Hi,
someone can help me to make BORG_PASSCOMMAND export persistent between reboot?
e.g export BORG_PASSCOMMAND=“cat ~/borg_password.txt” OR
export BORG_PASSCOMMAND=“qrexec-client-vm vault-backup ‘qubes.BorgPassword’”
thank you
mkdir -p /home/user/.config/environment.d/
cat <<'EOF' >/home/user/.config/environment.d/borg.conf
BORG_PASSCOMMAND="qrexec-client-vm vault-backup 'qubes.BorgPassword'"
EOF
or add this to your shell profile in the user (should be ~/.bash_profile or ~/.bashrc)
export BORG_PASSCOMMAND="qrexec-client-vm vault-backup 'qubes.BorgPassword'"
4 Likes
Hi Solene,
thank you.
I never used Qrexec, is the following step are ok to give the Borg password from AppVM vault to AppVm vault-backup-borg? So will be more safety and Qubes OS like.
Or there is a better solution (more clear)?
thank you again!
-
Into the AppVM vault:
a. Create file that contains Borg password.
cat > /rw/config/borg-pass <<'EOF' herewritesecretpassword EOF chmod 600 /rw/config/borg-passb. Create script RPC that read password file:
nano /rw/config/borg.Password #!bin/sh cat /rw/config/borg-passc. Make script executable:
chmod +x /rw/config/borg.Passwordd. Copy the script into /etc/qubes-rpc/ at boot so will be persistent at reboot:
nano /rw/config/rc.local sudo cp /rw/config/borg.Password /etc/qubes-rpc/borg.Password
2.Into Dom0:
e. Define the policy. Create file /etc/qubes/policy.d/30-borg-password.policy
sudo nano /etc/qubes/policy.d/30-borg-password.policy
with inside:
borg.Password vault vault-backup-borg allow
borg.Password * * deny
f. Test if policy works. From dom0 terminal:
qubes-policy-tool borg.Password vault-backup-borg
-
Into AppVM vault-backup-borg
g. put export into the file /rw/config/rc.local so will be persistent at reboot:
echo 'export BORG_PASSCOMMAND="qrexec-client-vm vault borg.Password"' >> /rw/config/rc.localh. borg list /home/user/vault-backup-borg