[pbs-devel] [PATCH backup] pbs-client: read credentials from $CREDENTIALS_DIRECTORY
Maximiliano Sandoval
m.sandoval at proxmox.com
Wed Mar 26 11:46:37 CET 2025
Jörg Behrmann <proxmox at behrmj87m.dialup.fu-berlin.de> writes:
> Hi!
>
> Sorry to chime in from the sidelines, I just saw this patch set, which makes me
> very happy.
:)
> It would be great if everything that can be set via envvar could be set, via
> credential as well, most importantly I am thinking about the repository, since
> systemd can accept credentials passed in via smbios type 11 strings.
Makes sense, I can prepare a follow-up with some of these if this patch
is applied.
> There is a bug report against the PVE web UI open to be able to set arbitrary
> key pairs for that [1]. This would allow configuring the pbs client for a VM
> directly from the PVE web UI.
>
> Another comment further down inline.
>
> Thanks for this work!
>
> best regards,
> Jörg Behrmann
>
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=5601
>
> On Mon, Mar 24, 2025 at 01:35:42PM +0100, Maximiliano Sandoval wrote:
>> Allows loading credentials passed down by systemd. A possible use-case
>> is safely storing the server's password in a file encrypted by the
>> system's TPM, e.g. via
>>
>> ```
>> systemd-ask-password -n | systemd-creds encrypt --name=pbs-password - my-api-token.cred
>> ```
>> ...
>> +/// Gets an encryption password.
>> +///
>> +/// We first try reading from the `PBS_ENCRYPTION_PASSWORD` environment
>> +/// variable, then we try reading from the `pbs-encryption-password`
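Review bot: the doc comment's lookup description should say where the `pbs-encryption-password` credential is read from (`$CREDENTIALS_DIRECTORY`, as the subject states) and make explicit that a set `PBS_ENCRYPTION_PASSWORD` takes precedence over the credential, so an operator who deploys the TPM-protected credential is not silently overridden by an environment value left in a unit or shell profile.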
>
> The name for credentials is pretty free form and dashes are the correct
> namespacing for systemd units, but when grepping for SetCredential= and
> LoadCredential= in the systemd codebase, you'll see that dots are the more
> idiomatic way of namespacing credentials. This idiom has also spread to other
> projects, e.g. util-linux (see the credential support in agetty).
>
> The better name would therefore be pbs.encryption.password or
> pbs.encryption-password or pbs.encryption_password, depending on what exactly
> the namespacing you want to communicate is.
You are right, I will send a v3 using `proxmox-backup-client.password`
and `proxmox-backup-client.encryption-password`.
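The lookup order discussed in this thread (environment variable first, then the systemd credential under `$CREDENTIALS_DIRECTORY`, using the dotted name agreed on above) as an added Rust example; it is not code from the patch or from proxmox-backup-client, and the function names, the explicit `creds_dir` parameter, the credential-name check and the single-trailing-newline trim are this example's own assumptions.

```rust
use std::env;
use std::fs;
use std::path::{Path, PathBuf};

/// Which source supplied the secret; useful when logging which one won.
#[derive(Debug, PartialEq)]
pub enum Source {
    Env,
    CredentialsDirectory,
}

/// Accept only a single plain path component so that a credential name can
/// never escape the credentials directory (e.g. "../etc/shadow").
pub fn valid_credential_name(name: &str) -> bool {
    !name.is_empty()
        && name != "."
        && name != ".."
        && !name.contains('/')
        && !name.contains('\0')
}

/// Load a secret: the environment variable wins, then the systemd credential
/// `<creds_dir>/<name>`. `creds_dir` is normally `$CREDENTIALS_DIRECTORY`;
/// it is a parameter here (an assumption of this example) to allow testing.
pub fn load_secret(
    env_var: &str,
    name: &str,
    creds_dir: Option<&Path>,
) -> Option<(String, Source)> {
    if let Ok(value) = env::var(env_var) {
        if !value.is_empty() {
            return Some((value, Source::Env));
        }
    }
    if !valid_credential_name(name) { return None; }
    let path: PathBuf = creds_dir?.join(name);
    // Strip at most one trailing newline, so a credential created with a plain
    // `echo` behaves like one created with `systemd-ask-password -n`.
    let raw = fs::read_to_string(&path).ok()?;
    let value = raw.strip_suffix('\n').unwrap_or(&raw).to_string();
    if value.is_empty() { return None; }
    Some((value, Source::CredentialsDirectory))
}

/// Wrapper for the encryption password using the real `$CREDENTIALS_DIRECTORY`.
pub fn load_encryption_password() -> Option<(String, Source)> {
    let dir = env::var_os("CREDENTIALS_DIRECTORY").map(PathBuf::from);
    load_secret("PBS_ENCRYPTION_PASSWORD", "proxmox-backup-client.encryption-password", dir.as_deref())
}
```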