Avoid special characters in password

A word to the wise: Avoid special characters in your restic password! I had special characters in my restic password, which would work in a script, as long as I put the password in quotes. But, when I tried to get systemd to handle backup automation, I kept getting “wrong password or no key found.” Systemd can’t handle quotes around the password. I changed the password to just alphanumeric characters, removed the quotes, and that has solved the problem.

Lance

I’m guessing that you put the password directly in the systemd configuration file as part of a bash inline script. (ExecStart=/bin/bash -c ...) In this case, the quotes likely get processed by systemd first, so you’d need to double-quote it; systemd removes the outer layer of quotes, and bash would see the inner layer. If you only have one layer of quotes, systemd removes them and bash doesn’t have any quotes left.

Alternatively, consider creating a helper script for specific repositories:

#!/bin/sh

export RESTIC_REPOSITORY=/path/to/repo
export RESTIC_PASSWORD='password'

exec restic "$@"

Make the file chmod 700 and owned by root to keep the password secure. You can use the script both from systemd, and as root whenever you need to manually interact with the repository.

Even better, create an environment file for systemd to use:

[Unit]
Description=Restic Backup to B2
Before=restic_forget.service
RequiresMountsFor=/home /mnt/media

[Service]
Type=oneshot
EnvironmentFile=/root/.restic_backup_env
ExecStart=/usr/local/bin/restic backup /home/ /srv /var/backups /mnt/media

[Install]
WantedBy=restic_backup.target

/root/.restic_backup_env

B2_ACCOUNT_ID={{ b2_account_id }}
B2_ACCOUNT_KEY={{ b2_account_key }}
HOME=/root
RESTIC_PASSWORD={{ restic_password }}
RESTIC_REPOSITORY=b2:firecat53-restic
XDG_CACHE_HOME=/var/cache

Edit: the double braces are just denoting Ansible variables. I have plenty of special characters in my password!


Yep, this is also a viable approach. I prefer using a script because then I can run restic-reponame snapshots -c for example without having to remember the repository password, but there are multiple ways to do this.

Yeah, I don’t do it often enough so I always have to look up in my notes the

export $(cat /root/.restic_backup_env | xargs)

to be able to run the restic commands. But…worth it!
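An added example, not part of any post in this thread: the one-liner above passes the file through xargs and an unquoted command substitution, so a password containing spaces, quotes or glob characters is split or rejected before export sees it. The sketch below reads the same EnvironmentFile line by line and exports each value literally. The function names load_env_file and restic_env are hypothetical, and the parser assumes one KEY=VALUE per line with no line continuations or backslash escapes.

```shell
#!/bin/sh
# Added example: load a systemd-style EnvironmentFile into the shell without
# word splitting, globbing or $-expansion of the values.
# Assumption: one KEY=VALUE per line, no continuations, no backslash escapes.

load_env_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;    # blank lines and comments
            *=*) ;;                       # looks like an assignment
            *) continue ;;                # anything else is ignored
        esac
        key=${line%%=*}                   # text before the first '='
        val=${line#*=}                    # everything after it, untouched
        case $key in                      # accept only valid variable names
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        case $val in                      # drop one layer of matching quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        export "$key=$val"                # quoted, so the value stays literal
    done < "$1"
}

# Hypothetical wrapper: the function body is a subshell, so the password
# never remains in the interactive shell's environment.
# Usage: restic_env /root/.restic_backup_env snapshots -c
restic_env() (
    envfile=$1; shift
    load_env_file "$envfile" && exec restic "$@"
)
```

Keep the environment file readable by root only, as with the helper script earlier in the thread.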

Interesting! I have not seen the double braces before; I’d just copied & pasted from my script into the EnvironmentFile. I keep hoping someone will write a GUI front-end. No one believes me when I tell them that Linux end-users really do exist.