RESTIC_PASSWORD_COMMAND="pass ..." : how to make it work?

Paul_Ka · April 11, 2025, 9:14am

Hi,

I am trying to make a backup script using RESTIC_PASSWORD_COMMAND=“pass …” (pass being https://www.passwordstore.org/) on Debian.

Here is my typical script :

#!/bin/sh

export RESTIC_PASSWORD_COMMAND="pass show BACKUP/KEY"
[...]
restic --repo PATH_TO_REPOSITORY backup

Observed behavior is :

If the GPG keyring is unlocked, everything proceed as intended.
If the GPG keyring is locked, instead of prompting password to unlock with pinentry, restic backup fails with :

gpg: decryption failed: No secret key
Resolving password failed: exit status 2

If I insert in the script a line to force gpg-agent pinentry prompt, like so :

export RESTIC_PASSWORD_COMMAND="pass show BACKUP/KEY"
eval ${RESTIC_PASSWORD_COMMAND}
[...]
restic --repo PATH_TO_REPOSITORY backup

Then things work again, gpg-agent shows pinentry if required, key unlocks and restic proceeds as intended.

Do you know what can cause this behavior please ?

Cheers

Paul_Ka · April 11, 2025, 10:06am

Solution found. Because GPG unlock is not called from the shell but from restic, it won’t prompt for the password. The solution is to export GPG_TTY before calling restic.

export GPG_TTY=$(tty)
export RESTIC_PASSWORD_COMMAND="pass show BACKUP/KEY"
[...]
restic backup

Sorry for the noise, hope this will help others.