Hi,

is an unencrypted connection to a remote (S3) repository unsafe?
Does restic first pull the whole encrypted metadata onto the server and before decrypt it (if cache is disabled)?

Thanks in advanced

restic encrypts/decrypts all data in the client - the server (and everything in between) only sees encrypted data. Using an unencrypted connection exposes your login credentials but not the backup itself.