How can I provide my password if I'm running borgmatic through a systemd unit? #762
Reference: borgmatic-collective/borgmatic#762
What I'm trying to do and why
I'm trying to set up Borgmatic to run with systemd. I'm using repokey mode, so I have to give my password.
I tried editing my systemd drop-in to have Environment="BORG_PASSPHRASE=REDACTED", but that didn't work:
Steps to reproduce
sudo borgmatic rcreate --encryption repokey-aes-ocb
sudo systemctl enable borgmatic.timer
Actual behavior
I get this error in the systemd journal:
Expected behavior
Borgmatic is able to read my password
Other notes / implementation ideas
No response
borgmatic version
1.8.2
borgmatic installation method
Fedora package
Borg version
1.2.6
Python version
Python 3.11.5
Database version (if applicable)
No response
Operating system and version
Fedora 38
Setting the BORG_PASSPHRASE environment variable should work, although I guess it's conceivable there's a borgmatic bug around that. (There are several other options for providing your password to borgmatic as well.) Some things to try:
Environment="BORG_PASSPHRASE=REDACTED" is under the [Service] heading in your service file.
sudo systemctl daemon-reload?
journalctl -xeu borgmatic.service and you should see something like Sep 30 04:24:42 fedora38 borgmatic.service[1234]: BORG_PASSPHRASE=REDACTED. If you don't see that, it could indicate the environment variable is not actually getting set.
Oh, I might try one of those options then. Is there a recommended way to provide your password for a systemd unit?
I just used sudo systemctl edit borgmatic.service to make a drop-in file, but the contents of that is this:
The contents of the unit file at /usr/lib/systemd/system/borgmatic.conf:
Yep, I made sure to do that.
I can't find it in the log, but here it is:
The short answer is no, there isn't, as how you pass passwords to a system service varies based on your requirements and threat model. Some light reading on the topic can be found here though: https://unix.stackexchange.com/questions/391040/is-there-a-typical-way-to-pass-a-password-to-a-systemd-unit-file
So I've never used systemd drop-in files before. The fact that the passphrase environment variable doesn't show up in logs makes me think it's not working properly though. You could try putting the Environment= directly in the unit file to see if that fixes the problem. That would tell you something is going wrong with the drop-in.
I assume in addition to reloading the daemon, you've also run systemctl restart borgmatic.service after making changes?
@witten Sorry for the late response, I was away from my computer. Am I able to specify my encryption passphrase directly in the config.yaml?
Edit: Found it.
Yup, that's it! Let me know whether that works out for you.
Thank you 🙂. That seems to work.
Awesome, glad to hear that worked!
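
A check for the two things this thread turns on, added here as an example that is not part of the original thread or of borgmatic: whether the BORG_PASSPHRASE assignment in a unit or drop-in sits under [Service], and whether the file holding it is readable by every local user. The function names and the sample drop-ins are constructed for illustration, and the parser assumes no whitespace around "=" and no line continuations.

```shell
#!/usr/bin/env bash
# Added example, not borgmatic's own code; function names are hypothetical.

# Print the [Section] that each uncommented Environment= line assigning
# BORG_PASSPHRASE sits under ("(none)" when it precedes any section header).
passphrase_sections() (
  section="(none)"
  # read with the default IFS trims leading and trailing whitespace
  while read -r line || [ -n "$line" ]; do
    case "$line" in
      '#'*|';'*|'') ;;                                   # comment or blank
      '['*']') section=${line#\[}; section=${section%\]} ;;
      Environment=*BORG_PASSPHRASE=*) printf '%s\n' "$section" ;;
    esac
  done < "$1"
)

# absent:    no assignment found
# ignored:   assigned, but never under [Service], so it is not applied
#            to the service
# exposed:   applied, and the file itself is readable by every local user
# effective: applied, file not world-readable (systemd.exec(5) notes that
#            unit environment variables are still exposed to unprivileged
#            clients over D-Bus, e.g. via "systemctl show")
check_unit() {
  sections=$(passphrase_sections "$1")
  if [ -z "$sections" ]; then echo absent
  elif ! printf '%s\n' "$sections" | grep -qx Service; then echo ignored
  elif [ -n "$(find "$1" -prune -perm -004)" ]; then echo exposed
  else echo effective
  fi
}

# Constructed sample drop-ins with a placeholder passphrase.
demo() {
  d=$(mktemp -d)
  printf '[Service]\nEnvironment="BORG_PASSPHRASE=REDACTED"\n' > "$d/good.conf"
  printf '[Unit]\nEnvironment="BORG_PASSPHRASE=REDACTED"\n' > "$d/wrong.conf"
  chmod 600 "$d/good.conf" "$d/wrong.conf"
  echo "good.conf:  $(check_unit "$d/good.conf")"
  echo "wrong.conf: $(check_unit "$d/wrong.conf")"
  rm -rf "$d"
}
demo
```

On a real system the function would be pointed at the drop-in that sudo systemctl edit borgmatic.service created.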