[Borgbackup] Providing passphrase on the command line (Terminal)

Sitaram Chamarty sitaramc at gmail.com
Mon Jan 29 05:39:43 EST 2018


On Mon, Jan 29, 2018 at 10:32:47AM +0100, Marian Beermann wrote:
> On 29.01.2018 06:36, Sitaram Chamarty wrote:
> > On Mon, Jan 29, 2018 at 06:12:58AM +0100, azarus wrote:
> >>
> >>
> >> On 29 January 2018 03:51:06 CET, Howard Mann <howardm at xmission.com> wrote:
> >>> Hi,
> >>>
> >>> I’m a new (non-techie) Borg user. I’ve successfully created a
> >>> repository— with passphrase-associated encryption. I use Mac OS.
> >>>
> >>> For each individual command I now issue in Terminal, such as “borg
> >>> list…” I have to enter the requested passphrase.
> >>>
> >>> Is there a way I can avoid (or minimize) this requirement?
> >>>
> >>> I know about the use of “export
> >>> BORG_PASSPHRASE=‘superawesomepassphrase’” in a script, which I’ve
> >>> created and used successfully.
> >>
> >> What you've just mentioned can be used inside a script or outside a script and is called an 'environment variable'.
> >>
> >> Borg regards that environment variable either way, so I'd just export it before listing the repos.
> > 
> > I'm also using that environment variable, but that is not ideal.
> > On multi-user systems where /proc is mounted by default, it can
> > reveal the passphrase to a "ps" command.
> 
> Process environments are private. "export FOO=bar" can't be observed by
> ps, because "export" can't be a command, but must always be a shell
> built-in.
> 
> Even if you do "FOO=bar some_command", the "FOO=bar" part is interpreted
> by the shell and won't show up in ps.

You're right; I forgot that it's only root that can pull
environment variables from another user's process.

Still, using environment variables makes it too easy for root.
Using a pipe makes him work harder to get your password!
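
An added illustration of the distinction discussed in this thread (not code from any of the posters or from the Borg project): the script starts a child process that receives a constructed placeholder passphrase as a command-line argument, as an environment variable, and through a pipe, then checks where it can be read back. It assumes Linux with /proc mounted; `DEMO_PASSPHRASE`, `probe` and `seen_in` are hypothetical names. The probe runs as the process owner, who (like root) can read `/proc/<pid>/environ`; other users can normally read only `/proc/<pid>/cmdline`, which is what `ps` shows.

```sh
#!/bin/sh
# Added example, Linux-only: relies on /proc being mounted.
SECRET='constructed-demo-passphrase'   # constructed placeholder value

# Print "yes" if $3 occurs in /proc/<pid>/<file> (NUL-separated), else "no".
seen_in() {
    if tr '\0' '\n' 2>/dev/null < "/proc/$1/$2" | grep -qF -- "$3"; then
        echo yes
    else
        echo no
    fi
}

# Start a child that receives SECRET by the given method, then report
# where the owning user can read it back from /proc.
probe() {
    case "$1" in
        arg)   # passphrase as a command-line argument
            sh -c 'sleep 3; :' demo "$SECRET" >/dev/null 2>&1 & ;;
        env)   # the "FOO=bar some_command" form from the thread
            DEMO_PASSPHRASE="$SECRET" sh -c 'sleep 3; :' >/dev/null 2>&1 & ;;
        pipe)  # passphrase written to the child's stdin through a pipe
            printf '%s\n' "$SECRET" |
                sh -c 'read -r p; sleep 3; :' >/dev/null 2>&1 & ;;
    esac
    pid=$!
    sleep 1   # give the child time to exec (and read) before inspecting it
    echo "cmdline=$(seen_in "$pid" cmdline "$SECRET") environ=$(seen_in "$pid" environ "$SECRET")"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

for method in arg env pipe; do
    printf '%-5s %s\n' "$method" "$(probe "$method")"
done
```
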

