support keyring for passphrase storage #392

Closed
ThomasWaldmann opened this issue Nov 9, 2015 · 17 comments

@ThomasWaldmann
Member

commented Nov 9, 2015

Consider using https://github.com/jaraco/keyring as it's maintained and supports GNOME, KDE, OS X, and others.

Supersedes #184 and #78.

@ThomasWaldmann ThomasWaldmann changed the title support keyring for passphrase storage for automated backups support keyring for passphrase storage Nov 9, 2015

@anarcat

Contributor

commented Nov 9, 2015

keyring is packaged in Debian, FWIW, all the way down to Debian:

[995]anarcat@angela:~$ rmadison python3-keyring
debian:
 python3-keyring | 0.7.1-1+deb7u1 | wheezy           | all
 python3-keyring | 3.8-1~bpo70+1  | wheezy-backports | all
 python3-keyring | 4.0-1          | jessie-kfreebsd  | all
 python3-keyring | 4.0-1          | jessie           | all
 python3-keyring | 5.6-1          | stretch          | all
 python3-keyring | 5.6-1          | sid              | all
ubuntu:
 python3-keyring | 0.7.1-1fakesync1       | precise/universe          | all
 python3-keyring | 0.9.2-0ubuntu0.12.04.2 | precise-security/universe | all
 python3-keyring | 0.9.2-0ubuntu0.12.04.2 | precise-updates/universe  | all
 python3-keyring | 3.5-1                  | trusty/universe           | all
 python3-keyring | 4.0-1ubuntu1           | vivid                     | all
 python3-keyring | 4.0-1ubuntu1           | wily                      | all
 python3-keyring | 5.6-1ubuntu1           | xenial                    | all

@ghost

commented Jul 15, 2016

Hi, is gnome-keyring going to be supported? This seems to be the only reasonably secure way of automating encrypted backups...

@enkore

Contributor

commented Jul 15, 2016

If the headline were implemented then, yes.

As to reasonably secure... well... a keyring is a bit better than having it in plain-text in the script. For the backup to run, the keyring still has to be unlocked (with the password then available for attackers as well). Since we're talking automated, it likely is often unlocked.

Also note that you don't have to put the passphrase in the script. You could use e.g. secret-tool(1) to get it from the key ring with no specific support from borg. Someone on IRC recently made his scripts fetch the passphrase from a physical security token. There are many possibilities to do things like this right now...

@enkore

Contributor

commented May 31, 2017

Use BORG_PASSCOMMAND.

E.g., using Linux keyring stuff:

  1. Store password, secret-tool store borg-repository some-borg-repo --label="Borg Password"
  2. BORG_PASSCOMMAND="secret-tool lookup borg-repository some-borg-repo" borg list/create/...

This should work with other keyrings as well, e.g. OSX.

@enkore enkore added documentation and removed enhancement labels May 31, 2017

@enkore

Contributor

commented May 31, 2017

Documentation Task: Test and document using the different keyrings (Linux, OSX)

@Simounet

commented Jun 8, 2017

Hi there,
I would love to use the secret-tool to handle my Borg password. I tried to add it to a cronjob, it asks me to unlock my keyring. Do you have any hint for me?

@RonnyPfannschmidt

Contributor

commented Jun 8, 2017

that bit belongs exclusively to secret-tool, borg can't help with it

@Simounet

commented Jun 8, 2017

I agree but @enkore seems to have used it so I thought it might be useful to Borg users.

@enkore

Contributor

commented Jun 8, 2017

Well the keyring needs to be unlocked to get passwords from it. If it isn't unlocked already, that should result in a prompt.

If the keyring is always unlocked anyway, then there is no real advantage to PASSCOMMAND over PASSPHRASE.

@Simounet

commented Jun 8, 2017

Hmmm ok, I see. Thanks for the tip. I thought that an opened session could access a password without being prompted.

@enkore

Contributor

commented Jun 8, 2017

It should be able to.

secret-tool uses the DBUS-stuff, so it probably needs to run with the same X11 DISPLAY env-var as your desktop session / where the unlocked session is.

@Simounet

commented Jun 8, 2017

In my case (a cronjob) it feels like it is not the same session. Too bad!

@enkore

Contributor

commented Jun 8, 2017

If it's running under the same user, DISPLAY=:0 / DISPLAY=:1 might be enough.

@Simounet

commented Jun 8, 2017

It's working perfectly with DISPLAY=:0. Thanks!
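
The cron setup this exchange arrives at, as an added example that is not part of the thread or of borg: a wrapper that checks the `BORG_PASSCOMMAND` lookup before starting a backup and skips the run when the keyring is locked or unreachable. The `secret-tool` attributes and `DISPLAY=:0` are taken from the comments above; the repository path, the 15-second limit and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not borg project code. The secret-tool attribute/value pair and
# DISPLAY=:0 come from the thread above; repository and paths are placeholders.

# Command borg runs to obtain the passphrase (override via the environment).
: "${PASSCOMMAND:=secret-tool lookup borg-repository some-borg-repo}"

# Preflight: run the lookup once (via sh -c) with no terminal attached.
# Succeeds only if it exits 0 and prints a non-empty secret; the value is held
# briefly in a shell variable and never echoed.
passcommand_ok() {
    limit=""
    # A locked keyring may try to prompt; bound the wait when timeout(1) exists.
    if command -v timeout >/dev/null 2>&1; then limit="timeout 15"; fi
    secret=$($limit sh -c "$PASSCOMMAND" </dev/null 2>/dev/null) || return 1
    if [ -z "$secret" ]; then return 1; fi
    unset secret
}

# Run "borg create" with the given arguments, or fail closed: if the lookup
# does not work, borg is not started at all.
run_backup() {
    # cron provides a minimal environment; the thread reports that DISPLAY=:0
    # let secret-tool reach the unlocked desktop session of the same user.
    DISPLAY="${DISPLAY:-:0}"
    export DISPLAY
    if ! passcommand_ok; then
        echo "borg-cron: passphrase lookup failed (keyring locked or unreachable), backup skipped" >&2
        return 1
    fi
    BORG_PASSCOMMAND="$PASSCOMMAND" borg create "$@"
}

# Typical use from a cron-invoked script that sources this file (placeholders):
#   run_backup /path/to/repo::'{now}' /home/user
```

A non-zero return from `run_backup` gives cron something to report, so a locked keyring shows up as a skipped backup rather than a silent gap.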

@ThomasWaldmann

Member Author

commented Jun 8, 2017

^^^ sounds like a FAQ entry.

milkey-mouse added a commit to milkey-mouse/borg that referenced this issue Jul 16, 2017
Describe how to use macOS/GNOME keyrings for repository passphrases (fixes borgbackup#392)

I haven't tested the macOS instructions yet, they were made with a
careful reading of the security man pages. I also haven't made the
equivalent tutorial for the KDE keyring equivalent (KWallet) yet.
milkey-mouse added a commit to milkey-mouse/borg that referenced this issue Jul 16, 2017
Detail how to use macOS/GNOME keyrings for repo passwords (fixes borgbackup#392)

I haven't tested the macOS instructions yet, they were made with a
careful reading of the security man pages. I also haven't made the
equivalent tutorial for the KDE keyring equivalent (KWallet) yet.

@enkore enkore closed this in 756dea7 Jul 24, 2017

enkore added a commit that referenced this issue Jul 24, 2017
Merge pull request #2837 from milkey-mouse/fix392
Detail how to use macOS/GNOME/KDE keyrings for repo passwords (fixes #392)

@piegamesde

commented Sep 7, 2018

I don't quite understand -- is https://github.com/jaraco/keyring in use or not? The only thing I could find in the documentation regarding Gnome, KDE etc. seems to refer to their specific commands and not to that tool linked here which is quite confusing.

@hrehfeld

commented Jul 13, 2019

  File "/usr/lib/python3.7/site-packages/keyring/core.py", line 55, in get_password
    return _keyring_backend.get_password(service_name, username)
  File "/usr/lib/python3.7/site-packages/keyring/backends/chainer.py", line 44, in get_password
    password = keyring.get_password(service, username)
  File "/usr/lib/python3.7/site-packages/keyring/backends/kwallet.py", line 100, in get_password
    raise KeyringLocked("Failed to unlock the keyring!")
keyring.errors.KeyringLocked: Failed to unlock the keyring!

Seems like it is in use.
