Merge pull request #5389 from fronesis47/patch-3

Update passwords section of FAQ
rawtaz
2025-05-11 20:35:20 +02:00
committed by GitHub


@@ -110,9 +110,8 @@ How can I specify encryption passwords automatically?
When you run ``restic backup``, you need to enter the passphrase on When you run ``restic backup``, you need to enter the passphrase on
the console. This is not very convenient for automated backups, so you the console. This is not very convenient for automated backups, so you
can also provide the password through the ``--password-file`` option, or one of can also provide the password through the ``--password-file`` option, or one of
the environment variables ``RESTIC_PASSWORD`` or ``RESTIC_PASSWORD_FILE``. the environment variables: ``RESTIC_PASSWORD``, ``RESTIC_PASSWORD_FILE``,
A discussion is in progress over implementing unattended backups happens in or ``RESTIC_PASSWORD_COMMAND``.
:issue:`533`.
.. important:: Be careful how you set the environment; using the env .. important:: Be careful how you set the environment; using the env
command, a `system()` call or using inline shell command, a `system()` call or using inline shell
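Review bot: The rewritten sentence now lists ``RESTIC_PASSWORD_COMMAND`` among the environment variables, but the option side still names only ``--password-file``. restic also accepts ``--password-command``, so the sentence should mention both options to stay symmetric with the three variables. The colon in "one of the environment variables: ``RESTIC_PASSWORD``, ..." also reads awkwardly after "one of"; dropping it keeps the sentence parallel with the option clause before it.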
@@ -124,10 +123,33 @@ A discussion is in progress over implementing unattended backups happens in
`accessible only to that user`_. Please make sure that `accessible only to that user`_. Please make sure that
the permissions on the files where the password is the permissions on the files where the password is
eventually stored are safe (e.g. `0600` and owned by eventually stored are safe (e.g. `0600` and owned by
root). root). Note also that ``RESTIC_PASSWORD_COMMAND`` is
safe because it does not export the password itself to
the environment.
.. _accessible only to that user: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009 .. _accessible only to that user: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009
On platforms with an available keychain, keyring or similar secret store, a
user can add and then dynamically retrieve passwords, cloud credentials,
repository paths, or any other data deemed sensitive. Here's an example of
part of a shell script using the `built-in`_ ``security`` command on macOS
to retrieve credentials from the system's Keychain before running various
``restic`` commands:
.. _built-in: https://ss64.com/mac/security.html
::
export GOOGLE_PROJECT_ID=$(security find-generic-password -a resticGCS -s restic_project_ID -w)
export GOOGLE_APPLICATION_CREDENTIALS=$(security find-generic-password -a resticGCS -s restic_key -w)
export RESTIC_REPOSITORY=$(security find-generic-password -a resticGCS -s restic_repo_path -w)
export RESTIC_PASSWORD_COMMAND='security find-generic-password -a resticGCS -s restic_pwd -w'
How to prioritize restic's IO and CPU time How to prioritize restic's IO and CPU time
------------------------------------------ ------------------------------------------
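Review bot: The sentence added to the ``.. important::`` block, "``RESTIC_PASSWORD_COMMAND`` is safe because it does not export the password itself to the environment", overstates the guarantee. The variable keeps the password out of the environment, but the command string itself is still there, and the protection then depends on the access controls of whatever that command reads. Suggest wording along the lines of "avoids placing the password itself in the environment" rather than an unqualified "safe". In the same hunk, the first three ``export`` lines of the macOS example do put the Keychain-retrieved values (``restic_project_ID``, ``restic_key``, ``restic_repo_path``) into the environment, which is the exposure the note warns about. A sentence after the example should say that only the ``RESTIC_PASSWORD_COMMAND`` line defers retrieval to restic and that the other values are visible to the process environment.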