Hello. I’m trying to configure rest-server as a backend for my backups.
Documentation mentions .htpasswd syntax for rest-server credentials on the server side and using
restic init -r rest:https://user@password:<rest_server_domain>
invocation on client.
It looks a bit insecure because any user making ps ax on client during backup process is able to see unencrypted auth credentials. It doesnt help another user seeing backup contents because backup uses another credentials for encryption but still compromises access credentials and allows him to destroy backups.
restic --help mentions --password-file as available for use on client, but it is used only for backup encryption.
Is there any way to set rest-server credentials during backup secure way without shell/gpg or some other external stuff?
Also found such line in docs:
For automated backups, restic accepts the repository location in the environment variable RESTIC_REPOSITORY.
But even with $RESTIC_REPOSITORY set restic requires -r option.
Could you help with correct usage of that?
That isn’t the case.
I have RESTIC_REPOSITORY set in the environment and just use this command line for my offsite backup:
restic backup --exclude-caches --exclude-file exclude.list /home/wscott
And that works fine. Of course, someone with root can still read both passwords from the environment of the backup process, but that is an exploit on the local machine which is explicitly not one of the targets being protected. But it does hide it from other users on the same machine.
Perhaps you should include a full transcript that includes ‘restic version’, the setting of the environment, and the error you are seeing from restic.
Thank you for reply!
It is definitely pretty reasonable behaviour I expected, but for some reason it doesn’t work in my environment
I use
restic 0.7.3
compiled with go1.9 on linux/amd64
from debian/testing on Kvm machine with Linux 4.12.0-2-amd64 Debian 4.12.13-1
I declare
RESTIC_REPOSITORY="rest:https://<user>:<pass>@<domain>/<repo subfolder>"
and call
restic backup <some_relative_folder>/
receiving
Fatal: Please specify repository location (-r)
Same call using -r option works fine
Don’t forget to export RESTIC_REPOSITORY!
Shame on me. It works! Thanks!
For some reason I thought it would nest running bash shell before execution.
export makes the job.