FR EN
Dev docs GitHub Download
11 · Administration

Manage remote hosts and SSH keys

Remote functionality does not rely solely on Restic. It also relies on an SSH layer managed within the interface: hosts for SSH-based backups, keys for remote restores, connectivity tests, and initial access deployment.

Remote access
Target machines

Hosts page

Hosts represent the machines on which certain backup jobs can run via SSH. Each host registered in the database groups a set of structured fields that fully describe the connection.

  • Display name: human-readable label shown in the interface to identify the machine.
  • hostname: DNS name or IP address of the target machine.
  • user: SSH user used for the connection.
  • port: SSH port (default 22).
  • ssh_key_id: reference to an SSH key already declared on the SSH Keys page.
  • sudo_password_ref: optional SecretStore reference containing the sudo password, for operations requiring targeted privilege escalation.
  • sudo_password_file: historical compatibility field, read only as a legacy fallback and migrated to SecretStore when possible.
  • Free-text description, connection test, and guided setup assistant.

The connection check (check) uses the server's native ssh command and captures the result (return code, stdout, stderr) to display a readable diagnostic in the interface.

Connection material

SSH Keys page

Key management makes it possible to generate, import, test, and deploy the access credentials required for certain remote workflows.

  • Generate a private/public key pair with name, user, host, and port.
  • Import an existing key.
  • Display the public key with a copy button.
  • Ready-to-paste command for adding the key to authorized_keys.
  • Connection test.
  • Assisted key deployment to a remote machine using a one-time password.

Generated or imported private keys are stored in SecretStore. The historical private_key_file field keeps a reference, often in the secret://... form, and may still point to an old local file on migrated installations. When the native SSH client needs a file path, Fulgurite materializes a strictly protected temporary file at runtime and removes it after use; that temporary file is not the primary key store.

What is each for?

Difference between a host and an SSH key

ComponentPrimary useExamples
HostRepresent a remote execution machine for a backup job.Back up /var/www on an application server via SSH.
SSH KeyUsed for remote restores, connectivity tests, and access deployment.Send a restore to another machine via rsync/SSH.
Privileges

Sudo and protected paths

The optional sudo password on a host is not required in every case, but it becomes useful when the paths to back up are not readable by the standard SSH user. It allows Fulgurite to attempt executions that require targeted privilege escalation. The password is never stored directly in the database: the current mechanism writes a sudo_password_ref pointing to SecretStore. The sudo_password_file field remains only as a legacy fallback for older installations and can be migrated automatically to SecretStore.

As with any privileged automation, limit these configurations to necessary cases, isolate hosts by scope, and combine them with strict user scopes.
Fulgurite · Public documentation · fulgurite.sh