Merge pull request #9621 from borgbackup/backport-9614-to-master

[Backport master] docs: improve macOS Keychain instructions (fixes #5156)
2026-05-28 04:03:21 -04:00 · 2026-05-13 10:03:39 +02:00 · 2026-05-13 10:03:39 +02:00 · 7c8fa4e787
commit 7c8fa4e787
parent a554fd4e18 4dc21d7ed1
1 changed files with 13 additions and 3 deletions
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -493,15 +493,25 @@ Using ``BORG_PASSCOMMAND`` with macOS Keychain
  the built-in ``security`` command, you can access it from the command line,
  making it useful for ``BORG_PASSCOMMAND``.

-  First generate a passphrase and use ``security`` to save it to your login
-  (default) keychain::
+  To store an existing passphrase in your login (default) keychain::

-    security add-generic-password -D secret -U -a $USER -s borg-passphrase -w $(head -c 32 /dev/urandom | base64 -w 0)
+    security add-generic-password -a $USER -s borg-passphrase -w YOUR_PASSPHRASE
+
+  Alternatively, to generate a new random passphrase and store it::
+
+    security add-generic-password -a $USER -s borg-passphrase -w $(head -c 32 /dev/urandom | base64 -w 0)

  In your backup script retrieve it in the ``BORG_PASSCOMMAND``::

    export BORG_PASSCOMMAND="security find-generic-password -a $USER -s borg-passphrase -w"

+  .. note::
+    If you run ``borg`` using ``sudo``, you must use the ``-E`` (preserve environment)
+    flag to ensure ``BORG_PASSCOMMAND`` is available and executed as the correct
+    user to access the keychain::
+
+      sudo -E borg create ...
+
 Using ``BORG_PASSCOMMAND`` with GNOME Keyring
  GNOME also has a keyring daemon that can be used to store a Borg passphrase.
  First ensure ``libsecret-tools``, ``gnome-keyring`` and ``libpam-gnome-keyring``