Re: [Duplicity-talk] Manifest stores SHA1 hash of files, checked before
From: edgar . soldin
Subject: Re: [Duplicity-talk] Manifest stores SHA1 hash of files, checked before restore?
Date: Thu, 14 Jul 2011 13:43:18 +0200
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20110624 Thunderbird/5.0

On 14.07.2011 12:19, Chris Poole wrote:
> On Thu, Jul 14, 2011 at 9:38 AM, <address@hidden> wrote:
>> On 13.07.2011 17:53, Chris Poole wrote:
>>> (Thus, it's very important to sign
>>> backups being stored in untrusted locations.)
>>
>> It is provided the public key used is published somewhere or in other ways
>> available to a possible attacker. If you create a keypair just for your
>> backup and keep it on the backup machine and in your secure storage (for
>> restoring) you don't necessarily need it.
>>
>> On the other hand. Currently duplicity needs a private key to work reliably,
>> so signing to it does no harm and can be seen as an extra lock for an
>> intruder to pick. see http://bugs.launchpad.net/duplicity/+bug/687295
>
> Thanks. I'm going to get used to signing my backups. I don't use cron
> to do them for me anyway.
>
> What I find annoying is that Duplicity asks me for my passphrase (when
> doing an incremental backup) 3 times. Surely once is enough, to
> decrypt my private key? (Using the same Key ID to encrypt and sign my
> backup.)
>
Latest duplicity has the possibility to define env vars SIGN_PASSPHRASE and
PASSPHRASE. This way you don't have to input them manually.

There is no code to compare signing vs. encryption key, so they are asked for
separately. I am not sure if the double input to ensure correctness is a wise
decision. I would plead to have it put in and if it is wrong gpg will
complain later on.

@ken: is the doublecheck routine really necessary?

Eventually. I just had a look at the corresponding code
duplicity-bin::get_passphrase. With the latest duplicity you should be asked
two times ("Input/Retype") for each key (Signing/Encryption). Isn't that so?

You could post an obfuscated output log of a run with '-v9' to show what
happens.

ede/duply.net