Password and Key Hygiene
restic encrypts every repository, so the encryption itself needs no configuration; what decides whether restores are possible, and whether secrets leak, is how you handle the repository password.
Quick Summary
Treat the repository password like the key to all backups:
- Keep it safe (confidential)
- Keep it recoverable (documented for the right people)
- Keep it consistent (automation uses a password file)
Baseline Rules
- Store passwords in root-only files (`chmod 600`)
- Prefer `RESTIC_PASSWORD_FILE` over interactive prompts in automation
- Rotate backend credentials and keep a documented recovery process
Repository Password vs Backend Credentials
| Secret | What it controls | Example |
|---|---|---|
| Repository password | decrypting snapshots | `RESTIC_PASSWORD_FILE` |
| Backend credentials | access to storage location | S3 access keys, SSH keys |
Losing either one blocks restores, but not in the same way. Backend credentials can usually be reissued by the storage provider, whereas a lost repository password cannot be recovered: the snapshots encrypted under it are unreadable for good. A repository can hold more than one key (`restic key add`, `restic key list`, `restic key remove`), so a second password held by a different person is a legitimate recovery path, as long as it is protected as carefully as the first.
Setup Example
```sh
# Private directory and an empty, root-only password file
install -m 700 -d /etc/restic
install -m 600 /dev/null /etc/restic/password
# Write the password without a trailing newline. Replace the placeholder with a
# long random value; typing the real secret on the command line records it in
# shell history (see the warning below), so generate it straight into the file.
printf '%s' 'CHANGE_ME_LONG_RANDOM_VALUE' > /etc/restic/password
```
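The same setup done in a way that never puts the secret on a command line, plus an audit function for the checklist items below (file exists, mode 600 or stricter, owned by the invoking user, non-empty). This is an added example, not from the restic project; it assumes POSIX sh, coreutils or BSD `install` and `stat`, and `/dev/urandom`. The directory, owner and file name are parameters rather than the fixed `/etc/restic/password` path.

```sh
#!/bin/sh
# Added example: create and audit a restic password file.
# Assumes POSIX sh, GNU or BSD `install`/`stat`, and /dev/urandom.

# setup_password_file DIR [OWNER]
# Creates DIR (0700) and DIR/password (0600) holding a freshly generated
# 32-byte random secret, base64 encoded, without a trailing newline.
# The secret is read from /dev/urandom straight into the file, so it never
# appears in argv, shell history, or the process list.
# OWNER is applied only when running as root; otherwise the file stays
# owned by whoever ran the function (the dedicated backup user, for instance).
# Runs in a subshell so `umask 077` does not leak into the caller.
setup_password_file() (
    set -eu
    dir=$1
    owner=${2:-}
    umask 077                             # private from the first byte
    install -m 700 -d "$dir"
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$dir/password"
    chmod 600 "$dir/password"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" "$dir/password"
    fi
)

# _stat FORMAT_GNU FORMAT_BSD FILE: portable stat helper
_stat() {
    stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"
}

# check_password_file FILE
# Returns 0 when FILE is a regular file, mode 0600 or 0400, owned by the
# current user, and non-empty. Prints the first failing check and returns 1.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(_stat '%a' '%Lp' "$f")
    case $mode in
        600|400) ;;
        *) echo "bad mode $mode on $f (want 600)"; return 1 ;;
    esac
    owner=$(_stat '%u' '%u' "$f")
    [ "$owner" = "$(id -u)" ] || { echo "wrong owner uid $owner on $f"; return 1; }
    [ -s "$f" ] || { echo "empty: $f"; return 1; }
    return 0
}

# Example run against a scratch directory (production would use /etc/restic):
#   setup_password_file /tmp/restic-demo
#   check_password_file /tmp/restic-demo/password && echo ok
#   RESTIC_PASSWORD_FILE=/tmp/restic-demo/password restic snapshots
```

`check_password_file` is cheap enough to run from the backup script itself before every `restic` invocation; failing early on a world-readable or empty file is better than discovering the problem during a restore.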
Practical Checklist
- Store the contents of `/etc/restic/password` in your password manager or secure runbook (restricted access); the file on the backup host must not be the only copy
- Ensure only root (or a dedicated backup user) can read the password file
- Test restores after any change to password file location or permissions
Warning: Do not store repository passwords in shell history, CI logs, or public dotfiles, and do not pass them as command-line arguments, where other processes on the host can read them.