Load systemd encrypted credentials #902
Loadingβ¦
x
Reference in New Issue
Block a user
No description provided.
Delete Branch "cvlc12/borgmatic:cvlc12-patch-1"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Try to find an encrypted borg password to use, provided as an encrypted systemd credential
One can save an encrypted password to
/etc/credstore.encrypted/borgpw
(or other supported path) with e.g.Problems:
Is PASSCOMMAND the right tool here, and what if someone is already using it ?I don't think Borg can natively just read the password from a file, although that would be great.If there is no credential, systemd handles this gracefully, but cat throws an error which pollutes the log..It should be possible to support multiple passwords,
but I've been unable to make that work:This can probably be adapted to work with the user service, however they don't have fallback directories for that yet, so we would need to hardcode a full path in
LoadCredentialEncrypted
Thanks for taking the time to submit this PR, and I apologize for the delay in getting to it! The general approach makes sense to me, but I'd recommend perhaps commenting it out by default so that a borgmatic systemd user can make an intentional decision to use it or not. I think my main concern with enabling it by default is that the
PASSCOMMAND
environment variable can get stomped over by borgmatic if the user also has the corresponding configuration option set.I think
PASSCOMMAND
is the right tool. If someone is already using it within borgmatic via theencryption_passcommand
option, then borgmatic will stomp over it. And yeah, Borg can't natively read the password from a file AFAIK. Might be an interesting PR for Borg though!Not ideal, but might be a good enough solution.
That's unfortunate, but IMO you could comment around that for now.
Do tildes work? Or would the home directory need to be hard-coded too? Might not be a huge issue if it's commented out by default here too.
62222022c3
tofdd33947e4
Alright, here's a new take on this!
I'm using a new variableBORG_CRED
in the service file, so as not to stomp over anyone's previous settings.Actually it's even easier than that... $CREDENTIALS_DIRECTORY is inherited.. the only necessary step is to load the credential...!
And no need to edit the service file anymore, just uncomment or write down
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
in a configuration file.I tried adding this as a second example to the
encryption_passcommand
section of the main config file, however this might not work as expected, I know nothing about yaml files :)Still working on this
For now this does not seem to work. See https://github.com/systemd/systemd/issues/33796
What do you think about this new approach ?
Alright, even got the multiple passwords to work..
The service file needs to have
Then passwords are available as
Only problem is that the full path needs to be hardcoded in the service file. From man systemd-exec(5):
Slightly less straightforward, but definitely can be useful. Should we go for this approach instead ?
Nice use of borgmatic's environment variables feature here. π I honestly think either of these approaches could work. If you have a use case for multiple passphrases, then maybe go with that.
@ -235,1 +235,4 @@
example: "secret-tool lookup borg-repository repo-name"
description: |
Uncomment to use an encrypted systemd service credential (/etc/credstore.encrypted/borgpw).
example: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
I don't think you can have two descriptions and two examples for a given option. So maybe just work the additional description into the existing one, maybe including the new example there? And/or relying on documentation rather than the schema to document this feature?
BTW you can test this with
scripts/dev-docs
if you have Docker Compose installed. Even just running tests withtox
will exercise the code path that interprets the schema. (No Docker Compose required that way.)More info at: https://torsion.org/borgmatic/docs/how-to/develop-on-borgmatic/
Indeed the tox tests failed, but they seem to run OK with one description but two examples. Does that look ok ?
Unfortunately I don't think it works. Even it tests pass, the following won't work with those changes:
That error happens because standard YAML doesn't allow duplicate keys. What I recommend doing instead is to work any secondary examples into the description. It's not ideal, but at least it'd be valid YAML. π Alternatively, or in addition, your documentation changes might be sufficient for documenting the systemd approach.
(BTW even if unit/integrations tests pass with the duplicate key, I'd expect end-to-end tests to properly catch it and fail.)
Ok, so I removed the example and linked to the docs. I used the following to fit the URL in:
https://yaml.org/spec/1.2-old/spec.html#style/flow/double-quoted
Sorry to keep going back and forth on this, but unfortunately I don't think this works either! Here's what ends up in the generated config file:
I think the problem is that that the double quotes are already embedded in a
|
-defined string. (YAML is kind of complex...) Rather than try to fight YAML on this, I'd instead recommend doing something like:It's not ideal in that it doesn't have the direct link to the section in question, but it has the distinct benefit of resulting in a working URL in the generated config.
125401e416
to0da21cd4cb
It's probably nice to go with the multiple password approach and hardcode the path for now while they sort a couple things out (https://github.com/systemd/systemd/issues/34542, https://github.com/systemd/systemd/issues/33887). And then eventually update it to be more generic.
Is 'borgpw' ok for the credential folder name ? Or should it just be borgmatic ?
521a75320c
toaefc9d61ba
665cf85b9e
to4e833e147a
4e833e147a
to7eb925dfbc
WIP: Load systemd encrypted credentialsto Load systemd encrypted credentialsAlright, sorry for doing this in so many stages, but I believe this last take is the right approach. This allows using either one password, or multiple.
The hardcoded path for multiple passwords is necessary for now but can probably be removed later on.
Removed WIP from the title as I think it's ready now
7eb925dfbc
tofd91eebeda
Personally, I'd prefer
borgmatic
just because these are the systemd credentials for the borgmatic systemd service (even if borgmatic happens to pass them to Borg).I'll have a look at the rest of the changes!
@ -32,0 +57,4 @@
```yaml
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgpw"
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borg_backupserver1"
This does make me wonder if you can just put all credentials inside a directory, even in the single credential case. Then your instructions/procedure would be the same regardless of the number of credentials.
Do not feel strongly.
Yes I considered that as well. I decided not to because I guess most people just use a single password, and the "foldername_filename" thing systemd came up with for the credential name when using multiple credentials might throw some people off. But I don't mind reconsidering if you think that's easier.
The other reason is that it makes it easier to propagate the password/credential if using only one, since the path is not hardcoded. So
borgmatic.pw
will automatically be checked for in e.g./run/credstore.encrypted
in addition to/etc/credstore.encrypted/
, etc..I'm totally fine with it as is!
@ -29,6 +29,37 @@ For example, to ask the *Pass* password manager to provide the passphrase:
encryption_passcommand: pass path/to/borg-repokey
```
### Using systemd service credentials
Nice docs! I appreciate you writing this up.
12879bda2e
to5280de86ff
I'm gonna merge this just so we don't have to do another round of back and forth, and then I'll adjust the URL in the config file as per my comment. Thanks so much for sticking with this!
Great ! Thanks
Released in borgmatic 1.9.0!
It sounds like this change errors when encrypted credentials aren't present on disk: #929
Is that expected, and can you think of any work-arounds other than leaving it commented out by default? Thanks.
I can confirm that credentials are gracefully skipped when missing:
nov. 07 16:23:30 host (sd-mkdcre[3448]: Couldn't read inherited credential 'borgmatic.pw', skipping: No such file or directory
However this is not the case with the credential folder
LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/
If the folder is empty, everything is gracefully ignored. But if the folder is missing, then it breaks...
I've filed an issue to systemd https://github.com/systemd/systemd/issues/35077
I see two options,
/etc/credstore.encrypted/borgmatic/
dirAnyway, the missing borgmatic.pw credential should not error out, and there should be no error at all if the the borgmatic folder exists.