Backup & Recovery with Restic on Blimp + ZS3 Server
A Step-by-Step Guide to Encrypted, Deduplicated Snapshots and Daily Restores
Last updated
A Step-by-Step Guide to Encrypted, Deduplicated Snapshots and Daily Restores
Last updated
In this guide, we’ll show you how to leverage Blimp’s intuitive UI alongside the ZS3 Server S3-compatible gateway to build a robust, versioned backup and recovery pipeline for your business. Blimp lets you spin up and manage Züs allocations with a few clicks, while ZS3 Server translates those allocations into standard S3 endpoints—so you can keep using your favorite tools (AWS CLI, MinIO Client, Restic, etc.) without learning anything new.
By combining ZS3 Server’s decentralized, blockchain-anchored storage with Restic’s source-dedupe, encryption, and versioning, Blimp delivers an enterprise-grade backup solution that is standards-based (S3 API), auditable, performant, and cost-effective. This solution would be helpful for small-to-mid-size businesses and enterprises running Linux servers that need daily, off-site backups.
Step 1: Navigate to the S3 Tab
Open the Blimp UI and navigate to the S3 tab. Click on the Create New Allocation button to start the process of setting up a new allocation.
Step 2: Fill in Allocation Details
In the form that appears, enter the required details about your allocation.
Once all fields are completed, click the Confirm button to proceed.
Step 3: Select Storage Providers
By default, Blobbers are automatically chosen based on geodiversity. Optionally, manually select up to five sharded providers if needed.
After finalizing your provider selection, click on the Pay with USD button. Or if you want to pay in ZCN, click the text "Pay with ZCN" located to the right of the header.
Step 4: Complete Payment (in ZCN)
You can pay using ZCN from your existing balance. If you do not have sufficient ZCN in your wallet, you have the option to purchase more ZCN by connecting your Metamask or Coinbase wallet.
Upon successful payment, the allocation with be created.
Your ZS3 gateway needs to run on a machine that:
Has a publicly reachable IP
Runs a Linux distro (Ubuntu, Debian, CentOS, Amazon Linux, etc.)
Allows SSH access on port 22 (for deploying the script)
Has ports 80 & 443 open (so Caddy can obtain and serve TLS certificates)
Has Key Pairs to enable access into SSH
Firewall rules for HTTP(S)
Inbound
TCP
22
YOUR·IP/32
SSH (from your location)
Inbound
TCP
80
0.0.0.0/0, ::/0
HTTP (for ACME HTTP-01)
Inbound
TCP
443
0.0.0.0/0, ::/0
HTTPS (Caddy + S3 gateway)
Outbound
ALL
ALL
0.0.0.0/0, ::/0
Allow your instance to reach the Internet for Docker pulls, ACME, etc.
In this example, we use an AWS EC2 Instance:
AMI: Ubuntu Server 22.04 LTS (HVM)
Instance: t3.medium (2 vCPU, 4GB RAM)
Storage: 20 GiB root + 50–100 GiB gp3 data volume
Find your server's IP address. In AWS, go to the EC2 Instance Dashboard. Select the instance you are using and look for the Public IPv4 address in your Details>Instance Summary.
Step 2: Generate the Script
Click "Manage Allocations". Find the allocation you would like to work with and click the ellipses at the last column of your allocation row. Once drop down opens, click "Setup".
Enter your server's IP address in the provided field within the Blimp UI. Click on the Generate Script button.
A modal will then pop out to set the password for the S3 deployment. This will be used to access your Blimp S3 server allocation
Note you cannot use special characters in this password. It will cause future errors such as : "The request signature we calculated does not match the signature you provided. Check your key and signing method."
Step 3: Execute the Script
Start by accessing your server using your key pair .pem or .ppk file. As an example, you can ssh into your terminal by typing:
Once inside, copy the cURL Script from the S3 server setup page. Looks something like this:
Run the script on your server terminal
Once the script runs successfully, Blimp will automatically detect your server and guide you to the next step.
If you clear your browser cache (or use private/incognito mode) and click Setup again for the same allocation, Blimp will generate a brand-new deployment script. That script won’t match your existing ZS3 Server, so you’ll have to run it again on your host and effectively redeploy the gateway.
Tip: Only run Setup once per allocation—unless you want to reset and redeploy your server.
Create a Bucket: Select Create Bucket from the Type of Request menu.
Enter your desired bucket name. Click on Run cURL Request.
The response will be displayed in the right-hand panel.
List Existing Buckets: Choose Buckets from the List Operations section under the Type of Request menu. Click on Run cURL Request to view the list of buckets.
Note: The ZS3 gateway embeds your wallet credentials when you deploy it. If you later add that wallet to Vault for split-key management (or make any other change to it), your existing cURL/API credentials will no longer match and requests will fail. To fix this, simply go back to the allocation "setup", regenerate the deploy script, and run it again so the gateway picks up your updated wallet.
When you generate and execute the deployment script using Blimp, it provides an endpoint URL for accessing your deployed ZS3 server. This endpoint is dynamically configured within the curl command.
Going back to the script you used to deploy the ZS3 server, the script includes various parameters such as authentication credentials, location IDs, and domain configurations.
In the provided example, the executed command is:
In your cURL code, look for the "blimpdomain".
This indicates that blimp8fbfl.zus.network is the assigned ZS3 endpoint for your deployed ZS3 instance.
Restic is an open-source, cross-platform CLI tool that creates encrypted, deduplicated snapshots of local files and stores them on S3-compatible backends. In this section, we will use Restic to initialize a repository on our Blimp + ZS3 Server endpoint, run daily backups of our server data, and demonstrate restoring from those snapshots.
To get started, make sure you are still within your Linux server. Using the terminal, we will update your apt function then install restic for your current OS release:
Afterwards, download the newest official Restic binary from GitHub. It will verify its signature and replace the /usr/bin/restic with the fresh build:
The output should look like this :
When seeing "successfully updated restic to version x.xx.x", you have properly installed restic.
The ACCESS_KEY is your blimp username and the SECRET_KEY is the password recorded when generating the deployment script.
If you do not recall them, you can go back to the "Conduct S3 operations" page and look at your "Using CLI" cURL. It may look something like this:
At the end of the cURL you can see two items:
accessKey = rikachet ---> ACCESS_KEY
secretAccessKey = MySecretPa55word ---> SECRET_KEY
You can extract your ACCESS_KEY and SECRET_KEY from here.
Inside of your server terminal, or in this case the AWS EC2 instance, run each line separately:
To initiate a new restic repository, use:
Following this, you will be prompted to create a password. Note, this will be your password for RESTIC_PASSWORD and will be used to access your repository.
When completed, you will see:
Please note that knowledge of your restic password is required to access the repository. Losing your password means your data is irrecoverably lost.
To run a back up for a specific directory on your server, you will need your blimp endpoint and the path to your directory you would like to back up.
If successfully backed up, you will see a similar output as the following:
You can also check your blimp allocation for the snapshot by going into your s3 allocation "Home" > your bucket > snapshots. You should be able to see your snapshots here.
To check your snapshots through your server terminal, you can run this:
Paste your restic password. Once the script is complete, you may see an output like this:
Create a small wrapper script (e.g. /home/ubuntu/run-restic-backup.sh) :
Make it executable:
Edit your crontab:
Add this line to run it at 2 AM daily :
Verify your crontab:
The output should show your crontab entries.
If you want to restore your latest snapshot saved in blimp, run this line:
The output should look similar to this :
That is it! Congrats on backing up and recovering with Restic on Blimp and ZS3 Server!
By completing this step, you have successfully deployed the ZS3 server, created the S3-compatible allocation, and performed basic S3 operations. To learn more about the ZS3 server, check out the docs .
If you're interested in using Veeam for backup instead, check out the steps !
