Support users of Open Smart Cards like the Nitrokey by providing a graphical interface for their use with Vorta

[ghost]

Is your feature request related to a problem? Please describe.

For my personal security, I use Nitrokeys myself to perform two-factor authentication. Unfortunately, I don't see any way how I can combine this with my use of Vorta as a backup solution.
The issue tracker of borgbackup has already discussed a solution: borgbackup/borg#4549 However, this is not graphical and will therefore not be a real help to most standard users.

Describe the solution you'd like

• Take my Nitrokey to make my backup. So instead of entering my passphrase or password, I insert my Nitrokey to unlock my backup location when the backup should start. My application scenario is running local backups, e.g. on the internal hard disk or with external USB hardware drives. No remote access and cloud storage.

• Secondly, I am also specifically interested in being able to use the capabilities of the "Nitrokey Storage" model and integrate it as a storage location in Vorta, since it also offers encrypted and even hidden volumes, for example, which could be used for particularly secure backups. More about this model at https://www.nitrokey.com/files/doc/Nitrokey_Storage_factsheet.pdf

I think that visually integrating a way of using two-factor authentication in Vorta can help more people learn and use secure and conscious data handling.

[m3nu]

I already use a Yubikey with Vorta. It will just start blinking upon connecting and I confirm. No interface needed. This is for the login, not the encryption.

Your idea is to keep the keyfile on a hardware device? You should provide some more details of how that would work.

[ghost]

I already use a Yubikey with Vorta. It will just start blinking upon connecting and I confirm. No interface needed.

What authentication method do you use with your Yubikey?
Are you referring to local or remote backups?

You should provide some more details of how that would work.

Maybe @ThomasWaldmann and @jans23 can explain this better?

[m3nu]

I keep the SSH key on the Yubikey. For remote backups.

Keeping the keyfile on hardware device would be even better, but I'm not aware of an easy way. It's probably possible with the passphrase command and some GPG trickery.

[ghost]

I keep the SSH key on the Yubikey. For remote backups.

Thanks for your feedback!
Does this way of authentication also work out of the box if you use your Yubikey instead of ssh for local backups, e.g. with USB hardware drives?

It's probably possible with the passphrase command and some GPG trickery.

Please have a look at borgbackup/borg#4549
It should be possible to implement it using Borgs environment vars for the passphrase and environment vars for the key directory. It doesn't seem to be a widely tested solution yet. And the adapted documentation for this has unfortunately not been merged yet. But should not be so tricky, if I have understood the discussion correctly ;-)

[m3nu]

Local backups usually don't use SSH, so no hardware key involved.

What's the suggestions exactly? Any new feature would need to be universally useful for most users. It's already possible to use the BORG_PASSCOMMAND to roll your own hardware key solution.

[ghost]

What's the suggestions exactly?

Please take a look at my baseline scenario again. #365 (comment)

I think that the best possible graphical support of Open Smart Cards and two-factor authentication in Vorta is something that can have a very big universal benefit for its users. However, users should be able to set this up, even without any knowledge of scripts and Borg parameters. Only then is it really a universal feature in my eyes.
Maybe my idea is simply to translate the parameters in the linked Borg issue into an appealing and understandable visual interface for Vorta.
The solution should enable me to realize my two concerns from above with Vorta.