Using RESTIC_PASSWORD_COMMAND with keepassxc-cli

Hello everybody,

I just started using restic and am trying to figure out how to load the password for the restic repository from a keepassxc database using keepassxc-cli.

My current approach is this:

export RESTIC_PASSWORD_COMMAND="keepassxc-cli show -sa password /path/to/keepass.kdbx restic"

This does not work, unfortunately.

If run on its own, this command prompts for the password of the keepass database and will then print out the password of the repository.

But here, I do not get the chance to input my keepass password.
Instead, I immediately get the error that the (keepass) credentials are wrong and restic stops.

Does anybody know how to fix this?

I found a workaround:

By defining a function

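restic(){
    # Ask KeePassXC for the repository password (prompts for the database password)
    local password
    password=$(keepassxc-cli show -sa password /path/to/keepass.kdbx restic) || return
    # Hand it to restic through a process substitution, so it never appears in the argument list
    /usr/bin/restic --password-file <(echo "$password") "$@"
}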

I can first retrieve the backup-password from the keepass database and then pass it to restic.
A minor nuisance with this solution is that I am always prompted to enter the password, even if I type something like restic --help where no password is needed.

1 Like
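
A variant of the wrapper above that asks KeePassXC for the password only when the restic subcommand needs the repository, as an added example that is not part of the original posts. The names RESTIC_BIN, KDBX, ENTRY, needs_password and get_repo_password are assumptions, and the password is handed over through restic's RESTIC_PASSWORD variable instead of --password-file so that the snippet also runs in plain sh.

```sh
# Added example; RESTIC_BIN, KDBX and ENTRY are assumed names, adjust to your setup.
RESTIC_BIN=${RESTIC_BIN:-/usr/bin/restic}
KDBX=${KDBX:-/path/to/keepass.kdbx}
ENTRY=${ENTRY:-restic}

# Succeeds (0) only if this restic invocation has to open the repository.
needs_password() {
    # A help flag anywhere on the line means restic only prints usage text.
    for arg in "$@"; do
        case $arg in -h|--help) return 1 ;; esac
    done
    # Find the subcommand: the first argument that is not a global option.
    while [ $# -gt 0 ]; do
        case $1 in
            -r|--repo|-o|--option)        # global options whose value follows
                [ $# -ge 2 ] || return 1
                shift ;;
            -*) ;;                        # any other option; if it takes a value,
                                          # we merely prompt once more than needed
            help|version|generate|self-update) return 1 ;;
            *) return 0 ;;
        esac
        shift
    done
    return 1                              # no subcommand at all: usage output
}

# Prompts for the KeePassXC database password and prints the entry's password.
get_repo_password() {
    keepassxc-cli show -sa password "$KDBX" "$ENTRY"
}

# Body runs in a subshell, so the password never stays in the interactive shell.
restic() (
    if needs_password "$@"; then
        pw=$(get_repo_password) || exit 1   # wrong database password: stop here
        [ -n "$pw" ] || exit 1              # never call restic with an empty password
        RESTIC_PASSWORD=$pw "$RESTIC_BIN" "$@"
    else
        "$RESTIC_BIN" "$@"
    fi
)
```

With this in place, `restic --help` and `restic version` run without a KeePassXC prompt, while `restic snapshots` or `restic backup ...` prompt once.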

Thanks for sharing. I’m using KeePass. I guess it works the same way.

1 Like

[Edit: apologies for assuming Linux… but I think the general idea is useful and there may be eqvts in other OSs also]

I use keepassxc, and in settings I enabled “Secret Service Integration” (have to kill gnome-keyring-daemon first!). This allows the Linux command secret-tool to grab passwords.

Create a group in keepassxc, call it, say, “SSI”, and in the secret service integration tell keepassxc to expose only keys in the SSI group. This protects other keys that you may not want to be accessible via secret-tool.

Move or copy your repo key entry to that group.

Test by running secret-tool lookup Path myresticrepo – it should show the password.

Finally, export RESTIC_PASSWORD_COMMAND="secret-tool lookup Path myresticrepo" in your bashrc or eqvt makes it all work – you do not need to type the keepassxc password every time. Set keepassxc to lock itself when you lock the screen etc., and that should be that.

4 Likes

Can I ask how exactly you disabled the gnome-keyring-daemon?
I’m running GNOME under Fedora. Unfortunately I have not yet found a way to do this there.
(For example, the method in “How to disable GNOME Keyring on GNOME desktop” does not work for me.)

1 Like

Keepassxc will tell you the PID that is blocking it from enabling its own secret service integration when you go to that tab in the settings.

I just kill that PID.

I’m sure there’s a better way to do this, but since this happens once per boot I have not been motivated to look for it, sorry.

(I do recall trying to disable it in XFCE’s “Application Autostart” list, but it didn’t seem to “take” – next boot gnome keyring started anyway, despite this setting being off. Maybe some impedance mismatch between xfce and gnome; I did not dig into it.)

1 Like