Hi All. Restic looks just like what I’m after to do backups from Kubuntu to Backblaze B2, and kudos to the developers, but I am a bit confused about the right - and secure - way to use environment variables.
My understanding is that the B2 account ID and key are ‘secrets’ (presumably with them an attacker could modify or delete my backed up files - although presumably not access the unencrypted files without my restic password?).
The restic docs say to simply export these, but I’m worried I’ll forget to avoid including them in the bash history, and want to avoid typing them out each time.
The Quickstart Guide for Restic and Backblaze B2 Cloud Storage suggests putting the exports in a file in /etc/ and making the owner of that file root with appropriately secure file permissions, and using source to utilise the variables. However, I think this assumes running restic as root.
I guess I could add the environment variables to /etc/environment but then it’s permanently available to any user on the system, and I’m not sure how secure that is when I’m aiming to have the variables available to as limited a number of processes/users on my system as possible in case of hacks.
Searching on this forum or elsewhere comes up with many other subtly different methods.
I don’t want or need to run restic as root since I’m only interested in backing up user files, and running restic mount as user means I can simply use Dolphin to navigate my backup.
I’m also not so worried about the password here, as I’m not planning to automate backups and so will enter the password manually, or from a secure key.
I may well be misunderstanding or overthinking the issue, but is there a best practice way of handling the environment variables securely and minimising the risk of them being available in places they shouldn’t be, and/or a way of storing the environment variables securely, where they can be safely loaded on an as-needed basis by a regular user running restic?
Thanks in advance, Ash.
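
One way a regular user could load the B2 account ID and key only for the restic process, keeping them out of bash history and out of /etc/environment. This is an added example, not part of the original post and not restic's own tooling. It assumes GNU stat, restic's `B2_ACCOUNT_ID` / `B2_ACCOUNT_KEY` variable names, and a hypothetical file `~/.config/restic/b2.env`; the function and script names are also hypothetical.

```shell
#!/bin/sh
# Added example (not restic's own tooling). Assumes GNU stat and a hypothetical
# file ~/.config/restic/b2.env with plain lines, no quotes and no "export":
#   B2_ACCOUNT_ID=<your-account-id>
#   B2_ACCOUNT_KEY=<your-account-key>

# Succeeds only for a regular, non-symlink file owned by the calling user
# with no group/other permission bits (mode 600, 400 or 700).
check_secret_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' -- "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' -- "$1")" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the given command with the file's KEY=VALUE pairs exported in a
# subshell, so they never enter the calling shell. Lines are parsed rather
# than sourced, so the file cannot execute code.
run_with_secrets() {
    secrets_file=$1
    shift
    if ! check_secret_file "$secrets_file"; then
        echo "refusing $secrets_file: need own file, mode 600" >&2
        return 1
    fi
    (
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) continue ;;
                *=*) name=${line%%=*} ;;
                *) continue ;;
            esac
            case "$name" in
                ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;  # not a valid name
            esac
            export "$line"
        done < "$secrets_file"
        exec "$@"
    )
}

# Usage: sh with-b2.sh ~/.config/restic/b2.env restic -r b2:<bucket>:<path> snapshots
if [ "$#" -ge 2 ]; then
    run_with_secrets "$@"
fi
```

The credentials exist only in the environment of the command started this way, and the wrapper refuses to run if the file is readable by group or others.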