merge one and multiple passwords
This commit is contained in:
parent
aefc9d61ba
commit
75119f4044
@ -233,9 +233,10 @@ properties:
|
||||
encryption_passcommand and encryption_passphrase are set, then
|
||||
encryption_passphrase takes precedence. Defaults to not set.
|
||||
This can also be used to access encrypted systemd service
|
||||
credentials (stored in /etc/credstore.encrypted/borgpw/).
|
||||
credentials (stored as "/etc/credstore.encrypted/borgpw", or as
|
||||
files in "/etc/credstore.encrypted/borg/").
|
||||
example: "secret-tool lookup borg-repository repo-name"
|
||||
example: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver1"
|
||||
example: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
|
||||
encryption_passphrase:
|
||||
type: string
|
||||
description: |
|
||||
|
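Review bot: the examples in this description cover only the single-credential form, `cat ${CREDENTIALS_DIRECTORY}/borgpw`, although the text now also mentions files in "/etc/credstore.encrypted/borg/". Consider adding an example for the directory form that uses the same naming as the documentation, such as `cat ${CREDENTIALS_DIRECTORY}/borg_backupserver1`, and one sentence stating that the credential name is the folder name, an underscore, then the file name. Without that, a reader of the schema alone cannot work out what to pass to `cat` for a file stored under `borg/`.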
@ -33,23 +33,32 @@ encryption_passcommand: pass path/to/borg-repokey
|
||||
|
||||
Borgmatic supports using encrypted [credentials](https://systemd.io/CREDENTIALS/).
|
||||
|
||||
Save your passwords as encrypted credentials to `/etc/credstore.encrypted/borgpw/`, e.g.,
|
||||
Save your password as an encrypted credential to `/etc/credstore.encrypted/borgpw`, e.g.,
|
||||
|
||||
```
|
||||
# mkdir /etc/credstore.encrypted/borgpw
|
||||
# systemd-ask-password -n | systemd-creds encrypt --name=borgpw_backupserver1 - /etc/credstore.encrypted/borgpw/backupserver1
|
||||
# systemd-ask-password -n | systemd-creds encrypt --name=borgpw_backupserver2 - /etc/credstore.encrypted/borgpw/backupserver2
|
||||
# systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgpw
|
||||
```
|
||||
|
||||
Note that the name `borgpw` is hardcoded in the systemd service file.
|
||||
|
||||
|
||||
If you use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borg/`, e.g.,
|
||||
|
||||
```
|
||||
# mkdir /etc/credstore.encrypted/borg
|
||||
# systemd-ask-password -n | systemd-creds encrypt --name=borg_backupserver1 - /etc/credstore.encrypted/borg/backupserver1
|
||||
# systemd-ask-password -n | systemd-creds encrypt --name=borg_pw2 - /etc/credstore.encrypted/borg/pw2
|
||||
...
|
||||
```
|
||||
Ensure that the file names, (e.g. backupserver1) match the corresponding part of
|
||||
the `--name` option *after* the underscore (_), and that the folder name matches
|
||||
the part *before* the underscore.
|
||||
Ensure that the file names, (e.g. `backupserver1`) match the corresponding part of
|
||||
the `--name` option *after* the underscore (_). The `borg` folder is hardcoded in the systemd service file.
|
||||
|
||||
Then uncomment or use the following in your configuration file. Adjust `borgpw_backupserver1`
|
||||
Then uncomment or use one of the following in your configuration file. Adjust `borg_backupserver1`
|
||||
according to the name given to the credential.
|
||||
|
||||
```yaml
|
||||
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver1"
|
||||
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
|
||||
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borg_backupserver1"
|
||||
```
|
||||
|
||||
### Environment variable interpolation
|
||||
|
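Review bot: the final yaml block now lists `encryption_passcommand` twice under "use one of the following", so a reader who copies the block as-is ends up with a duplicate key in the configuration file. Suggest commenting out one of the two lines, or splitting them into two blocks labelled for the single-password and multiple-password cases. The sentence "Adjust `borg_backupserver1` according to the name given to the credential" should also say that the `borgpw` line needs no adjustment, since that name is described above as hardcoded in the service file. Minor: "Ensure that the file names, (e.g. `backupserver1`) match" has a stray comma before the parenthesis.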
@ -10,7 +10,8 @@ ConditionACPower=true
|
||||
Type=oneshot
|
||||
|
||||
# Load encrypted credentials.
|
||||
LoadCredentialEncrypted=borgpw:/etc/credstore.encrypted/borgpw/
|
||||
LoadCredentialEncrypted=borg:/etc/credstore.encrypted/borg/
|
||||
LoadCredentialEncrypted=borgpw
|
||||
|
||||
# Security settings for systemd running as root, optional but recommended to improve security. You
|
||||
# can disable individual settings if they cause problems for your use case. For more details, see
|
||||
|
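Review bot: both `LoadCredentialEncrypted=borg:/etc/credstore.encrypted/borg/` and `LoadCredentialEncrypted=borgpw` are unconditional, while the documentation change presents the single file and the `borg/` directory as alternatives, so most installations will have only one of them. Please confirm that the unit still starts when either the directory or the `borgpw` credential is absent, and state the result in the docs. It would also help to extend the "# Load encrypted credentials." comment to say which line serves which layout, and that every file placed in `borg/` is made available to the service, so users can comment out the line they do not need.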