Extend handling of a new passphrases

steelman · steelman · commit 252663fa3dbe · 2025-08-17T22:21:51.000+02:00
Enable reading of a new passphrase not only from BORG_NEW_PASSPHRASE
environement variable but also from a passcommandoor a file descriptor.

If Passphrase.new() is called from FlexiKey.change_passphrase(), do
not read a passphrase from regular sources (i.e. BORG_PASSPHRASE
et al.) if it is available via one of the "new" ones (BORG_NEW_PASSPHRASE
et al.). This makes it possible to change passphrases in
fully non-interactive manner.
diff --git a/src/borg/crypto/key.py b/src/borg/crypto/key.py
@@ -545,7 +545,7 @@ def _save(self, passphrase, algorithm):
 
     def change_passphrase(self, passphrase=None):
         if passphrase is None:
-            passphrase = Passphrase.new(allow_empty=True)
+            passphrase = Passphrase.new(allow_empty=True, only_new=True)
         self.save(self.target, passphrase, algorithm=self._encrypted_key_algorithm)
 
     @classmethod
diff --git a/src/borg/helpers/passphrase.py b/src/borg/helpers/passphrase.py
@@ -47,21 +47,27 @@ def _env_passphrase(cls, env_var, default=None):
             return cls(passphrase)
 
     @classmethod
-    def env_passphrase(cls, default=None, other=False):
+    def env_passphrase(cls, default=None, other=False, new=False):
+        if other and new:
+            raise ValueError("Only one of 'other' and 'new' may be true")
         env_var = "BORG_OTHER_PASSPHRASE" if other else "BORG_PASSPHRASE"
+        env_var = "BORG_NEW_PASSPHRASE" if new else env_var
         passphrase = cls._env_passphrase(env_var, default)
         if passphrase is not None:
             return passphrase
-        passphrase = cls.env_passcommand(other=other)
+        passphrase = cls.env_passcommand(other=other, new=new)
         if passphrase is not None:
             return passphrase
-        passphrase = cls.fd_passphrase(other=other)
+        passphrase = cls.fd_passphrase(other=other, new=new)
         if passphrase is not None:
             return passphrase
 
     @classmethod
-    def env_passcommand(cls, default=None, other=False):
+    def env_passcommand(cls, default=None, other=False, new=False):
+        if other and new:
+            raise ValueError("Only one of 'other' and 'new' may be true")
         env_var = "BORG_OTHER_PASSCOMMAND" if other else "BORG_PASSCOMMAND"
+        env_var = "BORG_NEW_PASSCOMMAND" if other else env_var
         passcommand = os.environ.get(env_var, None)
         if passcommand is not None:
             # passcommand is a system command (not inside pyinstaller env)
@@ -73,8 +79,11 @@ def env_passcommand(cls, default=None, other=False):
             return cls(passphrase.rstrip("\n"))
 
     @classmethod
-    def fd_passphrase(cls, other=False):
+    def fd_passphrase(cls, other=False, new=False):
+        if other and new:
+            raise ValueError("Only one of 'other' and 'new' may be true")
         env_var = "BORG_OTHER_PASSPHRASE_FD" if other else "BORG_PASSPHRASE_FD"
+        env_var = "BORG_NEW_PASSPHRASE_FD" if new else env_var
         try:
             fd = int(os.environ.get(env_var))
         except (ValueError, TypeError):
@@ -83,10 +92,6 @@ def fd_passphrase(cls, other=False):
             passphrase = f.read()
         return cls(passphrase.rstrip("\n"))
 
-    @classmethod
-    def env_new_passphrase(cls, default=None):
-        return cls._env_passphrase("BORG_NEW_PASSPHRASE", default)
-
     @classmethod
     def getpass(cls, prompt):
         try:
@@ -143,6 +148,9 @@ def fmt_var(env_var):
                 {fmt_var("BORG_PASSPHRASE")}
                 {fmt_var("BORG_PASSCOMMAND")}
                 {fmt_var("BORG_PASSPHRASE_FD")}
+                {fmt_var("BORG_NEW_PASSPHRASE")}
+                {fmt_var("BORG_NEW_PASSCOMMAND")}
+                {fmt_var("BORG_NEW_PASSPHRASE_FD")}
                 {fmt_var("BORG_OTHER_PASSPHRASE")}
                 {fmt_var("BORG_OTHER_PASSCOMMAND")}
                 {fmt_var("BORG_OTHER_PASSPHRASE_FD")}
@@ -151,13 +159,14 @@ def fmt_var(env_var):
             print(passphrase_info, file=sys.stderr)
 
     @classmethod
-    def new(cls, allow_empty=False):
-        passphrase = cls.env_new_passphrase()
-        if passphrase is not None:
-            return passphrase
-        passphrase = cls.env_passphrase()
+    def new(cls, allow_empty=False, only_new=False):
+        passphrase = cls.env_passphrase(new=True)
         if passphrase is not None:
             return passphrase
+        if not only_new:
+            passphrase = cls.env_passphrase()
+            if passphrase is not None:
+                return passphrase
         for retry in range(1, 11):
             passphrase = cls.getpass("Enter new passphrase: ")
             if allow_empty or passphrase:
