Backups (restic, duplicity...)

4 min

Backups are essential for disaster recovery but they are not trivial to manage. Using Garage as your backup target will enable you to scale your storage as needed while ensuring high availability.

Borg Backup

Borg Backup is very popular among the backup tools but it is not yet compatible with the S3 API. We recommend using any other tool listed in this guide because they are all compatible with the S3 API. If you still want to use Borg, you can use it with rclone mount.


git-annex supports synchronizing files with its S3 special remote.

Note that git-annex requires to be compiled with Haskell package version aws-0.24 to work with Garage.

garage key new --name my-key
garage bucket create my-git-annex
garage bucket allow my-git-annex --read --write --key my-key

Register your Key ID and Secret key in your environment:


Within a git-annex enabled repository, configure your Garage S3 endpoint with the following command:

git annex initremote garage type=S3 encryption=none host=my-garage-instance.mydomain.tld protocol=https bucket=my-git-annex requeststyle=path region=garage signature=v4

Files can now be synchronized using the usual git-annex copy or get commands.

Note that for simplicity - this example does not enable encryption for the files sent to Garage - please refer to the git-annex encryption page for how to configure this.


Create your key and bucket:

garage key create my-key
garage bucket create backups
garage bucket allow backups --read --write --key my-key

Then register your Key ID and Secret key in your environment:


Configure restic from environment too:

export RESTIC_REPOSITORY="s3:http://localhost:3900/backups"

echo "Generated password (save it safely): $(openssl rand -base64 32)"
export RESTIC_PASSWORD=xxx # copy paste your generated password here

Do not forget to save your password safely (in your password manager or print it). It will be needed to decrypt your backups.

Now you can use restic:

# Initialize the bucket, must be run once
restic init

# Backup your PostgreSQL database
# (We suppose your PostgreSQL daemon is stopped for all commands)
restic backup /var/lib/postgresql

# Show backup history
restic snapshots

# Backup again your PostgreSQL database, it will be faster as only changes will be uploaded
restic backup /var/lib/postgresql

# Show backup history (again)
restic snapshots

# Restore a backup
# (79766175 is the ID of the snapshot you want to restore)
mv /var/lib/postgresql /var/lib/postgresql.broken
restic restore 79766175 --target /var/lib/postgresql

Restic has way more features than the ones presented here. You can discover all of them by accessing its documentation from the link below.

Files on Android devices can also be backed up with restic-android.

External links: Restic Documentation > Amazon S3


External links: Duplicity > man (scroll to "URL Format" and "A note on Amazon S3")


External links: Duplicati Documentation > Storage Providers

The following fields need to be specified:

Storage Type: S3 Compatible
Use SSL: [ ] # Only if you have SSL
Server: Custom server url (s3.garage.localhost:3900)
Bucket name: bucket-name
Bucket create region: Custom region value (garage) # Or as you've specified in garage.toml
AWS Access ID: Key ID from "garage key info key-name"
AWS Access Key: Secret key from "garage key info key-name"
Client Library to use: Minio SDK

Click Test connection and then no when asked The bucket name should start with your username, prepend automatically?. Then it should say Connection worked!.


External links: Knoxite Documentation > Storage Backends


External links: Kopia Documentation > Repositories

To create the Kopia repository, you need to specify the region, the HTTP(S) endpoint, the bucket name and the access keys. For instance, if you have an instance of garage running on

kopia repository create s3 --region=garage --bucket=mybackups --access-key=KEY_ID --secret-access-key=SECRET_KEY

Or if you have an instance running on localhost, without TLS:

kopia repository create s3 --region=garage --bucket=mybackups --access-key=KEY_ID --secret-access-key=SECRET_KEY --endpoint=localhost:3900 --disable-tls

After the repository has been created, check that everything works as expected:

kopia repository validate-provider

You can then run all the standard kopia commands: kopia snapshot create, kopia mount... Everything should work out-of-the-box.