[Duplicity-talk] Private key management, signature verification

duplicity-talk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Duplicity-talk] Private key management, signature verification

From:	Jeff Rizzo
Subject:	[Duplicity-talk] Private key management, signature verification
Date:	Mon, 20 Jul 2015 16:16:49 -0700
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

First off, a brief description of what I'm trying to accomplish:

I'd like to have a "master" key which can decrypt backups, but whoseprivate key doesn't live on any backed-up host. I seem to have ALMOSTachieved what I want with the script "duply" and duplicity 0.6.24/0.6.25(it's what I currently have available - i'd be willing to move to anewer version if it actually fixes things).


If I create a config file for "duply" that looks like this:

ulimit -n 2048
GPG_KEYS_ENC='EA2F12BE,FA174E5B'
GPG_KEY_SIGN='EA2F12BE'
GPG_PW=‘redacted'
TARGET='ssh://address@hidden//backups/duplicity/duply3'
SOURCE='/var'
VOLSIZE=500
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

DUPL_PARAMS="${DUPL_PARAMS}--ssh-options='-oIdentityFile=/root/.ssh/id-backups' "

DUPL_PARAMS="${DUPL_PARAMS} --ssh-backend=pexpect "

I can successfully create backups from the original host using "duply".This host has the private key for EA2F12BE on it.

On the "restore" host, which has the key FA174E5B but not EA2F12BE, Icreate a config file that looks like this:


ulimit -n 2048
#GPG_KEYS_ENC='EA2F12BE,FA174E5B'
GPG_KEY='FA174E5B'
#GPG_KEY_SIGN='EA2F12BE'
GPG_PW=‘redacted'
TARGET='ssh://address@hidden//backups/duplicity/duply3'
SOURCE='/var'
VOLSIZE=500
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

#DUPL_PARAMS="${DUPL_PARAMS}--ssh-options='-oIdentityFile=/root/.ssh/id-backups' "

DUPL_PARAMS="${DUPL_PARAMS} --ssh-backend=pexpect "

Using this file, I can eventually do a "duply test3 list" and get a listof backed-up files (there are some errors of the form:

OSError: [Errno 1] Operation not permitted:'/Users/jrizzo/.cache/duplicity/duply_test3/duplicity-inc.20150224T012820Z.to.20150720T205314Z.manifest'



which occur, but don't happen on the second run).

I can _also_ restore some files. However, after restoring the firstvolume, I get this error:



Volume was signed by key EA2F12BE, not FA174E5B

...which makes sense. But really, I'd like to check that the signaturefrom EA2F12BE is good. Adding it to GPG_KEY_SIGN is no good, becausethe script expects me to have the private key then. (huh?)

Does anyone have a suggestion for tweaks to make to achieve my goal?Thanks!

+j

[Prev in Thread]

Current Thread

[Next in Thread]

[Duplicity-talk] Private key management, signature verification, Jeff Rizzo <=
- Re: [Duplicity-talk] Private key management, signature verification, edgar . soldin, 2015/07/21
  - Re: [Duplicity-talk] Private key management, signature verification, Jeff Rizzo, 2015/07/21

Prev by Date: Re: [Duplicity-talk] Automatically creating buckets with S3 storage
Next by Date: [Duplicity-talk] --exclude-if-present
Previous by thread: [Duplicity-talk] Automatically creating buckets with S3 storage
Next by thread: Re: [Duplicity-talk] Private key management, signature verification
Index(es):
- Date
- Thread