duplicity-talk
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] Duplicity asking encrypt-key passphrase?

From: edgar . soldin
Subject: Re: [Duplicity-talk] Duplicity asking encrypt-key passphrase?
Date: Sun, 08 Jul 2012 10:49:46 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1 
On 08.07.2012 07:00, Etienne Perot wrote:
> Hi,
> 
> I have generated 2 PGP keys, one for encryption and one for signing.
> Both of them are RSA/RSA keypairs, with different passphrases, different 
> names, and different email addresses attached to them.
> 
> I am running duplicity using:
> 
> export SIGN_PASSPHRASE="(passphrase of signing key)"
> duplicity full \
>   --encrypt-key (key id of encryption key) \
>   --sign-key (key id of signing key) \
>   /home file:///media/home-server/backup
> unset SIGN_PASSPHRASE
> 
> This works fine and the full bakcup is performed. No problems here.
> 
> However, when I do an incremental backup using the exact same command but 
> replacing "full" by "incremental", duplicity first says:
> 
> Local and Remote metadata are synchronized, no sync needed.
> Last full backup date: Sat Jul  7 21:01:14 2012
> 
> But duplicity doesn't exit; it then asks for a passphrase. It prompts for 
> "GnuPG passphrase:" (as opposed to "GnuPG passphrase for signing key:"), so 
> it 
> is asking for the *encryption* key passphrase, not the signing key 
> passphrase. 
> If I give it the signing key passphrase, it fails with the error:
> 
> GPGError: GPG Failed, see log below:
> ===== Begin GnuPG log =====
> gpg-agent[9188]: enabled debug flags: assuan
> random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
> outmix=0 getlvl1=0/0 getlvl2=0/0
> secmem usage: 384/32768 bytes in 2 blocks
> ===== End GnuPG log =====
> 
> If on the other hand I give it the encryption key passphrase, the incremental 
> backup works and everything goes through.
> 
> My question is: why do I need to provide my encryption key passphrase? Does 
> duplicity need to decrypt anything? I would like those backups to be 
> unattended, and obviously I wouldn't want to store the encryption key 
> passphrase here.
> 
> I have tried the same process but using PASSPHRASE instead of 
> SIGN_PASSPHRASE, 
> and I have tried using both variables set. I have found the the incremental 
> only works when PASSPHRASE is set to the encryption key's passphrase (and in 
> those cases, it doesn't prompt for a passphrase).
> 
> I am using duplicity 0.6.19 from the Arch repositories.
> 
> Thanks in advance.
> 

hi Etienne,

the password for the encryption key is of course always needed when a 
decryption occurs. this is e.g. the case when 

- archive dir (local unencrypted metadata cache) needs to be updated
- you want to restore

none of which "seems" to be the case here.

but you probably stumbled over this long standing issue regarding syncing the 
archive dir, make sure you read the mailing list thread for more details.
https://bugs.launchpad.net/duplicity/+bug/687295


..ede/duply.net
reply via email to
[Prev in Thread] Current Thread [Next in Thread]