using borg with smartcards, crypto sticks, etc.

[ThomasWaldmann]

borg has no special interface / does not use some special api for smartcards or crypto usb sticks.

But there is this:

environment vars for the passphrase

https://borgbackup.readthedocs.io/en/stable/usage/general.html#environment-variables

• BORG_PASSPHRASE - directly give a passphrase to borg

• BORG_PASSCOMMAND - execute a shell command which outputs the passphrase

• BORG_PASSPHRASE_FD - read the passphrase from an open file descriptor

With these, some tool that might come with your hardware and some shell scripting, you can "glue together" the hardware and borg (no internal change in borg is needed for that).

You can use repokey as well as keyfile mode of borg for this, the passphrase that would unlock (decrypt) the key would from / via your special hardware, borg's encrypted key would be stored as usual.

environment vars for the key directory

Alternatively, for usb sticks with encrypted mass storage, the BORG_KEYS_DIR (or BORG_KEY_FILE) environment variable could be used to let borg read the keyfile directly from the storage on the stick (keyfile mode).

The storage needs to be mounted at some place and BORG_KEYS_DIR (or BORG_KEY_FILE) needs to point into there (doing that is also scripting and outside the scope of what borg does internally).

[ThomasWaldmann]

I personally do not use smartcards / crypto sticks (yet?), so I can not help much more than this.

So if anybody already has a setup for this, please add scripts and setup tips below.

[jans23]

if you want a free Nitrokey device to develop and test such feature, please drop us an email (see https://www.nitrokey.com/contact ).

[klausenbusk]

So if anybody already has a setup for this, please add scripts and setup tips below.

Something like this should do it (assuming the key is on a smartcard):

head -c 32 /dev/urandom | base64 | gpg --encrypt -r <key on smartcard ID> > ~/.borg-passphrase.gpg
export BORG_PASSCOMMAND="gpg --decrypt $HOME/.borg-passphrase.gpg"

[ThomasWaldmann]

It would be useful if a nitrokey (yubikey, ...) user could confirm that the solution @klausenbusk was suggesting is actually working.

If you test it, report back whether it is working and give the hardware / key setup you are using.

If it can be made working that simply, guess there is no need for hardware key specific development work (but we could add it to the docs / faq).

[klausenbusk]

It would be useful if a nitrokey (yubikey, ...) user could confirm that the solution @klausenbusk was suggesting is actually working.

The Quick Start guide already contains a example using pass, pass use GPG under the hood, so I can't see why it shouldn't work.

Nevertheless I did a quick test with my YubiKey 4 and it seems to work:

$ head -c 32 /dev/urandom | base64 | gpg --encrypt -r kristian@klausen.dk > borg-passphrase.gpg
$ export BORG_PASSCOMMAND="gpg --decrypt borg-passphrase.gpg"
$ borg init -e keyfile foo
gpg: encrypted with 4096-bit RSA key, ID 89694FF686B54D0A, created 2019-06-02
      "Kristian Klausen <kristian@klausen.dk>"

By default repositories initialized with this version will produce security
errors if written to with an older version (up to and including Borg 1.0.8).

If you want to use these older versions, you can disable the check by running:
borg upgrade --disable-tam foo

See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications.

IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
Use "borg key export" to export the key, optionally in printable format.
Write down the passphrase. Store both at safe place(s).

[ThomasWaldmann]

OK, so does anybody feel like making pull requests against master (and after review against 1.1-maint), adding this method to support all gpg supporting hw crypto keys?

[ThomasWaldmann]

OK, guess what we should do is this:

• only keep the most simple BORG_PASSPHRASE method in the quickstart script
• add a note to the script about other options, pointing to a following section
• add a section below the script about "other options to supply the passphrase"
• mention BORG_PASSCOMMAND there, give an example with "pass" and one with "gpg"
• mention that GPG can optionally be used with a hw crypto stick
• also mention BORG_PASSPHRASE_FD there
• (optional) give a tested(!) example how to use BORG_PASSPHRASE_FD