platforms: archlinux and ubuntu
I have a shell script that backs up my data to a restic server. In order to perform the backup, the script needs access to the restic repository password. There are multiple ways to provide restic with the password (user input, env variable, shell command, file) and I am currently saving the password as plaintext in a file.
This file is only accessible to root (the script runs as a systemd service as root) but it does not make it particularly secure. Anyone getting access to my laptop could recover my backup password. I know I can change the password of a repository if my laptop gets stolen but I am looking for a solution that does not involve human intervention. I looked for how people more experienced than me do that but could not find any better way.
The user input method does not suit me as I want the script to be fully automated.
The environment variable method only moves the problem as this variable needs to be set at some point and stored in a file.
A shell command could maybe decrypt the password from a file but that also just moves the problem to store the decryption key. However, if the decryption key could be handled by the system in a secure way that could work. I don't have any experience in that so I don't know where to look but this is the most promising way I found.
Is there a secure way to store the password of a restic repository in order to perform automatic backups that would prevent an attacker (that gets access to the machine) from recovering the password?
I want to avoid manually entering the password. I want the script to be fully automatic. I am looking for some kind of lock on the password file that would open when I am logged in. I have no idea if such a thing exists.
Thanks!
This isn't a problem only related to restic, but to encryption and accessing data in general. As you want the script to be fully automatic, you rightly noted that you need to store the password somewhere. The only way to do this securely is to use some kind of encryption. So you either have to encrypt the whole disk, some parts of it (e.g. /home) or use something external like a thumb drive. This enhanced security comes at the cost of being inconvenient to some degree. PAM can be used in conjunction with mounting, so that the decryption happens automatically when you log in.
The downside to this approach is that the login password has to be secure. If you log in often, this could get annoying. Another way would be to create an encrypted container and just open it after you log in, so that you have separate passwords. Either way, you have to authenticate somewhere by entering a password or supplying a key file.
It would be a good idea to create separate backups of that password file, so as not to lose access to the restic repository in case your encrypted disk/drive fails for some reason.
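One way to combine the answer's "encrypted container opened at login" idea with restic's password-command option (the shell-command method the question mentions) is a small fail-closed password command. This is an added example, not code from the thread or from the restic project: it assumes Linux (GNU `stat`, util-linux `mountpoint`) and restic's `--password-command` / `RESTIC_PASSWORD_COMMAND` option, which runs a command and reads the repository password from its stdout. The paths `/mnt/secrets/restic.pw` and `/usr/local/lib/restic-pw.sh` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-closed "password command" for
# restic. Assumes Linux (GNU stat, util-linux `mountpoint`) and restic's
# --password-command / RESTIC_PASSWORD_COMMAND option, which runs a command
# and takes its stdout as the repository password.

# restic_password_from_file FILE [MOUNTPOINT]
#   Prints the first line of FILE on stdout, but only if:
#     - MOUNTPOINT (if given) is currently a mounted filesystem, i.e. the
#       encrypted container or volume holding the secret has been opened;
#     - FILE is a regular file with owner-only permissions (0400 or 0600).
#   Any other condition prints a diagnostic on stderr and returns non-zero,
#   so restic gets no password and the backup stops instead of running with
#   a secret that is lying around unprotected.
restic_password_from_file() {
    f=$1
    mnt=$2

    if [ -n "$mnt" ] && ! mountpoint -q "$mnt"; then
        echo "refusing: $mnt is not mounted (encrypted store not opened)" >&2
        return 2
    fi
    if [ ! -f "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 3
    fi
    mode=$(stat -c '%a' -- "$f") || return 3
    case $mode in
        400|600) ;;
        *) echo "refusing: $f has mode $mode, want 0400 or 0600" >&2; return 4 ;;
    esac
    # restic uses the whole stdout as the password, so emit exactly one line.
    head -n 1 -- "$f"
}

# When run directly, behave as the password command, e.g. (hypothetical paths):
#   restic -r sftp:backup:/repo \
#     --password-command '/usr/local/lib/restic-pw.sh /mnt/secrets/restic.pw /mnt/secrets' \
#     backup /home
if [ "$#" -ge 1 ]; then
    restic_password_from_file "$@"
fi
```

With the secret stored on the container that PAM (or you, by hand) mounts after login, the backup service simply fails when the container is not open, which is the "lock that opens when I am logged in" behaviour the question asks for; the plaintext is never written to the unencrypted disk. For a systemd service the same condition can be expressed declaratively with `ConditionPathIsMountPoint=` on the unit, so the service does not even start while the store is closed.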