|
|
@@ -42,6 +42,9 @@ postgresql_databases:
|
|
|
password: "{credential keepassxc /etc/keys.kdbx database}"
|
|
|
```
|
|
|
|
|
|
+
|
|
|
+### Custom command
|
|
|
+
|
|
|
You can also optionally override the `keepassxc-cli` command that borgmatic calls to load
|
|
|
passwords:
|
|
|
|
|
|
@@ -49,3 +52,47 @@ passwords:
|
|
|
keepassxc:
|
|
|
keepassxc_cli_command: /usr/local/bin/keepassxc-cli
|
|
|
```
|
|
|
+
|
|
|
+Another example:
|
|
|
+
|
|
|
+```yaml
|
|
|
+keepassxc:
|
|
|
+ keepassxc_cli_command: docker exec keepassxc keepassxc-cli
|
|
|
+```
|
|
|
+
|
|
|
+### Key file
|
|
|
+
|
|
|
+KeePassXC supports unlocking a database with a separate [key
|
|
|
+file](https://keepassxc.org/docs/#faq-keyfile-howto) instead of or in addition
|
|
|
+to a password. To configure borgmatic for that, use the `key_file` option:
|
|
|
+
|
|
|
+```yaml
|
|
|
+keepassxc:
|
|
|
+ key_file: /path/to/keyfile
|
|
|
+```
|
|
|
+
|
|
|
+By default, keepassxc-cli prompts the user for the password to unlock a
|
|
|
+database. But if you only want to provide a key file to unlock your database and
|
|
|
+not a password, for instance to support unattended backups, use the
|
|
|
+`ask_for_password` option:
|
|
|
+
|
|
|
+```yaml
|
|
|
+keepassxc:
|
|
|
+ ask_for_password: false
|
|
|
+ key_file: /path/to/keyfile
|
|
|
+```
|
|
|
+
|
|
|
+### YubiKey
|
|
|
+
|
|
|
+KeePassXC also supports unlocking a database with the help of [a
|
|
|
+YubiKey](https://keepassxc.org/docs/#faq-yubikey-2fa). To configure borgmatic
|
|
|
+for that, use the `yubikey` option:
|
|
|
+
|
|
|
+```yaml
|
|
|
+keepassxc:
|
|
|
+ yubikey: 1:7370001
|
|
|
+```
|
|
|
+
|
|
|
+The value here is the YubiKey slot number (e.g., `1` or `2`) and optional serial
|
|
|
+number (e.g., `7370001`) used to access the KeePassXC database. Join the two
|
|
|
+values with a colon, but omit the colon if you're leaving out the serial number.
|
Dan Helfman