I wrote a guide for how I use restic to back up multiple hosts to B2, might be helpful to someone:
I’ve been using this setup to back up four Ubuntu machines and it seems to be working well. I use pass to securely store the B2 application key and RESTIC_PASSWORD on each machine, and I give my main machine access to every machine’s backups so I can do all the maintenance (restic forget, restic prune, restic check) from one machine.
I suggest using
RESTIC_PASSWORD_COMMAND="$(pass show "$RESTIC_HOST"/RESTIC_PASS”
instead of
RESTIC_PASSWORD="$(pass "$RESTIC_HOST"/RESTIC_PASS”
This way, I think, password does not leak via environmental variable, rather is decrypted on demand.
Am I right?
Yeah that seems to work, thanks. It’s a shame that there isn’t a B2_ACCOUNT_KEY_COMMAND for the B2 application key as well.
I think this is the correct bash (so that shellcheck doesn’t complain about anything):
RESTIC_PASSWORD_COMMAND=pass\ "$RESTIC_HOST"/RESTIC_PASSWORD
And you also need to change RESTIC_PASSWORD in the export at the bottom of the script to RESTIC_PASSWORD_COMMAND.
For the env.fish file it’s just:
set -x RESTIC_PASSWORD_COMMAND pass $RESTIC_HOST/RESTIC_PASSWORD
I updated the post with this suggestion, thanks