I’ve searched, and it doesn’t seem this question has been taken up directly.
I’ve also read the docs fairly closely, so I realize there are many ways to save passwords/credentials, either in environment variables or in specific files, etc. And I’ve found a couple of places online where someone describes using the macOS command line to manually save Restic credentials to the macOS Keychain.
But it’s not clear to me, why can’t Restic just do this directly?
Duplicacy does it automatically: the first time you set up a repo it asks you for the password (in the CLI) and saves what you give it to the keychain. It couldn’t be easier.
I’m thinking of setting up an automatic backup in launchd, using Restic, but it feels like such a pain (and a bit over my skill level) to have to manually interact with keychain and figure out how to store credentials there.
Why not? I think it is very simple. Because nobody implemented it yet…
The good thing is that it is an open source project, so anybody interested can work on it and add this feature. Or find somebody else to do it. Or pay somebody:)
It would be a bit of work to do this properly and support Linux, Windows and macOS. Definitely doable, but at the same time I am not entirely sure that it is worth adding it to restic itself. More code to maintain that is not related to restic’s key competence - backup. Similar to having a nice GUI, scheduler, etc. And IMO it would be against one of the key UNIX principles (and so far restic sticks to it rather well):
Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new “features”.
Do a bit of Googling - maybe somebody already did some wrapper using the keychain and restic for the OS you are using.
Yes, I admit that it’s over my head to know how much work it requires, and obviously the highest priority for the restic project should be making it the best backup tool it can be. From reading on the duplicacy forums, and seeing how it works there, it didn’t seem to me that the integration with password managers was all that complex a technical hurdle – but again, my coding skills are nowhere near the needed level.
I agree completely about the general unix philosophy.
But I’d point to another principle:
Write programs to work together.
And my argument would be that in 2025 every computing environment has to deal with the password problem, and right now the only way to deal with it well is through some sort of password manager. Linux, Windows, and MacOS all have built-in password managers that can be used by any program.
So as a feature request, I’m not advocating making Restic into its own password manager (having it do lots of things). Instead, I’m saying that a good piece of backup software should work well with a good password manager. Especially because good backup should be done regularly and therefore should be automated, and for that password management becomes even more important.
On Linux it is a few lines of code to add what you are asking for.
Maybe what is missing is better documentation with working examples. Which again somebody has to spend time on and create:) You really want it better? Then volunteer, do your study and start some docs pages. Often this is what is needed for others to step in and help.
Don’t know if some systems will by default allow the gpg-agent tty pinentry to show up when restic calls GPG, but not mine at least (Debian 12), and the use case seemed so obvious that I had a hard time figuring out that there could be such an issue without documentation warnings, or forum discussions about it.
Yes, I asked my question only after figuring out the steps needed on Restic, which, crudely, I understand as follows (this is on MacOS):
Save the necessary credentials (key, path, password) in keychain using security
Write a shell script for backups that exports all of those, using RESTIC_PASSWORD_COMMAND for the password.
Agreed – it’s basically 2 or 3 extra lines in the shell script.
But I’d underscore this point:
The documentation just assumes you will deal with passwords and keys on your own, by creating a password file (and figuring out how to encrypt/decrypt it), by exporting them for your command-line environment, or by figuring out yourself how to hook them up to your OS password manager.
OK, I hear you. I think I could give this a go!
But while I have a GitHub account, my coding skills are extremely rudimentary, and most importantly, I’ve never worked on any sort of open-source or collective project.
So can you point me in the right direction for how I would volunteer and create some docs that might help?
Depending on whether this will just be a short section or a longer description it could make sense to align the concept beforehand to avoid surprises by opening an issue on Github. The actual change would be made and discussed in detail through a Github pull request.
This makes sense. I think I have two things I could write up, one into each category:
An example of what is required currently to take pwd, key, storageID (from GCS as my example) and, first, save them to MacOS keychain, and second, automate the process so that they can be retrieved dynamically for restic.
A bit for the FAQ that would lay out why a hook to modern OS pwd managers could be a useful and logical addition to restic, but also (I’ve been doing more reading today) a pointer to some key resources for adding this.
In particular, having talked at length about this with a friend with very real coding skills (unlike me!), I am convinced that the solution used by duplicacy could be incorporated into restic. It’s open source and written in go. go-keychain
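The macOS steps listed earlier in the thread (store the items with `security`, export them from a shell script, hand restic the password through RESTIC_PASSWORD_COMMAND) and the write-up proposed just above, as an added example that is not code from the thread or from the restic project: a wrapper script suitable for a launchd job. The Keychain service names, bucket and project id are constructed, and the GCS key is assumed to live in a JSON file whose path is what the Keychain item holds.

```shell
#!/bin/sh
# Added example (not code from the thread or the restic project): a backup
# wrapper that pulls restic's credentials from the macOS Keychain at run time.
# Assumptions: each credential was stored once, interactively, as a
# generic-password item, e.g.
#   security add-generic-password -a "$USER" -s restic-repo-password -w
# (a trailing -w makes `security` prompt, so the secret never touches shell
# history). The service names, bucket and project id below are constructed.
set -u

ACCOUNT="${USER:-$(id -un)}"
PASSWORD_SERVICE="restic-repo-password"          # repository password
REPO_SERVICE="restic-repository"                 # e.g. gs:my-bucket:/restic
GCS_KEY_SERVICE="restic-gcs-key-path"            # path to the service-account JSON
GOOGLE_PROJECT_ID="example-project-123"          # not secret, so kept in the script

# keychain_get SERVICE: prints the item's secret; non-zero status if absent.
keychain_get() {
  security find-generic-password -a "$ACCOUNT" -s "$1" -w 2>/dev/null
}

# restic_env: exports what restic reads from the environment. Returns 1 if
# any item is missing or empty, so an unattended launchd job fails loudly
# instead of hanging on an interactive password prompt.
restic_env() {
  repo=$(keychain_get "$REPO_SERVICE") || { echo "keychain: no $REPO_SERVICE" >&2; return 1; }
  keyfile=$(keychain_get "$GCS_KEY_SERVICE") || { echo "keychain: no $GCS_KEY_SERVICE" >&2; return 1; }
  [ -n "$repo" ] && [ -n "$keyfile" ] || return 1
  export RESTIC_REPOSITORY="$repo"
  export GOOGLE_PROJECT_ID
  export GOOGLE_APPLICATION_CREDENTIALS="$keyfile"
  # The password itself is never put in the environment or on a command
  # line: restic runs this command and reads the secret from its stdout.
  export RESTIC_PASSWORD_COMMAND="security find-generic-password -a $ACCOUNT -s $PASSWORD_SERVICE -w"
  return 0
}

# Run the backup only when invoked as `./restic-backup.sh run`; sourcing the
# file (or running it without the argument) just defines the functions.
if [ "${1:-}" = run ]; then
  restic_env || exit 1
  exec restic backup "$HOME/Documents"
fi
```

Add the three items once, interactively, then run `./restic-backup.sh run` from a terminal before scheduling it, so any Keychain access prompt is answered before launchd runs the job unattended.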