I installed YunoHost on a VPS a long time ago. I only have the backups from my VPS provider (1 per day for 7 days), but I now want to have another backup, because it’s what I was supposed to do long ago already.
I have an S3 storage available and I would like to use rclone (because I have little knowledge about this tool, but this is more than any other backup tool) to make my backups. But since I’m not supposed to trust my S3 provider, I also would like to encrypt my data before sending it to my bucket. How would you do this?
Another question that comes to me is what backups should I keep? I have in mind to keep all backups from the last week, 1 backup per week for the last month, 1 backup per month for the last year and 1 backup per year. Is that a good idea? If so, how to implement it? Is it better to use a script, or can rclone handle such things for me?
I would suggest using Restic instead of rclone for your use case. Restic is a proper backup tool (not just a sync tool like rclone), and it ticks all your boxes:
Encryption: Restic encrypts all data by default with AES-256, so you don’t need to trust your S3 provider. You just need to keep your passphrase safe.
S3 support: Restic natively supports S3 as a backend.
Retention policy: Restic has a built-in forget command with flags like --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --keep-yearly 3 → which is exactly the policy you described.
Deduplication: Restic deduplicates data across snapshots, so keeping many backups doesn’t use as much storage as you might think.
YunoHost has an official restic_ynh package that integrates with YunoHost’s backup system. It handles everything automatically (scheduling via cron, email alerts on failure, etc.).
Using rclone would require you to script everything yourself (backup creation, encryption via rclone crypt, retention management, error handling…), which is doable but much more fragile and harder to maintain.
I’ve just set up Restic with Yunohost, and it works well. Thank you a lot.
The thing I don’t see is where I can set the forget command. In the advanced configuration I can only set env vars. Should I manually change the service?
This file gets deployed to /etc/yunohost/hooks.d/backup_method/05-restic_app during installation. So you should already have a retention policy in place without any manual action.
That said, from what I can see in the code:
These values are hardcoded, not configurable through the web admin
There’s no --keep-yearly option, which was part of your original plan
There’s no --prune flag, meaning old data isn’t automatically cleaned up from the repository (only the snapshot references are removed). You might need to run restic prune manually from time to time to reclaim disk space → see restic’s documentation on this
You can check the logs in /var/log/restic/backup.log to confirm the forget policy is being applied after your backups.
Again, I’m just reading the source code here → someone more familiar with the package might correct me!
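The retention policy discussed in this thread (--keep-daily 7 --keep-weekly 4 --keep-monthly 12 --keep-yearly 3), as an added example that is not part of the original posts and is not restic's or restic_ynh's own code: a simplified Python model of how a keep-N-per-period policy picks snapshots, run over a constructed history of one snapshot per day. It assumes periods are calendar days, ISO weeks, months and years, with the newest snapshot of each period kept, and it shows which snapshot is lost when the yearly rule is absent.

```python
from datetime import date, timedelta

# Bucket keys: scanning newest to oldest, a snapshot is kept by a rule the
# first time its period key is seen, so the newest snapshot of each period wins.
BUCKETS = {
    "daily": lambda d: (d.year, d.month, d.day),
    "weekly": lambda d: tuple(d.isocalendar())[:2],  # (ISO year, ISO week)
    "monthly": lambda d: (d.year, d.month),
    "yearly": lambda d: (d.year,),
}

def apply_policy(snapshots, **keep):
    """Return {snapshot_date: [rules that kept it]} for retained snapshots.

    keep: count per rule, e.g. daily=7, weekly=4 (0 or absent disables a rule).
    Anything not in the result is what a forget run would drop.
    """
    remaining = {name: keep.get(name, 0) for name in BUCKETS}
    last_key = {name: None for name in BUCKETS}
    kept = {}
    for snap in sorted(snapshots, reverse=True):
        for name, key_of in BUCKETS.items():
            key = key_of(snap)
            if remaining[name] > 0 and key != last_key[name]:
                last_key[name] = key
                remaining[name] -= 1
                kept.setdefault(snap, []).append(name)
    return kept

def constructed_history(last_day, days):
    """Constructed sample input: one snapshot per day, ending on last_day."""
    return [last_day - timedelta(days=i) for i in range(days)]

if __name__ == "__main__":
    history = constructed_history(date(2024, 6, 15), 4 * 365)
    full = apply_policy(history, daily=7, weekly=4, monthly=12, yearly=3)
    no_yearly = apply_policy(history, daily=7, weekly=4, monthly=12)
    for snap in sorted(full, reverse=True):
        note = "" if snap in no_yearly else "   <- lost without keep-yearly"
        print(snap, ",".join(full[snap]) + note)
    print(len(history), "snapshots ->", len(full), "kept,",
          len(no_yearly), "without keep-yearly")
```

The rules overlap: one snapshot can satisfy several of them, so the number retained is smaller than the sum of the keep counts.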