Restic Backup for Windows Client

2021 Feb 21 - Brian Kloppenborg

Completing my series on restic backup solutions, this post describes how to automate Restic backups on Windows. The technique I present below uses Windows Task Scheduler to automatically execute a PowerShell script at a designated time. The primary script and its configuration are kept as separate files to permit use of the configuration in both interactive and non-interactive modes.

Configuration file

The configuration file, config.ps1 mirrors the setup I’ve used on my Linux systems in previous posts. The configuration file specifies the username, password, repository, and server for the rest-server where the backups are hosted. This information is used to construct the RESTIC_REPOSITORY environmental variable. The user also has to specify the password for the restic database. On Linux systems the RESTIC_PASSWORD variable can be populated from a keying query. I haven’t figured out if there is an equivalent command on Windows.

The configuration file appears as follows:

$REST_USER=""
$REST_PASS=""
$REST_REPO=""
$REST_SERV=""
    
# Restic repository credentials
$Env:RESTIC_REPOSITORY="rest:http://${REST_USER}:${REST_PASS}@${REST_SERV}:8000/${REST_REPO}"
$Env:RESTIC_PASSWORD=""

Personally I don’t like this format because both the username and password for the REST API will be transmitted in clear text, but that is a limitation of how I have my server configured.

Backup Script

The backup script is quite simple. It loads the configuration file, and calls the restic executable that is presumed to reside in the same directory as the script itself:

# load the configuration file
. $PSScriptRoot\config.ps1

# indicate the script is running
Write-Output "Running Restic backup script for $env:UserName from $PSScriptRoot"

# start the backup script
Start-Process "$PSScriptRoot\restic.exe" -Wait -NoNewWindow `
    -ArgumentList "backup C:\Users\$env:UserName\"

Note that the use of -Wait and -NoNewWindow makes the restic output appear in the PowerShell window when the script executes. If that is not desirable, you can also redirect stdout and stderr to files. See the Start-Process documentation for further details.

Enable PowerShell scripts

Next we need to permit the scripts to execute. By default, Windows (10+) disables the execution of all PowerShell scripts for security reasons. According to the documentation of Set-ExecutionPolicy we can change the execution policy for individual scripts using the Unblock-File command. To do so, open a PowerShell window as administrator, cd into the relevant directory, and issue the following commands:

Unblock-File -Path .\config.ps1
Unblock-File -Path .\restic-backup.ps1

Automate execution using Task Scheduler

The last step in this process is to automate the execution of the above script using Windows Task Scheduler. There are several tutorials online that discuss how to use this tool so I won’t repeat those items here. The key points are that you need to create a “Start a Program” action with the following command and arguments:

Command: powershell.exe
Arguments: -NonInteractive -NoLogo -NoProfile -Command C:\Users\...\restic-backup.ps1

where you will need to populate the ellipsis (…) with the relevant path. Once complete, try executing the script manually. If it fails to execute you may wish to add the -NoExit parameter to the argument list to keep the PowerShell window from closing.