Re: [Duplicity-talk] Duplicity-talk Digest, Vol 343, Issue 1
From: Arjun
Subject: Re: [Duplicity-talk] Duplicity-talk Digest, Vol 343, Issue 1
Date: Fri, 16 Sep 2022 22:47:29 -0400
User-agent: alot/0.10
Hi
I RTFM and understood that I should use a machine specific key for signing, and
my own public key for encryption (so that the passphrase is only needed for
decryption).
I have set up duply to use:
# my personal gpg key
GPG_KEYS_ENC='XXXXXXX'
GPG_KEY_SIGN='YYYYYYY'
GPG_PW_SIGN='ZZZZZZ'
I am asking for help again with my setup, as I can't get it to make incrementals
without passphrases. The following is my duply output:
Start duply v2.1, time is 2022-09-16 22:36:06.
Using profile '/etc/duply/Dropbox'.
Using installed duplicity version 0.7.18.2, python 2.7.16
(/usr/bin/python2), gpg 2.2.12 (Home: /root/.gnupg), awk 'GNU Awk 4.2.1, API:
2.0 (GNU MPFR 4.0.2, GNU MP 6.1.2)', grep 'grep (GNU grep) 3.3', bash
'5.0.3(1)-release (x86_64-pc-linux-gnu)'.
Enable gpg-agent usage. Running gpg-agent instance found and GPG_PW or
GPG_PW_SIGN (enc != sign key) not set.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - En/Decryption skipped. (Testing disabled)
--- Start running command PRE at 22:36:06.979 ---
Running '/etc/duply/Dropbox/pre' - OK
--- Finished state OK at 22:36:07.280 - Runtime 00:00:00.300 ---
--- Start running command BKP at 22:36:07.298 ---
LFTP version is 4.8.4
Reading globbing filelist /etc/duply/Dropbox/exclude
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Fri Sep 16 20:30:01 2022
Error processing remote manifest
(duplicity-inc.20220917T003001Z.to.20220917T023101Z.manifest.gpg): GPG Failed,
see log below:
===== Begin GnuPG log =====
gpg: Sorry, we are in batchmode - can't get input
===== End GnuPG log =====
--------------[ Backup Statistics ]--------------
StartTime 1663382179.50 (Fri Sep 16 22:36:19 2022)
EndTime 1663382192.83 (Fri Sep 16 22:36:32 2022)
ElapsedTime 13.33 (13.33 seconds)
SourceFiles 23968
SourceFileSize 4324667061 (4.03 GB)
NewFiles 0
NewFileSize 0 (0 bytes)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 0
RawDeltaSize 0 (0 bytes)
TotalDestinationSizeChange 736 (736 bytes)
Errors 0
Can someone tell me what is going on and what I should do to modify my setup?
Arjun
Quoting duplicity-talk-request@nongnu.org (2022-08-25 12:00:08)
> Message: 1
> Date: Wed, 24 Aug 2022 22:57:24 -0400
> From: Arjun <arjunkc@gmail.com>
> To: <duplicity-talk@nongnu.org>
> Subject: [Duplicity-talk] Encryption keys and passphrases
> Message-ID: <166139624420.13871.8875545748507294252@mediaserver.home>
> Content-Type: text/plain; charset="utf-8"
>
> Hello all
>
> There was a discussion this year about encryption keys and passphrase best
> practices. I have a few questions:
>
> I use
>
> duplicity 0.7.18
>
> along with duply on my server. I run full backups every 6 months, and
> incrementals in between to a remote backup location. Originally, I just used
> my "all purpose" gpg key to encrypt and sign backups, so I had to store the
> passphrase in a "conf" file. The first solution I tried was to try to *not
> sign* backups, thinking I won't need the passphrase if I'm just encrypting
> backups, right?
>
> That didn't work since it appears to need the passphrase to read the remote
> manifest for incrementals. Is there a way around this?
>
> Then, I tried putting keys into my server with a really long ttl (10 years),
> into the root user's gpg-agent by entering the passphrase on login. I ssh into
> the server to decrypt the rootfs anyway on those rare times when I need to
> reboot it, and starting the gpg-agent right after is no big deal. Somehow,
> this is still a slight annoyance, and it would be great if the gpg-agent need
> not be started at all.
>
> Reading the thread
>
> 'backup from multiple devices with GPG asymetric key encryption - best
> practices'
>
> from earlier this year showed that people use machine specific keys *without*
> passphrases to encrypt and sign backups. Do people keep copies of these keys
> on other machines so that they can access backups in case the machine went
> down? If there are machine specific keys, it doesn't seem to be necessary to
> split up the signing and encryption keys, right?
>
> Any thoughts, comments or advice?
>
> Arjun
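The duply output in this message shows a GnuPG failure on the remote manifest while the statistics block of the same run still reports `Errors 0`, so a wrapper that reads only that counter would not notice it. The following is an added example, not part of the original post or of duply: it scans saved duply output for GnuPG log blocks, and the function name `scan_duply_log` and its output format are assumptions.

```shell
#!/bin/sh
# Added example: flag GnuPG failures in duply/duplicity output that the
# "Errors" counter in the backup statistics does not reflect.

# scan_duply_log FILE
# Prints "manifest=<name> gpg=<message>" for each gpg line inside a GnuPG log
# block, then "summary gpg_failures=N reported_errors=M".
# Exit status: 0 = no GnuPG log block found, 1 = at least one found.
scan_duply_log() {
    awk '
    # Remember the latest manifest name; it may sit on a wrapped line.
    match($0, /duplicity-[a-z]+\.[0-9A-Za-z.]+\.manifest\.gpg/) {
        manifest = substr($0, RSTART, RLENGTH)
    }
    /^===== Begin GnuPG log =====/ { in_gpg = 1; next }
    /^===== End GnuPG log =====/   { in_gpg = 0; failures++; next }
    in_gpg && /^gpg: / {
        printf "manifest=%s gpg=%s\n", (manifest ? manifest : "unknown"), substr($0, 6)
        next
    }
    # Statistics line, e.g. "Errors 0"
    $1 == "Errors" && NF == 2 { reported = $2 }
    END {
        printf "summary gpg_failures=%d reported_errors=%s\n", failures, (reported == "" ? "unknown" : reported)
        exit (failures > 0)
    }' "$1"
}

# Sample input: the relevant lines of the duply output quoted in the message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Error processing remote manifest
(duplicity-inc.20220917T003001Z.to.20220917T023101Z.manifest.gpg): GPG Failed,
see log below:
===== Begin GnuPG log =====
gpg: Sorry, we are in batchmode - can't get input
===== End GnuPG log =====
--------------[ Backup Statistics ]--------------
Errors 0
EOF
scan_duply_log "$sample" || echo "GnuPG failure logged although the Errors counter may read 0"
rm -f "$sample"
```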