diff --git a/borgmatic/config/schema.yaml b/borgmatic/config/schema.yaml index 847ca6f5..f5782b7d 100644 --- a/borgmatic/config/schema.yaml +++ b/borgmatic/config/schema.yaml @@ -231,7 +231,10 @@ properties: key. Only use on repositories that were initialized with passcommand/repokey/keyfile encryption. Note that if both encryption_passcommand and encryption_passphrase are set, then - encryption_passphrase takes precedence. Defaults to not set. + encryption_passphrase takes precedence. This can also be used to + access encrypted systemd service credentials (see "https://torsion\ + .org/borgmatic/docs/how-to/provide-your-passwords/#using-systemd-\ + service-credentials"). Defaults to not set. example: "secret-tool lookup borg-repository repo-name" encryption_passphrase: type: string diff --git a/docs/how-to/provide-your-passwords.md b/docs/how-to/provide-your-passwords.md index 320c7778..8abf9131 100644 --- a/docs/how-to/provide-your-passwords.md +++ b/docs/how-to/provide-your-passwords.md 
@@ -29,6 +29,37 @@ For example, to ask the *Pass* password manager to provide the passphrase: encryption_passcommand: pass path/to/borg-repokey ``` +### Using systemd service credentials + +Borgmatic supports using encrypted [credentials](https://systemd.io/CREDENTIALS/). + +Save your password as an encrypted credential to `/etc/credstore.encrypted/borgmatic.pw`, e.g., + +``` +# systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgmatic.pw +``` + +Note that the name `borgmatic.pw` is hardcoded in the systemd service file. + +If you use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g., + +``` +# mkdir /etc/credstore.encrypted/borgmatic +# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_backupserver1 - /etc/credstore.encrypted/borgmatic/backupserver1 +# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_pw2 - /etc/credstore.encrypted/borgmatic/pw2 +... +``` +Ensure that the file names, (e.g. `backupserver1`) match the corresponding part of +the `--name` option *after* the underscore (_). The `borgmatic` folder is hardcoded in the systemd service file. + +Then uncomment or use one of the following in your configuration file. Adjust `borgmatic_backupserver1` +according to the name given to the credential. + +```yaml +encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw" +encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1" +``` + ### Environment variable interpolation New in version 1.6.4 borgmatic diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service index 3ec9710e..80165be7 100644 --- a/sample/systemd/borgmatic.service +++ b/sample/systemd/borgmatic.service 
@@ -9,6 +9,10 @@ ConditionACPower=true [Service] Type=oneshot +# Load encrypted credentials. +LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/ +LoadCredentialEncrypted=borgmatic.pw + # Security settings for systemd running as root, optional but recommended to improve security. You # can disable individual settings if they cause problems for your use case. For more details, see # the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
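Review bot: in the schema.yaml hunk, the URL is split across three lines with trailing backslashes; unless the `description` value is a double-quoted scalar, YAML keeps those backslashes literally, so the generated help/docs would show a broken link (`https://torsion\ .org/...`). Keep the URL on a single line even if it exceeds the column limit, or drop the link and just name the docs section ("see the 'Using systemd service credentials' section of the passwords how-to").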
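Review bot: in the provide-your-passwords.md hunk, the final YAML block lists `encryption_passcommand:` twice, which is a duplicate key and will not load as written; since the text says "uncomment or use one of the following", show them as two separate blocks or comment one out (`# encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1"`). Those examples also only work because borgmatic interpolates `${CREDENTIALS_DIRECTORY}` itself (the "Environment variable interpolation" section that follows), and the variable is only set while running under the systemd unit, so say both explicitly and add a "New in version X.Y.Z" line like the neighbouring sections carry. Minor: stray comma in "file names, (e.g. `backupserver1`)", and the project spells itself "borgmatic" in lowercase elsewhere in this file.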
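Review bot: in the borgmatic.service hunk, both `LoadCredentialEncrypted=` lines are enabled unconditionally in the sample unit, but most users will have neither `/etc/credstore.encrypted/borgmatic.pw` nor the `borgmatic/` directory; please confirm the unit still starts when the referenced credentials are absent, and if it does not, ship the lines commented out (the comment "# Load encrypted credentials." could say they are optional and point at the docs). `LoadCredentialEncrypted=` and the directory form that yields `borgmatic_<filename>` IDs are only available on newer systemd releases, so the sample and the docs should state the minimum systemd version; `ImportCredential=borgmatic*` (newer still) would avoid the hardcoded names, if that version floor is acceptable.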