1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2024-12-23 16:26:29 +00:00

how to supply a passphrase, use crypto devices, fixes #4549

This commit is contained in:
Thomas Waldmann 2019-06-10 22:31:29 +02:00
parent b989b66584
commit faae9c9d56

View file

@ -172,10 +172,8 @@ backed up and that the ``prune`` command is keeping and deleting the correct bac
# Setting this, so the repo does not need to be given on the commandline:
export BORG_REPO=ssh://username@example.com:2022/~/backup/main
# Setting this, so you won't be asked for your repository passphrase:
# See the section "Passphrase notes" for more infos.
export BORG_PASSPHRASE='XYZl0ngandsecurepa_55_phrasea&&123'
# or this to ask an external program to supply the passphrase:
export BORG_PASSCOMMAND='pass show backup'
# some helpers and error handling:
info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
@ -272,6 +270,50 @@ the sudoers(5) man page.
To debug what your borg process is actually seeing, find its PID
(``ps aux|grep borg``) and then look into ``/proc/<PID>/environ``.
.. passphrase_notes:
Passphrase notes
----------------
If you use encryption (or authentication), Borg will interactively ask you
for a passphrase to encrypt/decrypt the keyfile / repokey.
A passphrase should be a single line of text, a trailing linefeed will be
stripped.
For your own safety, you maybe want to avoid empty passphrases as well
extremely long passphrase (much more than 256 bits of entropy).
Also avoid passphrases containing non-ASCII characters.
Borg is technically able to process all unicode text, but you might get into
trouble reproducing the same encoded utf-8 bytes or with keyboard layouts,
so better just avoid non-ASCII stuff.
If you want to automate, you can alternatively supply the passphrase
directly or indirectly using some environment variables.
You can directly give a passphrase::
# use this passphrase (use safe permissions on the script!):
export BORG_PASSPHRASE='my super secret passphrase'
Or ask an external program to supply the passphrase::
# use the "pass" password manager to get the passphrase:
export BORG_PASSCOMMAND='pass show backup'
# use GPG to get the passphrase contained in a gpg-encrypted file:
export BORG_PASSCOMMAND='gpg --decrypt borg-passphrase.gpg'
Or read the passphrase from an open file descriptor::
export BORG_PASSPHRASE_FD=42
Using hardware crypto devices (like Nitrokey, Yubikey and others) is not
directly supported by borg, but you can use these indirectly.
E.g. if your crypto device supports GPG and borg calls ``gpg`` via
``BORG_PASSCOMMAND``, it should just work.
.. backup_compression:
Backup compression