I am trying to change password of specific key with restic key passwd command.
Is there a possibility to specify name or id of the key for restic key passwd?
Thanks for support
passwd changes the password of the key that was used to access the repository. If each key has a unique password, then the correct key is already selected for the password change. If you have multiple keys with the same password, then you probably want to use --key-hint key with the id of the key to change. Or just remove one of the duplicate keys and add a new one.
Edit:
All keys are wrappers for the actual master key. As there is only a single master key for each repository, all keys are interchangeable.
Hi Michael,
thanks for the clarification.
Hi Michael,
I found this thread looking for key handling help.
Just to confirm a few things, since the official docs are a bit vague on this:
-
Repository encryption βchainβ looks like this: key password β key β master key. Passwords are used to decrypt keys, which are then used to decrypt the master key, which is used to access the repository.
-
Master key cannot be changed.
-
We can add and remove keys and since these keys are used to decrypt the master key, new keys can be used to access older snapshots.
-
We can change passwords on keys.
-
Both keys and the master key are only stored in the repository (not on the machine running restic client).
Thank you!
- The master key is stored in each key. That is the password (after deriving the actual password using scrypt) is used to decrypt the key file in the repository. The result is the master key.
- Correct. The only way is to
copyeverything to a new repository. - Yes, all keys share the same master key ad thus are able to access everything stored in the repository.
- Yes. Although technically, restic creates a new key and deletes the old one.
- The keys are only stored in the repository, they are not cached on the client machine. To tolerate lost / corrupted key files, you might want to create a backup copy of them.
1 Like
Thank you very much!