container.md 2.0 KB
title: Container secerts eleventyNavigation: key: • Container
parent: 🔒 Credentials
New in version 1.9.11 When running inside a container, borgmatic can read Docker secrets and Podman secrets. Creating those secrets and passing them into your borgmatic container is outside the scope of this documentation, but here's a simple example of that with Docker Compose:
services:
borgmatic:
# Use the actual image name of your borgmatic container here.
image: borgmatic:latest
secrets:
- borgmatic_passphrase
secrets:
borgmatic_passphrase:
file: /etc/borgmatic/passphrase.txt
This assumes there's a file on the host at /etc/borgmatic/passphrase.txt
containing your passphrase. Docker or Podman mounts the contents of that file
into a secret named borgmatic_passphrase in the borgmatic container at
/run/secrets/.
Once your container secret is in place, you can consume it within your borgmatic configuration file:
encryption_passphrase: "{credential container borgmatic_passphrase}"
This reads the secret securely from a file mounted at
/run/secrets/borgmatic_passphrase within the borgmatic container.
The {credential ...} syntax works for several different options in a borgmatic
configuration file besides just encryption_passphrase. For instance, the
username, password, and API token options within database and monitoring hooks
support {credential ...}:
postgresql_databases:
- name: invoices
username: postgres
password: "{credential container borgmatic_db1}"
You can also optionally override the /run/secrets directory that borgmatic reads secrets from
inside a container:
container:
secrets_directory: /path/to/secrets
But you should only need to do this for development or testing purposes.