🩺 Vitals
- 🟢 Last active: 2026-07-15
- 📦 Latest release: v0.19.1 (2026-07-05)
- 🐞 Open issues: 552
- 🌟 Stars: 35k
What do these metrics mean?
- Last active: when code was last pushed, as of our last check. The dot is green when that was recent, grey otherwise. A long gap can mean a tool is finished and stable, not only unmaintained.
- Latest release: the most recent tagged, packaged version the maintainers published. Not every healthy project tags releases.
- Open issues: unresolved reports and requests. A high number is normal for a popular project and is not a warning on its own.
- Stars: how many people bookmarked the project on its forge. A rough popularity signal, not a measure of quality.
🏗️ Profile
- Official: restic.net
- Source: github.com/restic/restic
- License: BSD-2-Clause
- Deployment: Single Binary
- Data Model: Content-addressed encrypted repository (AES-256, deduplicated)
- Jurisdiction: Germany 🇩🇪, EU 🇪🇺 (Community Project)
- Compliance (SaaS): N/A (No SaaS offering)
- Compliance (Self-Hosted): GDPR Ready | HIPAA Eligible
- Complexity: Low (2/5) - Single static binary, CLI-driven, no daemon or database
- Maintenance: Low (2/5) - Simple binary updates; restore-testing and prune discipline is the real work
- Enterprise Ready: Moderate (3/5) - Encryption, WORM/append-only and dedup are built in; scheduling, GUI and central management need wrappers
1. The Executive Summary
What is it? Restic is a command-line backup program that encrypts and deduplicates data on the client before a single byte leaves the machine, then writes it to a storage backend you choose: S3, Backblaze B2, Azure, Google Cloud, SFTP, a self-hosted REST server, or a local disk. Because encryption is client-side and zero-knowledge, the backend stores only ciphertext it cannot read, and because deduplication is content-defined, repeated backups store only changed blocks. Higher-level platforms build on this engine: the Kubernetes operator K8up is built directly on restic, and Velero can use it as a volume data mover. Restic itself is the de facto standard for modern Linux and server backups.
The Strategic Verdict:
- 🔴 For Teams Wanting a Turnkey Console: Caution. Restic is an engine, not a managed product. Scheduling, a web dashboard, multi-user roles and reporting are not built in — you script them with cron and systemd, or adopt a wrapper such as Backrest or Relica. Teams expecting a single pane of glass out of the box should budget for that layer.
- 🟢 For Sovereign, Encrypted Backup Across Mixed Storage: Strong Buy. Restic encrypts and deduplicates client-side, holds the keys with you, and targets almost any backend on the same open repository format. With no per-agent licensing and immutable append-only mode for ransomware resistance, it is the pragmatic backbone for backing up servers, workstations and data you cannot afford to lose to a vendor.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Veeam (Proprietary) | Restic (Self-Hosted) |
|---|---|---|
| Licensing | Per-instance or per-socket subscription | BSD-2, no license fee, no agent count limit |
| Backup Storage | Your storage, vendor-guided | Any backend you own: S3, B2, SFTP, local disk |
| Encryption | Tiered across editions | AES-256, client-side, your keys, always on |
| Lock-in | Proprietary backup format and catalog | Open repository format, restore anywhere, no vendor |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Restic ships as a single static binary for Linux, macOS, Windows and BSD, packaged in most distributions and available as a container image. Basic use needs no server or database: you initialize a repository on a storage backend and run backups. For immutable, multi-client setups, the companion
rest-serveradds an--append-onlyREST backend so clients can write new snapshots but cannot delete existing ones. - Scalability: Content-defined deduplication keeps repository growth and bandwidth low even across hundreds of machines writing to a shared backend. Retention is governed by
forgetandprunepolicies, and integrity is verified withcheck. The real operational discipline is scheduling prunes and regularly testing restores — a backup that has never been restored is a hypothesis, not a guarantee.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & Backend Inheritance: Restic is a German-originated community project under a permissive BSD-2 license, outside US CLOUD Act reach at the source. But as a local CLI tool with no vendor control plane, the jurisdiction that actually matters is wherever you point the repository — a restic backup to a US hyperscaler bucket inherits that bucket's jurisdiction. Client-side encryption is the mitigation: the provider holds only ciphertext it cannot decrypt, so a foreign-government data request yields nothing usable. Data residency of the backend itself remains your design choice.
- The Compliance Shift: Restic supplies strong technical primitives for GDPR Ready and HIPAA Eligible backups: AES-256 encryption, a zero-knowledge key model, and WORM-style immutability through append-only mode or S3 Object Lock. The boundary is sharp. Restic secures the data at rest and in transit, but access controls, key management, audit logging and restore validation are entirely your responsibility. A backup repository is a complete copy of everything you hold, which makes it a high-value target that warrants the same governance as production systems.
- License & Governance: License risk is nil. BSD-2-Clause is fully permissive — no copyleft, no network clause, no commercial restriction — and there is no open-core split: every feature, including encryption and append-only WORM, lives in the one free binary. The honest caveat is structural rather than legal. Stewardship rests with a small maintainer team led by the original author, not a neutral foundation such as the CNCF or Apache. The large community and permissive license make a community fork trivially possible if maintenance ever lapsed, but there is no foundation backstop in place today.
4. Market Landscape
🏢 Proprietary Incumbents
- Veeam: The enterprise backup standard, licensed per instance or socket. Teams adopt restic to escape per-agent subscription costs and to keep backups in storage and formats they fully control, accepting a CLI engine in place of Veeam's managed console.
- Acronis Cyber Protect: An all-in-one backup-and-security suite with per-workload licensing and a proprietary vault. Restic trades the bundled console and endpoint security bolt-ons for a free, scriptable engine and an open, portable repository format.
🤝 Open Source Ecosystem
- Kopia: The closest peer and the standard cross-shop. Kopia matches restic's model (client-side encryption, deduplication, many backends) but adds a built-in desktop GUI and a multi-client server, where restic stays a pure CLI engine. Reach for Kopia when a graphical or multi-user workflow matters; restic when scriptable minimalism does.
- Plakar: A younger, EU-domiciled entrant built on the immutable Kloset format. Plakar leads with immutability-by-design and a paid control plane for fleet management; restic is the more mature, fully-open, community-governed choice.