Backup public ssh keys but do not backup private ssh keys

I’m trying to create a backup of the /home filesystem. Basically, I do need the whole filesystem, but not the private ssh keys. So I run something like restic backup /home and I’d like to exclude some files.

  • --exclude=".ssh" … excludes too much
  • --exclude=".ssh/*.pub" … probably excludes the wrong files (I’d like to backup the pub keys)

So what I need is a way to specify: Do a backup of everything but skip those files not ending with .pub
when within a .ssh folder. Is this possible somehow?

I don’t think you can do that easily as it is now using just excludes. You could build a list of files and feed it to --files-from* but that will give you a different set of paths when the files change so it’s not ideal. Using excludes isn’t something where I see how you’d do this without hardcoding the private key filenames, except if you try the PR below:

One option, that would be great if you could try, is to use the PR at filter: ability to use negative patterns by vincentbernat · Pull Request #2311 · restic/restic · GitHub . With it I imagine that you could exclude something like !$HOME/.ssh/*.pub, !$HOME/.ssh/config and !$HOME/.ssh/authorized_keys which should let you back up the *.pub, config and authorized_keys files in that folder (note that everything else would be excluded, in case you have more files than those and the private key ones).


Hey @rawtaz , I compiled a restic version which includes the PR you mentioned. I’ve created an exclusion pattern file containing these lines:


It works as expected for me: For all .ssh folders, all files are skipped for the backup with the exception of .pub, config and authorized_keys. They are included in the backup. Exactly what I want.

Now I’d vote for the PR to be included into mainline :wink:

Thx! Best regards, Uli


Hey, nice work building this yourself, and I’m glad it worked out. Yes, the PR will be included eventually.