How do I recover the key for autorestic if I redeployed entire config (restic REST backend)?

[Kenya-West]

This is updated question

Let's imagine I have restic REST server setup (via Docker). It is no big deal, docs can help.

I successfully setup autorestic with this REST backend despite the wrong fields in config file. Initialized repository, and it works seamlessly fine.

But now I discovered the case that if I suddenly rewrite config and try to initialize repo in the backend again, it falls with error:

autorestic backup -c /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.yaml -a -v

Using config:    /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.yaml
Using env:       /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.env
Using lock:      /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.lock.yml


    Backing up location "home_user"

Backend: somedest
> Executing: /usr/local/bin/restic backup --tag ar:location:home_user /home/kenyawest
Fatal: wrong password or no key found

home_user@somedest:
Fatal: wrong password or no key found
exit status 12

Error: 1 errors were found

The keys do not match. Even if put the server key in autorestic config, it does not help, the error Fatal: wrong password or no key found stays the same.

How do I restore the key for autorestic to continue to use the same repo for restic REST backend?

---

According to the docs page, the first thing I have to do is to get so called masterkey. With masterkey, I can access restic backups even if I suddenly reset the config file (which could and will happen at some point... sometimes people like get silly/dumb and forget things).

Let's begin with the new setup. Make a successful backup, then retrieve the master key:

autorestic exec -c /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.yaml -av -- cat masterkey

I get:

{
  "mac": {
    "k": "R522zKqXKQbXik+jhUAfvQ==",
    "r": "x3JF7/1kYJ37tYdV3zLXJQ=="
  },
  "encrypt": "GJU5lITc6iDyaVtwThXfT5FDyCWoqt4qul+0QVMbnpU="
}

while on restic REST server, I have:

{
    "created": "2025-01-11T19:40:05.180354722Z",
    "username": "someuser",
    "hostname": "some_restic_client_machine",
    "kdf": "scrypt",
    "N": 32768,
    "r": 8,
    "p": 5,
    "salt": "auaLvaucHNhSXVzVinxDIEYfqzi5+8LI6PUX5cHs0p2+A4glaBfps/vLCUNmwhQBVOFoyzkujPkWxDFlF+P23g==",
    "data": "AQfzxGPCZY3Z0foY4x4+SxdZKoih3/CYGbSDqnM54pRKZaILCqc7fjJANB1YauJ7pc95tgeyC1mmR6yWjxCJucH4szlJ3EVecQ/cjZ3xxyCSK5nqcTjrnyJtQuXqjxtrklIhavcMCL9gtm7e8uA1I+uzwKxFncE7z2gsCmNrXYBB1TcdbIEzYGUDtOKzah9IuMmE7XtT8w6KBAYkmHeDMg=="
}

And in .autorestic.yaml config, I have a key:

# ...
key: XzxcLFkrKPCnybEghC1a6TnPSIYjT4FGsjqjBpdrMF5nmPuZgibwy9Z0T11LMYhzJXv5Bjz5WbhGjl6Hg
# ... 

The question now is...

What data do I save if I suddenly wipe autorestic config and want to restore backup from restic REST server? And how do I reconstruct the key? Or what actions do I have to do to avoid Fatal: wrong password or no key found error while trying to reconnect backend to a reinstalled autorestic?

[Kenya-West]

Do not forget about KISS. It's simple...

If you want to save a key to decrypt repositories, just save the value of the actual key line for each of backends in .autorestic.yaml config.

Here's the yq command for that:

yq eval '.backends | to_entries | .[] | {"name": .key, "key": .value.key, "path": .value.path}'

- that's it, lol.

[Kenya-West]

And now I understand meaning of the warning in Configuration docs page. I just had no clue that the warning was about my case in this discussion! So unclear for newbies, so understandable now.