Load systemd encrypted credentials (#902).

Reviewed-on: #902
Reviewed-by: Dan Helfman <witten@torsion.org>
This commit is contained in:
Dan Helfman 2024-10-22 15:58:41 +00:00
commit ed957a940a
3 changed files with 39 additions and 1 deletions

@ -232,7 +232,10 @@ properties:
key. Only use on repositories that were initialized with
passcommand/repokey/keyfile encryption. Note that if both
encryption_passcommand and encryption_passphrase are set, then
encryption_passphrase takes precedence. Defaults to not set.
encryption_passphrase takes precedence. This can also be used to
access encrypted systemd service credentials (see "https://torsion\
.org/borgmatic/docs/how-to/provide-your-passwords/#using-systemd-\
service-credentials"). Defaults to not set.
example: "secret-tool lookup borg-repository repo-name"
encryption_passphrase:
type: string
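Review bot: the new sentence in the `encryption_passcommand` description splits the documentation URL across three lines with trailing backslashes (`https://torsion\`, `.org/borgmatic/docs/how-to/provide-your-passwords/#using-systemd-\`); that continuation only joins into one link if the `description` is a double-quoted scalar and everything that renders the schema (generated docs, `--help` output) preserves it, so please check the rendered output for literal backslashes, or put the whole URL on one line. It would also help readers to say how the credential reaches the command, i.e. that systemd exposes it under `$CREDENTIALS_DIRECTORY` and the passcommand just reads it from there, which is what the how-to examples in this change do.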

@ -29,6 +29,37 @@ For example, to ask the *Pass* password manager to provide the passphrase:
encryption_passcommand: pass path/to/borg-repokey
```
### Using systemd service credentials
Borgmatic supports using encrypted [credentials](https://systemd.io/CREDENTIALS/).
Save your password as an encrypted credential to `/etc/credstore.encrypted/borgmatic.pw`, e.g.,
```
# systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgmatic.pw
```
Note that the name `borgmatic.pw` is hardcoded in the systemd service file.
If you use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g.,
```
# mkdir /etc/credstore.encrypted/borgmatic
# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_backupserver1 - /etc/credstore.encrypted/borgmatic/backupserver1
# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_pw2 - /etc/credstore.encrypted/borgmatic/pw2
...
```
Ensure that the file names, (e.g. `backupserver1`) match the corresponding part of
the `--name` option *after* the underscore (_). The `borgmatic` folder is hardcoded in the systemd service file.
Then uncomment or use one of the following in your configuration file. Adjust `borgmatic_backupserver1`
according to the name given to the credential.
```yaml
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw"
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1"
```
### Environment variable interpolation
<span class="minilink minilink-addedin">New in version 1.6.4</span> borgmatic
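Review bot: the final YAML example lists `encryption_passcommand` twice in one block; the prose says to use one of them, but a reader who pastes the block as written gets a duplicate mapping key, which YAML loaders reject or silently resolve to the last value. Show them as two separate fenced blocks, or comment one line out, e.g. `# encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw"`. Two smaller points in the same section: the single-credential `systemd-creds encrypt` call omits `--name` while the multi-credential calls require it, so say explicitly that without `--name` the credential name is derived from the output file name (`borgmatic.pw`), which is why it has to match `LoadCredentialEncrypted=borgmatic.pw` in the unit; and the bare `...` line inside the second fence reads like a command, so drop it or make it a comment (`# ... one file per password`). The sentence "Ensure that the file names, (e.g. `backupserver1`) match" also has a stray comma before the parenthesis.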

@ -9,6 +9,10 @@ ConditionACPower=true
[Service]
Type=oneshot
# Load encrypted credentials.
LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/
LoadCredentialEncrypted=borgmatic.pw
# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
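Review bot: both `LoadCredentialEncrypted=` lines are unconditional, so the sample unit now references `/etc/credstore.encrypted/borgmatic/` and `borgmatic.pw` on every host that installs it, including hosts that keep using `encryption_passphrase` or a password-manager passcommand and never create those files. Please confirm what systemd does at service start when neither source exists and document it, or extend the how-to's "hardcoded in the systemd service file" note to say which file must exist before the unit is enabled. The `borgmatic:` ID on the directory line is what produces the `borgmatic_<filename>` names the how-to relies on, so a one-line comment here, e.g. `# Files in the directory appear as $CREDENTIALS_DIRECTORY/borgmatic_<filename>`, would tie the unit to the docs; the comment could also carry the how-to URL that the schema description in this change points to.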