /backups/restic-repo restore latest \
--target /restore/ \
--include "/var/lib/docker/volumes/postgres_data"
# Mount snapshots as a browseable filesystem
mkdir /mnt/restic
restic -r /backups/restic-repo mount /mnt/restic
Retention Policy
# Keep: 7 daily, 4 weekly, 6 monthly, 2 yearly
restic -r /backups/restic-repo forget \
--keep-daily 7 \
--keep-weekly 4 \
--keep-monthly 6 \
--keep-yearly 2 \
--prune
Rclone: Sync to Any Cloud
Rclone is rsync for cloud storage. It supports 70+ providers including S3, Backblaze B2, Google Drive, and SFTP.
Sync Operations
# Sync local restic repo to Backblaze B2
rclone sync /backups/restic-repo backblaze:my-backup-bucket/restic \
--transfers 4 \
--checkers 8 \
--progress
# Sync with bandwidth limit (useful for residential connections)
rclone sync /backups backblaze:my-bucket \
--bwlimit 10M \
--progress
Complete Backup Script
Free Resource
Free Cloud Architecture Checklist
A 47-point checklist covering security, scalability, cost optimization, and disaster recovery for production cloud environments.
#!/bin/bash
# backup-full.sh — Complete 3-2-1 backup implementation
set -euo pipefail
RESTIC_REPO="/backups/restic-repo"
RESTIC_PASSWORD_FILE="/etc/restic-password"
RCLONE_REMOTE="backblaze:my-backup-bucket"
export RESTIC_REPOSITORY="\$RESTIC_REPO"
export RESTIC_PASSWORD_FILE
echo "[\$(date)] Starting backup..."
# Step 1: Database dumps
docker exec postgres pg_dumpall -U postgres > /tmp/all-databases.sql
# Step 2: Restic backup (Copy 1 - local)
restic backup /var/lib/docker/volumes /mnt/projects /tmp/all-databases.sql \
--tag automated --exclude="node_modules"
# Step 3: Apply retention
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
# Step 4: Verify integrity
restic check --read-data-subset=5%
# Step 5: Offsite sync (Copy 2 - cloud)
rclone sync "\$RESTIC_REPO" "\$RCLONE_REMOTE/restic" --transfers 4
# Step 6: Cleanup
rm -f /tmp/all-databases.sql
echo "[\$(date)] Backup complete"
Cloud to self-hosted migration can dramatically reduce infrastructure costs while maintaining full control.
Disaster Recovery Testing
A backup you have never tested is not a backup. Schedule monthly restore tests:
#!/bin/bash
# test-restore.sh
RESTORE_DIR="/tmp/restore-test-\$(date +%Y%m%d)"
mkdir -p "\$RESTORE_DIR"
restic restore latest --target "\$RESTORE_DIR"
ACTUAL_FILES=\$(find "\$RESTORE_DIR" -type f | wc -l)
echo "Restored \$ACTUAL_FILES files successfully"
rm -rf "\$RESTORE_DIR"
At TechSaaS, we follow the 3-2-1 rule religiously. Our infrastructure has automated daily backups with restic, offsite sync to cloud storage via rclone, and ZFS snapshots for instant rollback. We run restore tests weekly and have recovered from failures in under 10 minutes.
Need bulletproof backup infrastructure? Contact [email protected].
Related Service
Cloud Solutions
Let our experts help you build the right technology strategy for your business.
Need help with cloud infrastructure?
TechSaaS provides expert consulting and managed services for cloud infrastructure, DevOps, and AI/ML operations.
We Will Build You a Demo Site — For Free
Like it? Pay us. Do not like it? Walk away, zero complaints. You will spend way less than hiring developers or any agency.
No spam. No contracts. Just a free demo.