On Thu, Jun 26, 2025, at 2:42 AM, Eric Bollengier via Bacula-devel wrote:
> Hello,
>
> This is a very good topic. It's not so elegant, but I think you can cover your
> need today with the @ macro in the configuration file.
>
> You can execute a command that will generate the password (reading from a file
> for example, or doing some query in a database), or read a file.
>
> If you want to just read from a file:
>
> Client {
> Name = myclient-fd
> @/opt/bacula/etc/myclient.password
> Address = myclient.lan
> File Retention = 5 years
> Job Retention = 5 years
> ..
> }
>
> and in /opt/bacula/etc/myclient.password
> you have
>
> # cat /opt/bacula/etc/myclient.password
> Password = "this is a secret"
We use this in production at $WORK. All secrets are stored using this approach.
All configuration files are stored in repos. There are no secrets in repos.
--
Dan Langille
d...@langille.org
_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
