I am setting up an append-only restic server. However, I am stuck at implementing a server-side pruning service. As the server-side command restic -r /path/ forget needs to know the password for each machine, how do I supply it?
Is it a good idea to have e.g. passwords.txt with $repo $password $retentionpolicy on each line and a shell script to iterate over it when pruning?
Alternative: I use TLS with basic auth, thus using a different or even hard password for the repositories may be unnecessary? I don’t really need encryption because the server is trusted.
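One way to write the pruning loop the question describes, as an added example that is not the poster's script: it assumes passwords.txt lines of the form "repo password retention-flags" (passwords without spaces), refuses a file readable by other users, and hands the password to restic through the RESTIC_PASSWORD environment variable of the child process so it never appears on the command line.

```shell
#!/bin/sh
# Added example (constructed, not from the original post).
# Assumed line format of passwords.txt (one repository per line):
#   /srv/restic/host1 s3cret --keep-daily 7 --keep-weekly 4
# Blank lines and lines starting with '#' are skipped.
# Set RESTIC_BIN to something else (e.g. echo) to preview the commands.

RESTIC_BIN="${RESTIC_BIN:-restic}"

# Return the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run "restic forget --prune" for every repository listed in the file $1.
# Returns non-zero if the file is not owner-only or any restic call fails.
prune_all() {
    file="$1"
    mode=$(file_mode "$file") || return 1
    case "$mode" in
        *00) ;;   # group and other have no bits set (e.g. 600, 700)
        *) echo "refusing $file: mode $mode is not owner-only" >&2; return 1 ;;
    esac
    while read -r repo password retention; do
        case "$repo" in ''|'#'*) continue ;; esac
        # $retention is intentionally unquoted: it holds several flags.
        # Put --dry-run in that column to preview what would be removed.
        RESTIC_PASSWORD="$password" "$RESTIC_BIN" -r "$repo" forget --prune $retention \
            || return 1
    done < "$file"
}
```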
Note that restic is able to use multiple passwords, but they are all used to access the identical encryption key. That means that every host which has access to the repo by any password automatically has full repo access (unless you restrict some rights by the backend itself).
So in your case, simply generate a new “key” for the server using restic key add and use it to forget whatever snapshot you want.
Oh I didn’t know restic can do that. Neat, but still I need to decrypt the initialized repo first in order to add a key, right? Maybe I need to think about the implications a bit more.
Anyway, I had decided to implement the above shell script with weak encryption passwords and strong authentication. I may change it to using the key-add command you mentioned. In any case thank you for the answer.
A “key” in restic can basically be understood as a new password which allows access to the “masterkey” which is used for encryption. So you don’t need to decrypt the repo to add a new “key” (a.k.a. password), but you need ANY of the existing “keys”/passwords to add a new one using the restic key command.