The backup software "restic" (https://restic.net) earns its tagline "Backups done right!" as a safe and easy cross-platform command-line utility for backing up file systems.
It is not a “single namespace” kind of client like s3cmd or rclone, where the named streams in Swarm match the names of the original files. Restic stores all directories and files in 5MB deduped and client-side encrypted blobs. While it uses the S3 protocol it does not use S3 multipart uploads. It does not support compression (https://github.com/restic/restic/issues/21) or adjustable block sizes (https://github.com/restic/restic/issues/1071).
As you’d expect restic performs incremental backups and lets you make and recover snapshots and tags.
By default the encryption keys are kept on the server alongside the data, so you don’t have to worry about managing those keys. But the keys are encrypted with a password you enter when you run "restic init". Remember this is warrant-proof storage — if you forget the password you won’t be able to recover any backups!
A killer feature on Linux and macOS is that restic lets you mount your backups to a local virtual (FUSE) directory. This lets you e.g. verify your backup by mounting it then doing a simple recursive diff.
Restic configuration is via environment variables for the access key, secret key, and domain endpoint.