Backup & Recovery with Restic on Blimp + ZS3 Server
A Step-by-Step Guide to Encrypted, Deduplicated Snapshots and Daily Restores
In this guide, we’ll show you how to leverage Blimp’s intuitive UI alongside the ZS3 Server S3-compatible gateway to build a robust, versioned backup and recovery pipeline for your business. Blimp lets you spin up and manage Züs allocations with a few clicks, while ZS3 Server translates those allocations into standard S3 endpoints—so you can keep using your favorite tools (AWS CLI, MinIO Client, Restic, etc.) without learning anything new.
By combining ZS3 Server’s decentralized, blockchain-anchored storage with Restic’s source-dedupe, encryption, and versioning, Blimp delivers an enterprise-grade backup solution that is standards-based (S3 API), auditable, performant, and cost-effective. This solution would be helpful for small-to-mid-size businesses and enterprises running Linux servers that need daily, off-site backups.
Create an S3 Allocation
Step 1: Navigate to the S3 Tab
Open the Blimp UI and navigate to the S3 tab. Click on the Create New Allocation button to start the process of setting up a new allocation.

Step 2: Fill in Allocation Details
In the form that appears, enter the required details about your allocation.
Once all fields are completed, click the Confirm button to proceed.

Step 3: Select Storage Providers
By default, Blobbers are automatically chosen based on geodiversity. Optionally, manually select up to five sharded providers if needed.
After finalizing your provider selection, click on the Pay with USD button. Or if you want to pay in ZCN, click the text "Pay with ZCN" located to the right of the header.

Step 4: Complete Payment (in ZCN)
You can pay using ZCN from your existing balance. If you do not have sufficient ZCN in your wallet, you have the option to purchase more ZCN by connecting your Metamask or Coinbase wallet.


Upon successful payment, the allocation with be created.
Deploy your Blimp ZS3 Gateway
Step 0: Have Access to a Public-facing Linux Server
Your ZS3 gateway needs to run on a machine that:
Has a publicly reachable IP
Runs a Linux distro (Ubuntu, Debian, CentOS, Amazon Linux, etc.)
Allows SSH access on port 22 (for deploying the script)
Has ports 80 & 443 open (so Caddy can obtain and serve TLS certificates)
Has Key Pairs to enable access into SSH
Firewall rules for HTTP(S)
Inbound
TCP
22
YOUR·IP/32
SSH (from your location)
Inbound
TCP
80
0.0.0.0/0, ::/0
HTTP (for ACME HTTP-01)
Inbound
TCP
443
0.0.0.0/0, ::/0
HTTPS (Caddy + S3 gateway)
Outbound
ALL
ALL
0.0.0.0/0, ::/0
Allow your instance to reach the Internet for Docker pulls, ACME, etc.
In this example, we use an AWS EC2 Instance:
AMI: Ubuntu Server 22.04 LTS (HVM)
Instance: t3.medium (2 vCPU, 4GB RAM)
Storage: 20 GiB root + 50–100 GiB gp3 data volume
Step 1: Identify your IP address
Find your server's IP address. In AWS, go to the EC2 Instance Dashboard. Select the instance you are using and look for the Public IPv4 address in your Details>Instance Summary.

Step 2: Generate the Script
Click "Manage Allocations". Find the allocation you would like to work with and click the ellipses at the last column of your allocation row. Once drop down opens, click "Setup".

Enter your server's IP address in the provided field within the Blimp UI. Click on the Generate Script button.

A modal will then pop out to set the password for the S3 deployment. This will be used to access your Blimp S3 server allocation

Note you cannot use special characters in this password. It will cause future errors such as : "The request signature we calculated does not match the signature you provided. Check your key and signing method."
Step 3: Execute the Script
Start by accessing your server using your key pair .pem or .ppk file. As an example, you can ssh into your terminal by typing:
ssh -i ~/.ssh/yourkey.pem ubuntu@your-ec2-public-ip
Once inside, copy the cURL Script from the S3 server setup page. Looks something like this:
curl -fSsL https://raw.githubusercontent.com/0chain/zcnwebappscripts/main/blimp.sh | sed 's/0chainminiousername/<blimp-username>/; s/0chainminiopassword/MySecretPa55word/; s/0chainallocationid/<s3-allocation-id>/; s/0chainblockworker/https:\/\/mainnet.zus.network\/dns\//; s/0chainminiotoken/12345/; s/blimpdomain/blimp8fbfl.zus.network/; s/0chainwalletid/<wallet-id>/; s/0chainwalletpublickey/<public-key>/; s/0chainwalletprivatekey/<private-key>/; s/0chainmnemonics/<mnemonic-if-not-using-split-key>/ '| bash

Run the script on your server terminal

Once the script runs successfully, Blimp will automatically detect your server and guide you to the next step.
If you clear your browser cache (or use private/incognito mode) and click Setup again for the same allocation, Blimp will generate a brand-new deployment script. That script won’t match your existing ZS3 Server, so you’ll have to run it again on your host and effectively redeploy the gateway.
Tip: Only run Setup once per allocation—unless you want to reset and redeploy your server.
Step 4: Create a Bucket
Create a Bucket: Select Create Bucket from the Type of Request menu.

Enter your desired bucket name. Click on Run cURL Request.

The response will be displayed in the right-hand panel.

List Existing Buckets: Choose Buckets from the List Operations section under the Type of Request menu. Click on Run cURL Request to view the list of buckets.

By completing this step, you have successfully deployed the ZS3 server, created the S3-compatible allocation, and performed basic S3 operations. To learn more about the ZS3 server, check out the docs here.
Note: The ZS3 gateway embeds your wallet credentials when you deploy it. If you later add that wallet to Vault for split-key management (or make any other change to it), your existing cURL/API credentials will no longer match and requests will fail. To fix this, simply go back to the allocation "setup", regenerate the deploy script, and run it again so the gateway picks up your updated wallet.
Extract Blimp ZS3 Server Endpoint
When you generate and execute the deployment script using Blimp, it provides an endpoint URL for accessing your deployed ZS3 server. This endpoint is dynamically configured within the curl
command.
Going back to the script you used to deploy the ZS3 server, the script includes various parameters such as authentication credentials, location IDs, and domain configurations.
In the provided example, the executed command is:
curl -fSsL https://raw.githubusercontent.com/0chain/zcnwebappscripts/main/blimp.sh | sed 's/0chainminiousername/<blimp-username>/; s/0chainminiopassword/MySecretPa55word/; s/0chainallocationid/<s3-allocation-id>/; s/0chainblockworker/https:\/\/mainnet.zus.network\/dns\//; s/0chainminiotoken/12345/; s/blimpdomain/blimp8fbfl.zus.network/; s/0chainwalletid/<wallet-id>/; s/0chainwalletpublickey/<public-key>/; s/0chainwalletprivatekey/<private-key>/; s/0chainmnemonics/<mnemonic-if-not-using-split-key>/ '| bash
In your cURL code, look for the "blimpdomain".
s/blimpdomain/blimp8fbfl.zus.network/;
This indicates that blimp8fbfl.zus.network
is the assigned ZS3 endpoint for your deployed ZS3 instance.
Restic is an open-source, cross-platform CLI tool that creates encrypted, deduplicated snapshots of local files and stores them on S3-compatible backends. In this section, we will use Restic to initialize a repository on our Blimp + ZS3 Server endpoint, run daily backups of our server data, and demonstrate restoring from those snapshots.
Backup with Restic
Step 1: Install Restic
To get started, make sure you are still within your Linux server. Using the terminal, we will update your apt
function then install restic
for your current OS release:
sudo apt update -y
sudo apt install restic -y
Afterwards, download the newest official Restic binary from GitHub. It will verify its signature and replace the /usr/bin/restic
with the fresh build:
sudo restic self-update
The output should look like this :
Output
writing restic to /usr/bin/restic
find latest release of restic at GitHub
latest version is 0.19.0
download SHA256SUMS
download SHA256SUMS.asc
GPG signature verification succeeded
download restic_0.18.0_linux_amd64.bz2
downloaded restic_0.18.0_linux_amd64.bz2
saved 29765816 bytes in /usr/bin/restic
successfully updated restic to version 0.18.0
When seeing "successfully updated restic to version x.xx.x", you have properly installed restic
.
Step 2: Get Environment Variables
The ACCESS_KEY is your blimp username and the SECRET_KEY is the password recorded when generating the deployment script.
If you do not recall them, you can go back to the "Conduct S3 operations" page and look at your "Using CLI" cURL. It may look something like this:
curl -X GET https://blimp8fbfl.zus.network/minioclient/?action=listBuckets&accessKey=rikachet&secretAccessKey=MySecretPa55word

At the end of the cURL you can see two items:
accessKey = rikachet ---> ACCESS_KEY
secretAccessKey = MySecretPa55word ---> SECRET_KEY
You can extract your ACCESS_KEY and SECRET_KEY from here.
Step 3: Set Environment Variables
Inside of your server terminal, or in this case the AWS EC2 instance, run each line separately:
export AWS_ACCESS_KEY_ID=<ACCESS_KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export RESTIC_REPOSITORY="s3:https://<endpoint>/<blimp-bucket>"
## An example of what it could look like ##
export AWS_ACCESS_KEY_ID=rikachet
export AWS_SECRET_ACCESS_KEY=MySecretPa55word
export RESTIC_REPOSITORY="s3:https://blimp8fbfl.zus.network/s3-backup-recovery"
Step 4: Initialize the Repository
To initiate a new restic repository, use:
restic init
Following this, you will be prompted to create a password. Note, this will be your password for RESTIC_PASSWORD and will be used to access your repository.
When completed, you will see:
Output
created restic repository XXXXXXXXXX at s3:https://<endpoint>/<blimp-bucket>
Please note that knowledge of your restic password is required to access the repository. Losing your password means your data is irrecoverably lost.
Step 5: Run a Backup
To run a back up for a specific directory on your server, you will need your blimp endpoint and the path to your directory you would like to back up.
restic -r s3:https://<endpoint>/<blimp-bucket> --verbose backup <path-to-directory-to-be-backedup>
If successfully backed up, you will see a similar output as the following:
Output
...
processed X files, XXX MiB in X:XX
snapshot 2a6902ec saved

You can also check your blimp allocation for the snapshot by going into your s3 allocation "Home" > your bucket > snapshots. You should be able to see your snapshots here.

Step 6: List Snapshots
To check your snapshots through your server terminal, you can run this:
restic -r s3:https://<endpoint>/<bucket> snapshots
Paste your restic password. Once the script is complete, you may see an output like this:

Step 7: Automate via Crontab (Optional)
Create a small wrapper script (e.g. /home/ubuntu/run-restic-backup.sh) :
#!/bin/bash
set -euo pipefail
# Environment
export AWS_ACCESS_KEY_ID=<Access-Key>
export AWS_SECRET_ACCESS_KEY=<Secret-Key>
export RESTIC_REPOSITORY="s3:https://<endpoint>/<bucket>"
export RESTIC_PASSWORD='your-restic-password'
# Backup command
/usr/bin/restic backup /home/ubuntu/test-files
Make it executable:
chmod +x /home/ubuntu/run-restic-backup.sh
Edit your crontab:
crontab -e
Add this line to run it at 2 AM daily :
0 2 * * * /home/ubuntu/run-restic-backup.sh
Verify your crontab:
crontab -l
The output should show your crontab entries.
Step 8: Restore Snapshot
If you want to restore your latest snapshot saved in blimp, run this line:
restic \
-r s3:https://<endpoint>/<bucket> \
--verbose \
restore latest \
--target <path-to-directory>
The output should look similar to this :
Output
repository 3f44df87 opened (version 2, compression level auto)
[0:00] 100.00% 1 / 1 index files loaded
restoring snapshot 2a6902ec of [/home/ubuntu/test-files] at 2025-04-29 21:02:01.044981857 +0000 UTC by ubuntu@ip-172-31-15-36 to /home/ubuntu/restore-test
Summary: Restored 7 files/dirs (113.679 MiB) in 0:02
That is it! Congrats on backing up and recovering with Restic on Blimp and ZS3 Server!
If you're interested in using Veeam for backup instead, check out the steps here!
Last updated