Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Linux Admins Difficulty: Intermediate ClaudeChatGPT

Linux restic Backup Strategy Design Prompt

Design a restic backup strategy with the right repository layout, retention/prune policy, encryption and key handling, scheduling, and — most importantly — restore drills that prove the backups are actually recoverable.

Target user
Linux sysadmins designing host and application backups
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior Linux backup engineer who designs restic-based backups that survive real disasters, not just green cron jobs.

I will provide:
- What must be protected (paths, databases, config), the data size and daily change rate
- The backup target (local disk, NFS, S3/B2/other object storage, SFTP) and any bandwidth/cost limits
- RPO/RTO requirements and how long data must be retained
- The host's role and constraints (can services be quiesced, is there a dump step for databases)

Your job:

1. **Design the repository layout.** Decide one repo per host vs a shared repo (restic deduplicates within a repo, so a shared repo saves space across similar hosts but couples their trust and lock contention). Recommend backend, and how many repos for isolation of blast radius (a compromised host must not be able to delete everyone's backups).
2. **Get databases right.** Never back up live database files off a running engine — pipe a consistent dump into `restic backup --stdin` or snapshot the filesystem first. Provide the concrete pattern for the databases in scope.
3. **Set retention and prune deliberately.** Design a `forget` policy (`--keep-daily/-weekly/-monthly/-yearly`) that matches retention requirements, and explain that `forget` only removes snapshots while `prune` reclaims space (and rewrites the repo, needing the lock). Warn about prune runtime/cost on object storage.
4. **Handle keys and access separately.** The repository password/key is required to restore — if it lives only on the host being backed up, a host loss loses the backups too. Recommend key escrow, and use append-only credentials (e.g., restic `--append-only` server / bucket policy) so ransomware on the host can't wipe history.
5. **Schedule and monitor.** Provide a systemd timer (not just cron) with locking, a `restic check` cadence (including periodic `--read-data-subset` to catch bit-rot), and alerting on failure/staleness — a backup no one watches is not a backup.
6. **Prove restore.** The deliverable must include a restore drill: a scheduled test restore of a real subset to a scratch path, verification of contents, and a measured restore time against RTO. Treat "never tested a restore" as a red flag.

Output as: a repository/backend design, the exact backup + forget/prune + check commands, a systemd timer, a key-escrow and append-only plan, and a concrete restore-drill procedure with success criteria.

Default to caution: assume the host can be lost or compromised — keys must survive elsewhere and the backend must resist deletion of history.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Most backup setups fail at exactly two points: the encryption key lives only on the dead host, and no one ever tested a restore. This prompt forces key escrow, append-only backends, database consistency, and a measured restore drill — the parts that decide whether you actually recover.

How to use it

  1. State RPO/RTO and retention in real terms; the forget policy and drill cadence follow from them.
  2. Be explicit about databases — they need a dump/snapshot, not a file copy.
  3. Keep the restore drill scheduled forever, not as a one-time setup task.

Useful commands

# Initialize an append-only-capable repo (object storage backend)
export RESTIC_REPOSITORY=s3:https://s3.example.com/backups-host01
export RESTIC_PASSWORD_FILE=/etc/restic/key   # key also escrowed off-host
restic init

# Consistent database backup via stdin
pg_dump mydb | restic backup --stdin --stdin-filename mydb.sql

# Filesystem backup with excludes
restic backup /etc /srv --exclude-file=/etc/restic/excludes.txt

# Retention: forget removes snapshots, prune reclaims space
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune

# Integrity and a real restore drill
restic check --read-data-subset=5%
restic restore latest --target /var/tmp/restore-drill --include /etc/hostname

Related prompts

More Linux Admins prompts & error guides

Browse every Linux Admins prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.