Send the "encryption_passphrase" option to Borg via an anonymous pipe. #998

Merged
witten merged 6 commits from passphrase-via-file-descriptor into main 2025-02-22 17:57:37 +00:00
Owner

This PR sends the encryption_passphrase option to Borg via an anonymous pipe (using the BORG_PASSPHRASE_FD environment variable to refer to that pipe) instead of the previous behavior of sending the passphrase via environment variable. The motivation is that environment variables can potentially be spied upon, for instance potentially by child processes of borgmatic/Borg or anything that compromises a machine and has access to /proc/[pid]/environ. And especially now that borgmatic has the ability to read credentials from various sources into that encryption_passphrase option, it seems prudent to not allow that value to get subsequently compromised via environment variable.

So this anonymous pipe change applies to:

  • literal/inline encryption_passphrase values
  • encryption_passphrase that references an environment variable
  • encryption_passphrase that loads a credential via {credential ...}
  • the result of running an encryption_passcommand command

It does not apply to:

  • BORG_PASSPHRASE when passed in externally and encryption_passphrase is unconfigured. In that case, the BORG_PASSPHRASE environment variable gets passed through to Borg untouched.

However, note that like with previous versions of borgmatic, encryption_passphrase, if set, still takes precedence over BORG_PASSPHRASE.

Still to do

  • audit for missing test coverage, especially for borg/environment.py
  • more manual testing
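The mechanism described above, as an added illustration that is not borgmatic's own code: the parent writes the passphrase into an anonymous pipe and hands the child only the descriptor number in `BORG_PASSPHRASE_FD`, next to the previous environment-variable behavior for comparison. The child is a Python stand-in for Borg (an assumption so the example runs without Borg installed), and `SAMPLE`, `CHILD` and `run_child` are hypothetical names.

```python
import os
import subprocess
import sys

SAMPLE = "constructed-example-passphrase"  # constructed value, not a real secret

# Stand-in for Borg (assumption: a real run would exec borg instead). It takes the
# passphrase from the descriptor named by BORG_PASSPHRASE_FD, else BORG_PASSPHRASE,
# then reports whether the secret appears anywhere in its own environment.
CHILD = r'''
import os
if "BORG_PASSPHRASE_FD" in os.environ:
    with os.fdopen(int(os.environ["BORG_PASSPHRASE_FD"])) as pipe:
        secret = pipe.read()
else:
    secret = os.environ["BORG_PASSPHRASE"]
print(len(secret), any(secret in value for value in os.environ.values()))
'''


def run_child(passphrase, via_pipe):
    """Return (passphrase length the child received, secret present in child env?)."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("BORG_PASSPHRASE")}
    read_fd = None
    if via_pipe:
        read_fd, write_fd = os.pipe()
        # A passphrase is far smaller than the pipe buffer, so this write cannot block.
        os.write(write_fd, passphrase.encode())
        os.close(write_fd)  # the child sees EOF right after the passphrase
        env["BORG_PASSPHRASE_FD"] = str(read_fd)  # only the descriptor number
    else:
        env["BORG_PASSPHRASE"] = passphrase  # previous behavior: secret in environ
    try:
        result = subprocess.run(
            [sys.executable, "-c", CHILD], env=env, check=True, text=True,
            capture_output=True, pass_fds=(read_fd,) if via_pipe else (),
        )
    finally:
        if read_fd is not None:
            os.close(read_fd)
    length, in_env = result.stdout.split()
    return int(length), in_env == "True"


if __name__ == "__main__":
    print("environment variable:", run_child(SAMPLE, via_pipe=False))
    print("anonymous pipe:      ", run_child(SAMPLE, via_pipe=True))
```

In both modes the child receives the full passphrase; only in the environment-variable mode is it also readable from the child's environment, which is what `/proc/[pid]/environ` exposes.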
witten added 1 commit 2025-02-17 19:18:52 +00:00
witten added 1 commit 2025-02-22 04:27:28 +00:00
witten added 1 commit 2025-02-22 06:08:49 +00:00
witten added 1 commit 2025-02-22 06:30:53 +00:00
witten added 1 commit 2025-02-22 17:27:56 +00:00
witten added 1 commit 2025-02-22 17:57:05 +00:00
witten merged commit 3cf19dd1b0 into main 2025-02-22 17:57:37 +00:00
Author
Owner

Released in borgmatic 1.9.11!

Reference: borgmatic-collective/borgmatic#998