Simple Encrypted Backups on Hetzner with Restic

Your server is a collection of important bits: configuration files, code, user uploads, and maybe a database. Losing any of it can be catastrophic. Most people know they should have backups, but they often set up something complicated that breaks, or they do nothing at all.

There is a simple, modern way to handle backups. It is a tool called Restic. It is fast, secure, and easy to automate. This guide will show you how to set up robust, encrypted backups for your Hetzner server using Restic and a Hetzner Storage Box.

What is Restic

Restic is a backup program that is smart about how it stores your data. It does three things very well.

First, it encrypts everything before it leaves your server. This means your data is unreadable to anyone without your password, even the storage provider.

Second, it deduplicates your data. When you run a backup, Restic only uploads the parts of files that have changed. This saves a lot of space and makes subsequent backups very fast.

Third, it organizes backups into snapshots. A snapshot is a point-in-time view of your data. You can have many snapshots and easily browse or restore files from any of them.

Your Hetzner Storage Box

You need a place to store your backups. You should not store them on the same server you are backing up. If the server fails, your backups fail with it.

Hetzner offers a cheap and reliable product called a Storage Box. It is basically a large amount of storage you can access over various protocols like SFTP or Samba. We will use SFTP because it is secure and Restic supports it natively.

Go to your Hetzner account and order a Storage Box. Once it is active, find the login details. You will need the server address, your username, and your password. You should also enable SSH support in the Storage Box settings if it is not already on.

Installing and Initializing Restic

First, you need to install Restic on your server. On most Linux systems like Debian or Ubuntu, you can install it with the package manager.

sudo apt update
sudo apt install restic

Next, you need to create a backup repository. This is the directory on your Storage Box where Restic will store all the encrypted data. You only do this once.

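You will need to set your repository location and password as environment variables. This is better than typing them on the command line, where they might be saved in your shell history. The export lines below are commands too, so make sure they are not left in your history either, for example by clearing them from it afterwards. The root-only file used for automation later in this guide avoids the problem.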

Replace uXXXXXX with your Storage Box username and server address.

export RESTIC_REPOSITORY='sftp:uXXXXXX@uXXXXXX.your-storagebox.de:./my-server-backups'
export RESTIC_PASSWORD='your-very-strong-password'

Now initialize the repository.

restic init

Restic will connect to your Storage Box, create the repository, and confirm it is ready. Keep your password safe. If you lose it, you lose your backups.

Your First Backup

Now you can back up a directory. Let’s say you want to back up all your configuration files in /etc and your web application code in /var/www.

The backup command is simple.

restic backup /etc /var/www

Restic will scan the directories, encrypt the data, and upload it. The first backup will be slow because it has to upload everything. Subsequent backups will be much faster.

You can see a list of all your snapshots with the snapshots command.

restic snapshots

This will show you a list of backups with an ID, a time, and the paths that were included.

Automating Backups with a Script and Cron

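Backups are only useful if they happen regularly. The best way to do this is with a cron job that runs a simple script. Cron runs without a terminal, so nobody can answer an SSH password prompt: the SFTP login to the Storage Box must work non-interactively for root, which in practice means an SSH key.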

First, create a file to hold your secrets so you do not have to put them directly in your script. Create the /etc/restic directory if it does not exist yet.

sudo mkdir -p /etc/restic
sudo nano /etc/restic/env

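Add your repository and password to this file. The export keyword matters: without it, the variables are set in the script's shell but are not passed on to the restic process.

export RESTIC_REPOSITORY='sftp:uXXXXXX@uXXXXXX.your-storagebox.de:./my-server-backups'
export RESTIC_PASSWORD='your-very-strong-password'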

Make sure this file is only readable by root.

sudo chmod 600 /etc/restic/env

Now create the backup script itself.

sudo nano /usr/local/bin/run-backup.sh

Put the following content in the script. This script loads the environment variables and runs the backup command.

#!/bin/bash
set -e

# Load environment variables
source /etc/restic/env

# Backup important directories
restic backup /etc /var/www /root

# Clean up old snapshots according to a policy
# This keeps the latest 7 daily, 4 weekly, and 12 monthly snapshots
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune

echo "Backup finished successfully"

The restic forget command is important. It cleans up old snapshots so your repository does not grow forever. The --prune option reclaims the space from the forgotten snapshots.

Make the script executable.

sudo chmod +x /usr/local/bin/run-backup.sh

Finally, create a cron job to run this script every night. Open the root crontab editor.

sudo crontab -e

Add this line to run the script at 2:30 AM every day.

30 2 * * * /usr/local/bin/run-backup.sh > /var/log/backup.log 2>&1

This will run your backup and save the output to a log file. You should check this log file occasionally to make sure everything is working.
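Two checks around this automation, as an added example that is not part of the original guide: one refuses a secrets file that another account could have written (root sources it, so write access to it is root code execution), the other tests that the cron log is recent and ends with the script's success message. The function names and the 26-hour freshness threshold are assumptions.

```shell
#!/bin/sh
# Added example. check_env_file and backup_log_ok are hypothetical helper names.

# Refuse to source a secrets file that is a symlink, is owned by a different
# account than the one running the script, or has any group/other permission bit.
# ACLs are not examined here.
check_env_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    # ls -ldn prints: mode string, link count, numeric owner uid, ...
    read -r mode links uid rest <<EOF
$(ls -ldn -- "$f")
EOF
    if [ "$uid" != "$(id -u)" ]; then
        echo "$f: owned by uid $uid, expected $(id -u)" >&2; return 1
    fi
    case $mode in
        -???------*) return 0 ;;   # e.g. -rw------- (chmod 600)
        *) echo "$f: mode $mode is too open, use chmod 600" >&2; return 1 ;;
    esac
}

# Succeed only if the cron log was written recently and its last line is the
# success message. With "set -e" in run-backup.sh, a failed restic command
# stops the script before that message is printed.
backup_log_ok() {
    log=$1
    max_age_min=${2:-1560}   # 26 hours: one nightly run plus slack (assumed)
    [ -f "$log" ] || { echo "$log: missing" >&2; return 1; }
    if [ -z "$(find "$log" -mmin "-$max_age_min")" ]; then
        echo "$log: older than $max_age_min minutes" >&2; return 1
    fi
    case $(tail -n 1 "$log") in
        *"Backup finished successfully"*) return 0 ;;
        *) echo "$log: last run did not finish" >&2; return 1 ;;
    esac
}
```

In run-backup.sh, `check_env_file /etc/restic/env || exit 1` would go directly before the `source` line; `backup_log_ok /var/log/backup.log` is meant for a separate monitoring job that alerts on a non-zero exit status.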

Restoring Files

Backups are useless if you cannot restore them. Restic makes this easy.

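Let’s say you accidentally deleted /etc/nginx/nginx.conf. To restore it, you can use the restore command. You need to specify a snapshot ID. Use latest to get the most recent one. You also need a target directory where the file will be restored. The --include option limits the restore to that one file; --path would not work here, because it selects snapshots by the paths that were backed up rather than choosing files inside a snapshot.

restic restore latest --target /tmp --include /etc/nginx/nginx.conf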

This will restore the file to /tmp/etc/nginx/nginx.conf. You can then inspect it and copy it back to its original location.

This setup gives you automated, encrypted, and efficient backups stored safely off-site. It takes less than an hour to configure and gives you peace of mind.

Now think about your own server. What’s the one directory you would back up first?

— Rishi Banerjee
September 2025