read a passphrase from a file descriptor

Read a passpharase from a file descriptor specified in the BORG_PASSPHRASE_FD environment variable.
2026-05-28 04:03:21 -04:00 · 2018-09-20 13:32:34 +02:00 · 2018-09-20 13:32:34 +02:00 · c9c1403685
commit c9c1403685
parent 59c9fccf57
2 changed files with 21 additions and 1 deletions
--- a/borg/key.py
+++ b/borg/key.py
@ -26,7 +26,7 @@ PREFIX = b'\0' * 8


 class PassphraseWrong(Error):
-    """passphrase supplied in BORG_PASSPHRASE or by BORG_PASSCOMMAND is incorrect."""
+    """passphrase supplied in BORG_PASSPHRASE, by BORG_PASSCOMMAND or via BORG_PASSPHRASE_FD is incorrect."""


 class PasscommandFailure(Error):
@ -323,6 +323,9 @@ class Passphrase(str):
        passphrase = cls.env_passcommand()
        if passphrase is not None:
            return passphrase
+        passphrase = cls.fd_passphrase()
+        if passphrase is not None:
+            return passphrase

    @classmethod
    def env_passcommand(cls, default=None):
@ -336,6 +339,16 @@ class Passphrase(str):
                raise PasscommandFailure(e)
            return cls(passphrase.rstrip('\n'))

+    @classmethod
+    def fd_passphrase(cls):
+        try:
+            fd = int(os.environ.get('BORG_PASSPHRASE_FD'))
+        except (ValueError, TypeError):
+            return None
+        with os.fdopen(fd, mode='r') as f:
+            passphrase = f.read()
+        return cls(passphrase.rstrip('\n'))
+
    @classmethod
    def getpass(cls, prompt):
        return cls(getpass.getpass(prompt))
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -172,6 +172,13 @@ General:
        It is used when a passphrase is needed to access an encrypted repo as well as when a new
        passphrase should be initially set when initializing an encrypted repo.
        If BORG_PASSPHRASE is also set, it takes precedence.
+    BORG_PASSPHRASE_FD
+        When set, specifies a file descriptor to read a passphrase
+        from. Programs starting borg may choose to open an anonymous pipe
+        and use it to pass a passphrase. This is safer than passing via
+        BORG_PASSPHRASE, because on some systems (e.g. Linux) environment
+        can be examined by other processes.
+        If BORG_PASSPHRASE or BORG_PASSCOMMAND are also set, they take precedence.
    BORG_DISPLAY_PASSPHRASE
        When set, use the value to answer the "display the passphrase for verification" question when defining a new passphrase for encrypted repositories.
    BORG_LOGGING_CONF