System Backup and Restore on MikroTik RouterOS

System Backup and Restore on MikroTik RouterOS

RouterOS Version: 7.x+ Difficulty: Beginner Estimated Time: 20 minutes

TL;DR (Quick Start)

For the impatient: here’s the 30-second version.

# Create encrypted backup
/system backup save name=router-backup password=SecureBackupPassword123

# Restore from backup (router will reboot)
/system backup load name=router-backup password=SecureBackupPassword123

Overview

System backup and restore in RouterOS provides two fundamentally different approaches to configuration management: binary backups for complete system cloning and text exports for selective configuration sharing. Understanding when and how to use each method is critical for effective network management and disaster recovery.

This guide explains both approaches, their strengths and limitations, and the essential practices that separate reliable backup strategies from data loss disasters.

The Two Backup Paradigms

1. Binary Backup (.backup files)

A binary backup creates a complete snapshot of the router’s configuration in RouterOS’s internal format. It’s designed for exact restoration to the same device.

Use when: You need to restore the complete configuration to the same router model after hardware failure, RouterOS corruption, or before major changes.

2. Text Export (.rsc files)

A text export generates human-readable RouterOS commands that recreate specific parts of the configuration. It’s designed for selective restoration and cross-device migration.

Use when: You need to copy specific configurations between different devices, create templates, or maintain version-controlled configuration snippets.

The Critical Difference

Binary backups preserve everything including MAC addresses, certificates, and device-specific data, but only work reliably on the same RouterOS version and similar hardware.

Text exports are portable and version-flexible but exclude sensitive data like passwords, certificates, and some system-specific settings.

Understanding RouterOS Backup Architecture

RouterOS stores configuration in multiple layers:

Key insight: Binary backups capture the complete state, while exports only capture user-modified configuration. Default system entries (marked with * flag) are recreated automatically on import.

Binary Backup Deep Dive

Encryption and Security

Since RouterOS v6.43, backup encryption behavior changed significantly:

• No password provided: Backup is unencrypted (major security risk)
• Password provided: Backup encrypted with AES-256-SHA256
• Legacy RC4: Available for compatibility with older versions (insecure)

What’s Included vs. Excluded

Included in binary backup:

• Complete router configuration
• User accounts (usernames only, not passwords)
• Interface settings and IP configuration
• All RouterOS package configurations
• Device MAC addresses and identity
• Installed certificates and keys

Excluded from binary backup:

• The Dude database (separate export required)
• User Manager database (separate export required)
• Log files and temporary data
• Package files themselves (.npk files)

Version Compatibility

Binary backups are version-sensitive:

• Same version: Full compatibility guaranteed
• Minor version difference: Usually works but test thoroughly
• Major version difference: High risk of failure or corruption
• Downgrade: Generally not supported

Configuration Steps

This section demonstrates creating and restoring a basic encrypted backup.

Step 1: Create Encrypted Backup

Create a backup with strong encryption:

/system backup save name=router-backup password=SecureBackupPassword123

Step 2: Verify Backup Creation

Check that the backup file was created successfully:

/file print where name~"backup"

Verification

Confirm the backup was created and is properly encrypted:

/file print where name~"router-backup"

Expected Output:

# NAME                TYPE     SIZE      CREATION-TIME
0 router-backup.backup backup   15.2KiB   jan/09/2026 10:30:15

Check backup details:

/system backup print

Advanced Backup Strategies

Automated Backup with Email

Set up automatic daily backups sent via email:

# Configure email settings
/tool e-mail set address=smtp.gmail.com port=587 tls=yes user=your-email@gmail.com password=app-password

# Create backup script
/system script add name=daily-backup source={
    /system backup save name=("backup-" . [/system clock get date])
    :delay 5s
    /tool e-mail send to=admin@company.com subject="Daily Backup" body="Daily backup attached" file=("backup-" . [/system clock get date] . ".backup")
}

# Schedule daily execution
/system scheduler add name=backup-schedule start-time=02:00:00 interval=1d on-event=daily-backup

Cloud Backup Integration

RouterOS v6.44+ supports MikroTik Cloud backup:

# Enable cloud backup (requires MikroTik account)
/ip cloud set ddns-enabled=yes update-time=yes
/ip cloud backup-settings set enabled=yes

Multi-Device Backup Strategy

For managing multiple routers:

# Standardized naming convention
/system backup save name=([/system identity get name] . "-" . [/system clock get date]) password=CompanyBackupPassword2024

# Include device info in filename
/system backup save name=([/system routerboard get model] . "-" . [/system identity get name] . "-" . [/system clock get date])

Text Export Strategies

Selective Configuration Export

Export specific configuration sections:

# Export only firewall configuration
/ip firewall export file=firewall-config

# Export only interface configuration
/interface export file=interface-config

# Export everything except sensitive data
/export file=full-config show-sensitive=no

Template Creation

Create reusable configuration templates:

# Export base configuration for new sites
/export compact file=site-template show-sensitive=no

# Export specific service configurations
/ip dhcp-server export file=dhcp-template
/routing ospf export file=ospf-template

Version Control Integration

Export configurations for version control:

# Create timestamped exports
/export file=("config-" . [/system clock get date] . "-" . [/system clock get time]) compact show-sensitive=no

# Export with verbose comments for documentation
/export file=config-documented verbose

Restoration Procedures

Binary Backup Restoration

Critical: Always test restoration on non-production devices first.

# Load backup (router will reboot automatically)
/system backup load name=router-backup password=SecureBackupPassword123

# Confirm restoration
Restore and reboot? [y/N]: y

Post-restoration checklist:

1. Verify all interfaces are operational
2. Check routing table and connectivity
3. Confirm services are running (DHCP, DNS, etc.)
4. Validate firewall rules are active
5. Test remote access methods

Text Export Import

# Import complete configuration
/import file-name=full-config.rsc

# Import with verbose mode for debugging
/import file-name=config.rsc verbose=yes

# Dry-run import to check for errors
/import file-name=config.rsc verbose=yes dry-run=yes

Selective Import

Import only specific sections:

# Reset to defaults first (optional)
/system reset-configuration no-defaults=yes skip-backup=yes

# Import base configuration
/import file-name=base-config.rsc

# Import site-specific settings
/import file-name=site-specific.rsc

Disaster Recovery Scenarios

Complete Hardware Failure

1. Obtain replacement hardware (same model recommended)
2. Install matching RouterOS version
3. Restore from binary backup:

   /system backup load name=latest-backup password=YourPassword

4. Update device-specific settings if hardware differs
5. Verify all functionality

RouterOS Corruption

1. Boot from Netinstall if necessary
2. Install clean RouterOS
3. Restore configuration:

   /system backup load name=pre-corruption-backup

Partial Configuration Loss

1. Identify affected sections
2. Import selective exports:

   /import file-name=firewall-backup.rsc
   /import file-name=routing-backup.rsc

Cross-Platform Migration

When moving to different hardware:

1. Export configuration from old device:

   /export file=migration-config compact show-sensitive=no

2. Review and edit .rsc file for hardware differences
3. Import to new device:

   /import file-name=migration-config.rsc verbose=yes

4. Reconfigure device-specific settings

Security Best Practices

Backup Encryption

Always encrypt backups containing sensitive data:

# Use strong, unique passwords
/system backup save name=secure-backup password=ComplexPassword123!@#

# Verify encryption
/file print detail where name~"backup"

Secure Storage

• Local storage: Store on secure, encrypted media
• Network storage: Use encrypted protocols (SFTP, not FTP)
• Cloud storage: Use MikroTik Cloud or encrypted third-party services
• Physical security: Protect backup media from unauthorized access

Access Control

# Limit backup access to specific users
/user group add name=backup-admins policy=read,write,policy,test,password,sniff,sensitive,romon

# Create dedicated backup user
/user add name=backup-user group=backup-admins password=BackupUserPassword

Backup Verification

Regularly test backup integrity:

# Test restore on lab device
/system backup load name=test-backup password=TestPassword

# Verify export syntax
/import file-name=test-export.rsc dry-run=yes verbose=yes

Troubleshooting

”Backup file is corrupted”

Causes:

• Interrupted backup process
• Storage media failure
• File transfer corruption

Solutions:

1. Recreate backup from source device
2. Use file integrity checking during transfers
3. Maintain multiple backup copies

”Cannot restore backup - version mismatch”

Causes:

• RouterOS version incompatibility
• Hardware platform differences

Solutions:

1. Upgrade/downgrade RouterOS to match backup version
2. Use text export instead of binary backup
3. Manually recreate configuration on target version

”Import failed - command not found”

Causes:

• Missing RouterOS packages
• Version-specific command differences
• Syntax errors in .rsc file

Solutions:

1. Install required packages before import
2. Edit .rsc file to remove incompatible commands
3. Use verbose import to identify specific failures

”Lost access after restore”

Causes:

• IP address conflicts
• Firewall rule blocking access
• Interface configuration mismatch

Solutions:

1. Connect via serial console
2. Reset to defaults and restore incrementally
3. Use safe mode during restoration testing

Backup Validation Checklist

Pre-Backup Verification

• Router is stable and fully configured
• All services are operational
• No pending configuration changes
• Sufficient storage space available

Post-Backup Verification

• Backup file created successfully
• File size is reasonable (not 0 bytes)
• Backup is encrypted (if password provided)
• Backup stored in secure location

Restoration Testing

• Test restore on lab device
• Verify all interfaces come up
• Check routing and connectivity
• Validate service functionality
• Confirm security policies active

Common Configurations Reference

Basic Backup Script

/system script add name=create-backup source={
    :local backupname ("backup-" . [/system identity get name] . "-" . [/system clock get date])
    /system backup save name=$backupname password=YourSecurePassword
    :log info ("Backup created: " . $backupname)
}

Scheduled Export

/system script add name=weekly-export source={
    :local exportname ("export-" . [/system clock get date])
    /export file=$exportname compact show-sensitive=no
    :log info ("Export created: " . $exportname)
}
/system scheduler add name=weekly-export-schedule start-time=03:00:00 interval=7d on-event=weekly-export

Emergency Reset Script

/system script add name=emergency-reset source={
    :log warning "Emergency reset initiated"
    /system backup save name=emergency-backup password=EmergencyPassword
    :delay 5s
    /system reset-configuration skip-backup=yes
}

Related Topics

Before Making Changes

• User Management - ensure proper access
• IP Address Configuration - document current addressing

Automation

• Scheduler - automate regular backups
• Email Tool - email backup notifications

Related System Topics

• RouterOS Package Installation - backup before upgrades
• Reset Configuration - restore to defaults
• Logging - track backup operations

References

• MikroTik Backup Documentation
• Configuration Management
• MikroTik Cloud Services
• File Management