use multiple credentials

This commit is contained in:
cvlc12 2024-10-03 21:18:23 +02:00
parent 0da21cd4cb
commit c100b5bded
3 changed files with 16 additions and 9 deletions

@ -232,10 +232,10 @@ properties:
passcommand/repokey/keyfile encryption. Note that if both
encryption_passcommand and encryption_passphrase are set, then
encryption_passphrase takes precedence. Defaults to not set.
This can also be used to access an encrypted systemd service
credential (stored in /etc/credstore.encrypted/borgpw).
This can also be used to access encrypted systemd service
credentials (stored in /etc/credstore.encrypted/borgpw/).
example: "secret-tool lookup borg-repository repo-name"
example: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
example: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver1"
encryption_passphrase:
type: string
description: |
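Review bot: the new description ("This can also be used to access encrypted systemd service credentials (stored in /etc/credstore.encrypted/borgpw/).") says where the encrypted blobs live but not where the `borgpw_backupserver1` in the example comes from, so a reader cannot tell how to name a second credential. Suggest stating that systemd exposes each file in that directory under `$CREDENTIALS_DIRECTORY` as `borgpw_<filename>` and that the `--name=` given to `systemd-creds encrypt` must be that same string, e.g. "Each file in that directory is exposed as ${CREDENTIALS_DIRECTORY}/borgpw_<filename>."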

@ -31,18 +31,25 @@ encryption_passcommand: pass path/to/borg-repokey
### Using systemd service credentials
Borgmatic supports using [credentials](https://systemd.io/CREDENTIALS/).
Borgmatic supports using encrypted [credentials](https://systemd.io/CREDENTIALS/).
Save your password as an encrypted credential to `/etc/credstore.encrypted/borgpw`:
Save your passwords as encrypted credentials to `/etc/credstore.encrypted/borgpw/`, e.g.,
```
# systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgpw
# mkdir /etc/credstore.encrypted/borgpw
# systemd-ask-password -n | systemd-creds encrypt --name=borgpw_backupserver1 - /etc/credstore.encrypted/borgpw/backupserver1
# systemd-ask-password -n | systemd-creds encrypt --name=borgpw_backupserver2 - /etc/credstore.encrypted/borgpw/backupserver2
...
```
Ensure that the file names, (e.g. backupserver1) match the corresponding part of the `--name` option *after* the underscore (_),
and that the folder name matches the part *before* the underscore.
Then uncomment or use the following in your configuration file:
```yaml
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver1"
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver2"
...
```
### Environment variable interpolation
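Review bot: the YAML block that ends with `encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw_backupserver2"` now repeats the same key in one mapping, which is not a valid single configuration file; make clear that each line belongs to a different repository's configuration, either as separate snippets or with a comment such as `# in backupserver1's configuration file`. The sentence "Ensure that the file names, (e.g. backupserver1) match the corresponding part of the `--name` option *after* the underscore" would also be easier to follow if it gave the reason: with a directory as source, `LoadCredentialEncrypted=` loads every file as a credential named `borgpw_<filename>`, and `systemd-creds encrypt --name=` embeds that name in the blob and will not decrypt it under a different credential name, so both halves must agree. Consider also creating the directory with restrictive permissions (e.g. `mkdir -m 0700`) rather than a bare `mkdir`.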

@ -9,8 +9,8 @@ ConditionACPower=true
[Service]
Type=oneshot
# Load encrypted credentials
LoadCredentialEncrypted=borgpw
# Load encrypted credentials.
LoadCredentialEncrypted=borgpw:/etc/credstore.encrypted/borgpw
# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
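Review bot: the comment `# Load encrypted credentials.` above `LoadCredentialEncrypted=borgpw:/etc/credstore.encrypted/borgpw` should say that the source is now a directory and that systemd therefore loads every file in it as a separate credential named `borgpw_<filename>`, which is what the `encryption_passcommand` in the configuration relies on; someone reading only this unit has no way to know the credential is not simply called `borgpw`. Suggest `# Load every encrypted credential in /etc/credstore.encrypted/borgpw/ as borgpw_<filename>.`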