How to store passphrase for ssh key under root?

Asked by sjjh

I run BIT as root to back up some non-user files.
Backup happens via ssh, using public/private keys. The key is protected by a passphrase.
For my normal user this passphrase is stored in gnome keyring, but I cannot do this for root in BIT. I activated the checkbox in the profile config to cache the passphrase, still I have to type it in manually the first time I want to run a backup after rebooting.
Is there a way to store the passphrase for BIT run under root permanently? (except using keys without a passphrase)

Ubuntu 13.04, BIT 1.0.26

Question information

Language: English
Status: Solved
For: Back In Time
Assignee: No assignee
Solved by: Germar

Best Germar (germar) said :
#1

Sorry, there is no way to do this for root. Gnome Keyring stores secrets encrypted with your user's password. By default root has no Gnome Keyring because he doesn't have a password at all. You only raise root-permissions through sudo, which will prompt for your non-root user-password.

Sure, you could add a password for your root-account and configure Gnome Keyring for it, too. But then you would need to log in as root in Gnome to unlock Gnome Keyring every time after reboot. So you'd still have to give a separate password but now you wouldn't be prompted automatically any more.

The other option would be to store the password in plain text or with some 'snake oil' encryption which doesn't need a secret to decrypt (e.g. base64). But this wouldn't add any extra security compared to having a private key without passphrase.

sjjh (simon-harhues) said :
#2

Sounds reasonable. I'll then create a second key for root without a passphrase.

I was thinking about other possibilities, e.g. storing the key in a keyring of a user and somehow handing over the key to root when the user logs in. Not sure if that or any other method is feasible. Shall I open a feature request?

sjjh (simon-harhues) said :
#3

Thanks Germar, that solved my question.

Germar (germar) said :
#4

Yepp. I'd recommend creating a new key without passphrase which you will use only for Backintime. If your user home is encrypted you could place the private key inside your user's home (readable for root) so it is protected if you're logged out. You can select that new private key under 'Advanced SSH Settings'.

Root has no access to the user's keyring. There would be some ugly hacks to make that possible. But to be honest I don't like to break security barriers that were made for obvious good reasons.
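
An added example, not part of the thread and not Back In Time's own code: a Python check for the dedicated backup key discussed in #2 and #4, reporting whether a private key file carries a passphrase and whether only its owner can access it. The function names and the header-only sample key are constructed for illustration.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then the bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n]

def key_is_encrypted(pem_text):
    """True if the private key text needs a passphrase to be used."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first == OPENSSH_BEGIN:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First field after the magic is the cipher name; "none" = no passphrase.
        return read_string(blob, len(MAGIC)) != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 container, always passphrase-protected
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        # Legacy PEM keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3])
    raise ValueError("not a recognised private key file")

def audit_key(path):
    """Report passphrase status and whether group/other have any access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="ascii") as fh:
        encrypted = key_is_encrypted(fh.read())
    return {"passphrase": encrypted, "owner_only": (mode & 0o077) == 0, "mode": oct(mode)}

def sample_key(cipher):
    """Constructed sample: header fields only, no real key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return OPENSSH_BEGIN + "\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

For a key without a passphrase, `owner_only` should be true and the file should sit on encrypted storage, since those are then its only protection at rest.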