You can easily specify a password file via env variable[1]. Make sure file permissions are restricted to root only. If someone had root they could read any file already, so I don't see a threat beyond someone gaining root.
My offsite is done automatically with cron using restic. Then I use rsync for incremental backups to a USB drive (LUKS encrypted). Beyond that, I have a NAS with mirrored ZFS (+ daily snapshots) for live data. I use Syncthing to get my data to the NAS from phones, laptops, etc.
You can easily specify a password file via env variable[1]. Make sure file permissions are restricted to root only. If someone had root they could read any file already, so I don't see a threat beyond someone gaining root.
My offsite is done automatically with cron using restic. Then I use rsync for incremental backups to a USB drive (LUKS encrypted). Beyond that, I have a NAS with mirrored ZFS (+ daily snapshots) for live data. I use Syncthing to get my data to the NAS from phones, laptops, etc.
[1] https://restic.readthedocs.io/en/latest/faq.html#how-can-i-s...