This could be done using standard tools like provided by libfido2 in combination with the password-command option but ideally it would be supported by restic internally with very small changes.
Regardless of how it is implemented, using hmac-secret for key material requires a salt to be stored. Since one primary advantage of using this feature would be that no additional keyfiles are required, I am trying to reuse the salt used by the restic repository.
However that means I need to retrieve the salt value in the key file before I have the password/key.
When the restic repo is local, I can just read the salt in the keys directory of the repo.
However, I am trying to do this through restic commands in order to make this work for remote repositories as well.
How do I request metadata information like the salt value from a restic repository?
There’s no repository-wide salt. Each key and each blob / file in the repository uses a distinct salt.
For a key, there’s no easy wait to let restic return the key content before entering the password.
I’d advise against reusing parts of the key material, it might have some weird security implications.
Is there any meta information related to the repository that can be reteived before password entry? Like the repo ID? Any constant that could be put through a hash function to serve as a salt value?
If needed, this idea still works without a unique salt but having one would prevent offline attacks, so if there is any way to get some unique information from the repo before password entry, that would solve the issue.
No, the first files that are read are the keys. The config file, which contains the repo ID, is encrypted.
The only proper, fully integrated way would be to make the necessary metadata part of the key files. That metadata could then be passed to some password helper command. But I don’t have time to explore that idea further.