Restic backups with secure secret storage

I’ve been using restic for backups for a few months now, and there are a lot of great resources out there to get started setting that up. However, most tutorials will have you store application keys and passwords in plaintext, which is not ideal from a security standpoint. I spent some time figuring out a better way, and I’m sharing what I’ve discovered on GitHub!

Below is an excerpt from the documentation for what I’ve put together so far. For the full version, along with the scripts I use on my system and any updates I make in the future, go to the repository on GitHub.

Initially, I started out following the restic documentation and this excellent guide from Backblaze. I did my first rounds of backups on my old Windows system using the recommended environment variables and entering the restic password at the prompt, but on Linux, I wanted to put together a more security-oriented way of doing backups. Maybe it’s my background in healthcare software with the accompanying security requirements, but I don’t feel comfortable storing sensitive data like keys and passwords in plaintext, even if only root technically has permission to access it. That only helps as long as the OS is running to enforce permissions, and as long as nobody else gains root access to my system somehow. Those are both worst-case scenarios, but compromises like that do happen.

I found a few mentions of secret-tool when researching how to securely store passwords and other secrets on Linux, but no ready-made examples of how to apply that to my setup. My goal for the scripts in this repository is to be that example (as well as, you know, being functional for backing up my files). Fortunately, it’s easy to store and retrieve secrets with the command. There are great examples of it in action in the scripts, but for a quick reference here, this is how it’s used to store a secret:

secret-tool store --label='Descriptive label' key1 value1 key2 value2

It then prompts for a “Password:”, which is the secret to store. It’s also possible to pipe the secret in on stdin, which allows newlines as part of the data; I didn’t see the need to do that for anything I was storing to get my backups set up. Then, to use the stored secret:

secret-tool lookup key1 value1 key2 value2

… will print the stored secret to stdout with a newline after it. This can be stored into an environment variable in a script, or in the case of the repository password, I just give restic the command itself to run when it needs the password.
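Here is an added example of a wrapper script along those lines (it is not code from the post or its repository): the B2 credentials are looked up into environment variables at run time, and the repository password is never placed in the environment at all, since restic runs the lookup command itself. The attribute names (service/account) and the SECRET_TOOL override are assumptions for the illustration; RESTIC_PASSWORD_COMMAND, B2_ACCOUNT_ID and B2_ACCOUNT_KEY are restic’s own variables.

```shell
#!/bin/sh
# Added example, not from the post's repository. Attribute names
# (service/account) and the SECRET_TOOL override are assumptions;
# RESTIC_PASSWORD_COMMAND, B2_ACCOUNT_ID and B2_ACCOUNT_KEY are restic's
# own environment variables.
#
# Store each secret once (each command prompts for the value):
#   secret-tool store --label='restic repo password' service restic account repo-password
#   secret-tool store --label='B2 key id'            service restic account b2-key-id
#   secret-tool store --label='B2 application key'  service restic account b2-app-key

# Overridable so the lookup logic can be exercised without a running keyring.
SECRET_TOOL="${SECRET_TOOL:-secret-tool}"

# Look up one secret by its attributes. Fail loudly on a missing or empty
# result so a locked or absent keyring never degrades into an empty password.
secret_lookup() {
    value=$("$SECRET_TOOL" lookup "$@") || return 1
    if [ -z "$value" ]; then
        echo "secret_lookup: no secret matching: $*" >&2
        return 1
    fi
    printf '%s' "$value"   # $(...) already stripped the trailing newline
}

# The command restic runs itself when it needs the repository password.
# Handing restic the command keeps the password out of the environment
# (which other processes of the same user can read via /proc/<pid>/environ).
restic_password_command() {
    printf '%s lookup service restic account repo-password' "$SECRET_TOOL"
}

# The B2 credentials do go into the environment, fetched at run time only.
run_backup() {
    B2_ACCOUNT_ID=$(secret_lookup service restic account b2-key-id) || exit 1
    B2_ACCOUNT_KEY=$(secret_lookup service restic account b2-app-key) || exit 1
    RESTIC_PASSWORD_COMMAND=$(restic_password_command)
    export B2_ACCOUNT_ID B2_ACCOUNT_KEY RESTIC_PASSWORD_COMMAND
    restic -r "${RESTIC_REPOSITORY:?set to your repository, e.g. b2:bucket:path}" \
        backup "$HOME/Documents"
}

# Only run the backup when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    --run) run_backup ;;
esac
```

Run it as `RESTIC_REPOSITORY=b2:bucket:path ./backup.sh --run` after storing the three secrets; a missing secret aborts the run instead of restic retrying with an empty password.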