Restic uses encryption by default. I mean, is it okay to rely on it, or should I encrypt sensitive data additionally? I’ve chosen Backblaze as storage, and it has an option.
What if I turn it on? Will encryption on encryption work?
What is a good approach to manage API keys and passwords? The documentation suggests exporting them as environment variables and using a password.txt file for the password. Is that okay, or is there a best practice around?
As far as in my case the repo is on cloud storage, am I correct that the access key is stored in that remote repo? Should I download it and back it up?
Enabling the B2 default encryption shouldn’t conflict with restic. You can just turn it on and give it a try. Not sure whether there are any further side effects from that.
Running check every now and then should be enough. Although running check with one of the --read-data options (warning: downloads large parts of the repository!) can be useful to be super sure that everything is fine.
That depends on your exact use case. Although the actual question is mostly how to safely store those credentials, not so much how to pass them to restic.
I’m not exactly sure what you mean here, but it sounds incorrect. There is the restic repository password, which must be backed up, and the B2 credentials, which can be replaced any time. restic just needs correct B2 credentials to access the repository data and then uses the password to decrypt it.
You can create a backup of the config and keys in the repository, as the repository cannot be decrypted without them. However, B2 normally doesn’t lose that data.
AES, which is typically used in one variant or the other, is by now hardware accelerated on modern hardware to encrypt multiple gigabytes per second. Take a look at the restic docs if you want to know more about restic’s data format: References — restic 0.17.3 documentation.
Well, the only possible answer here is “it depends”, as I know nothing at all about the context in which restic is used. Typically it can be something between storing data in some secret management service or a password manager and just an access-protected plaintext file on disk. What option is available and what makes sense depends on your use case and the security requirements.
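A defensive way to implement the “access-protected plaintext file” option discussed above, as an added example that is not from the thread or from the restic project: before handing a password file to restic, verify that it is a regular file owned by the current user with mode 0600, and pass the repository location and credentials through environment variables (RESTIC_REPOSITORY, RESTIC_PASSWORD_FILE, B2_ACCOUNT_ID, B2_ACCOUNT_KEY, the names restic reads) rather than command-line flags, so they do not show up in process listings or shell history. The script assumes a POSIX host; the file names, the password and the B2 credential values are constructed placeholders.

```python
"""Check a restic password file before using it, and build restic's environment.

Added example (not from the restic project). Assumes a POSIX host: the checks
rely on file ownership and mode bits. File names and credential values below
are constructed placeholders.
"""
import os
import stat
import tempfile


def check_secret_file(path: str) -> list[str]:
    """Return problems found with a credentials file; an empty list means it is safe to use.

    The file must be a regular file (not a symlink), owned by the current user,
    not readable or writable by group or others, and non-empty.
    """
    problems: list[str] = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported instead of followed
    except FileNotFoundError:
        return [f"{path}: does not exist"]

    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink, expected a regular file")
    elif not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: is not a regular file")
    if st.st_uid != os.getuid():
        problems.append(f"{path}: not owned by the current user (uid {os.getuid()})")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = oct(stat.S_IMODE(st.st_mode))
        problems.append(f"{path}: mode {mode} is accessible by group/others, expected 0o600")
    if st.st_size == 0:
        problems.append(f"{path}: is empty")
    return problems


def restic_env(repository: str, password_file: str,
               b2_account_id: str, b2_account_key: str) -> dict[str, str]:
    """Build the environment for a restic invocation against a B2 repository.

    Raises ValueError if the password file fails check_secret_file(), so a
    world-readable password file stops the backup instead of silently running.
    Use it as: subprocess.run(["restic", "backup", "/data"], env=restic_env(...), check=True)
    """
    problems = check_secret_file(password_file)
    if problems:
        raise ValueError("refusing to use password file: " + "; ".join(problems))
    env = dict(os.environ)
    env.update({
        "RESTIC_REPOSITORY": repository,
        "RESTIC_PASSWORD_FILE": password_file,
        "B2_ACCOUNT_ID": b2_account_id,
        "B2_ACCOUNT_KEY": b2_account_key,
    })
    return env


def run_demo() -> dict[str, list[str]]:
    """Create two constructed password files in a temporary directory and check both.

    "good" is created with mode 0600; "bad" is left world-readable (0644),
    the typical mistake with a hand-made password.txt.
    """
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "restic-password")
        bad = os.path.join(tmp, "password.txt")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            # Create restrictively first (no window where the file is readable), then set the demo mode
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as f:
                f.write("constructed-placeholder-password\n")
            os.chmod(path, mode)
        results["good"] = check_secret_file(good)
        results["bad"] = check_secret_file(bad)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

The check refuses symlinks and files owned by someone else because both let another account swap in or read the secret without touching the file's own mode bits; the same function can be reused for a file holding the B2 key if you prefer that over exporting it in a shell profile.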