Use "passcommand"s instead of passphrases #3396
Comments
Twist on the idea: Slightly change the --passphrase option to use a prefix. This is similar to what OpenSSL does. Examples:
To ease the migration, print a warning if the passphrase doesn't start with a known prefix and use it as if there was "pass:" in front of it.

Bonus level 1: For the On Linux, that would be

Bonus level 2: Add a command to generate a passphrase file with the correct permissions.

Bonus level 3: The command should add a backup job to backup the passphrase file to a USB stick. Ask the user for a simple passphrase to encode this one because that passphrase will be used rarely and it might take years before the user needs it again - but when they do, all their data might be at stake. Alternatively, refuse to encrypt this backup and just make it clear that the user must keep the USB stick in a safe place. Safe means here: 1) where they will find it again, 2) where it won't be overwritten by accident, 3) where other people probably won't find it.
This is a good idea but the proposed solution would be a breaking change. Everyone uses First suggestion: add new
@sergethedev17 I think you misread things. I didn't propose what you describe, my proposal was to use a generic Regarding your proposal, instead of adding whole new flags with weird names, what about simply adding a
@piegamesde, I was concerned that @digulla's examples (eg
This definitely resolves the breaking change concern. However, to me it still does not look right that we would be storing file paths and other references in the How about two new parameters:
I am not very familiar with this repo/project. The repo maintainers are probably best placed to suggest which parameters should be added and how they should be named. @warwickmm, could you weigh in on this please?
Environment info
Description
Currently, we have a lot of problems with passwords stored in plain text:
are both sensitive data and both are potentially stored unprotected in the configuration file. There are some things to avoid this issue:
The last one is a nuisance: there are a ton of different password managers and it is impossible to cover them all. The backup tool borgbackup thus has had a genius idea: instead of storing the password, take in a command that will be executed to retrieve the password. This way, everyone can create commands and scripts to retrieve passwords from the most obscure password managers themselves. And since borg has a few already documented, Duplicati would get them basically for free.
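
An added sketch of the two ideas in this thread, the passcommand and the prefixed passphrase option with a warning fallback; it is not Duplicati's or borg's code and not written by any participant here. `pass:`, `env:` and `file:` follow OpenSSL's pass phrase argument forms, while the `cmd:` prefix and all function names are assumptions made for the example.

```python
import os
import shlex
import stat
import subprocess
import warnings


def _from_file(path):
    # Refuse a passphrase file that group or others can read or write.
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(mode):o} is too open, expected 600")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def _from_command(command, timeout=30):
    # Split into argv and run without a shell, so the configured string is
    # not subject to shell expansion. A non-zero exit raises instead of
    # silently yielding an empty passphrase.
    result = subprocess.run(shlex.split(command), capture_output=True,
                            text=True, timeout=timeout, check=True)
    secret = result.stdout.rstrip("\r\n")
    if not secret:
        raise ValueError("passcommand produced no output")
    return secret


def resolve_passphrase(value, environ=None):
    """Return the passphrase that a prefixed option value refers to."""
    environ = os.environ if environ is None else environ
    scheme, sep, rest = value.partition(":")
    if sep:
        if scheme == "pass":
            return rest
        if scheme == "env":
            return environ[rest]
        if scheme == "file":
            return _from_file(rest)
        if scheme == "cmd":  # hypothetical prefix for a passcommand
            return _from_command(rest)
    # Migration path from the thread: no known prefix means a literal value.
    warnings.warn("passphrase has no known prefix; treating it as 'pass:'")
    return value
```

With this shape the configuration file holds only a reference such as `cmd:...` or `file:...`, and a failing command or an over-permissive file stops the run rather than producing a backup encrypted with an empty or wrong passphrase.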