Only support a single systemd credential by default (#930).
witten committed Nov 8, 2024
2 parents 227f475 + 467ddd0 commit 3f75e99
Showing 2 changed files with 28 additions and 8 deletions.
30 changes: 24 additions & 6 deletions docs/how-to/provide-your-passwords.md
Expand Up @@ -39,27 +39,45 @@ Save your password as an encrypted credential to `/etc/credstore.encrypted/borgm
# systemd-ask-password -n | systemd-creds encrypt - /etc/credstore.encrypted/borgmatic.pw
```
Then uncomment or use the following in your configuration file:
```yaml
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw"
```

Note that the name `borgmatic.pw` is hardcoded in the systemd service file.

If you use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g.,
To use multiple different passwords, save them as encrypted credentials to `/etc/credstore.encrypted/borgmatic/`, e.g.,

```
# mkdir /etc/credstore.encrypted/borgmatic
# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_backupserver1 - /etc/credstore.encrypted/borgmatic/backupserver1
# systemd-ask-password -n | systemd-creds encrypt --name=borgmatic_pw2 - /etc/credstore.encrypted/borgmatic/pw2
...
```

Ensure that the file names, (e.g. `backupserver1`) match the corresponding part of
the `--name` option *after* the underscore (_). The `borgmatic` folder is hardcoded in the systemd service file.
the `--name` option *after* the underscore (_), and that the part *before*
the underscore matches the directory name (e.g. `borgmatic`).

Then uncomment or use one of the following in your configuration file. Adjust `borgmatic_backupserver1`
according to the name given to the credential.
Then, uncomment the appropriate line in the systemd service file:

```yaml
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic.pw"
```
# systemctl edit borgmatic.service
...
# Load multiple encrypted credentials.
LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/
```

Finally, use the following in your configuration file:

```
encryption_passcommand: "cat ${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1"
```

Adjust `borgmatic_backupserver1` according to the name given to the credential
and the directory set in the service file.

### Environment variable interpolation

<span class="minilink minilink-addedin">New in version 1.6.4</span> borgmatic
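
Review bot: In the multiple-passwords section, the step "Then, uncomment the appropriate line in the systemd service file" is paired with `systemctl edit borgmatic.service`, which opens a drop-in override rather than the unit file itself, so there is no commented line there to uncomment. Consider rewording it to "add the following to the override" and showing the `[Service]` header in place of the `...`, and state whether the default `LoadCredentialEncrypted=borgmatic.pw` line has to be disabled or may stay active when no `borgmatic.pw` credential exists. The fence around the final `encryption_passcommand` example also looks untagged while the single-credential example is tagged `yaml`; tagging both keeps the rendering consistent.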
6 changes: 4 additions & 2 deletions sample/systemd/borgmatic.service
Expand Up @@ -10,10 +10,12 @@ Documentation=https://torsion.org/borgmatic/
[Service]
Type=oneshot

# Load encrypted credentials.
LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/
# Load single encrypted credential.
LoadCredentialEncrypted=borgmatic.pw

# Load multiple encrypted credentials.
# LoadCredentialEncrypted=borgmatic:/etc/credstore.encrypted/borgmatic/

# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
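
Review bot: With `LoadCredentialEncrypted=borgmatic.pw` now active and the directory form commented out, installations that already keep credentials under `/etc/credstore.encrypted/borgmatic/` and read `${CREDENTIALS_DIRECTORY}/borgmatic_backupserver1`-style names in `encryption_passcommand` will stop finding them once they pick up the new sample unit. This deserves a changelog or upgrade note, and the two comments could say where the single credential is expected (the docs use `/etc/credstore.encrypted/borgmatic.pw`) and point to docs/how-to/provide-your-passwords.md for switching between the two lines.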