Merge pull request #1245 from anarcat/faq

add explanation of restic automation
2017-09-19 10:46:55 +02:00 · 2017-09-19 10:46:55 +02:00 · e91749bbb0
parent 01c486d486 bcd1e45ba7
commit e91749bbb0
2 changed files with 28 additions and 1 deletions
--- a/doc/conf.py
+++ b/doc/conf.py
@ -19,7 +19,7 @@ import os
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
-extensions = []
+extensions = ['sphinx.ext.extlinks']

 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@ -104,3 +104,7 @@ html_static_path = ['_static']

 # Output file base name for HTML help builder.
 htmlhelp_basename = 'resticdoc'
+
+extlinks = {
+    'issue': ('https://github.com/restic/restic/issues/%s', '#'),
+}
--- a/doc/faq.rst
+++ b/doc/faq.rst
@ -26,3 +26,26 @@ The message means that there is more data stored in the repo than
 strictly necessary. With high probability this is duplicate data. In
 order to clean it up, the command ``restic prune`` can be used. The
 cause of this bug is not yet known.
+
+How can I specify encryption passwords automatically?
+-----------------------------------------------------
+
+When you run ``restic backup``, you need to enter the passphrase on
+the console. This is not very convenient for automated backups, so you
+can also provide the password through the ``--password-file`` option
+or ``RESTIC_PASSWORD`` environment. A discussion is in progress over
+implementing unattended backups happens in :issue:`533`.
+
+.. important:: Be careful how you set the environment; using the env
+               command, a `system()` call or using inline shell
+               scripts (e.g. `RESTIC_PASSWORD=password borg ...`)
+               might expose the credentials in the process list
+               directly and they will be readable to all users on a
+               system. Using export in a shell script file should be
+               safe, however, as the environment of a process is
+               `accessible only to that user`_. Please make sure that
+               the permissions on the files where the password is
+               eventually stored are safe (e.g. `0600` and owned by
+               root).
+
+.. _accessible only to that user: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009