[Duplicity-talk] Restore has trouble with multiple encryption keys


From: Ezra Stevens
Subject: [Duplicity-talk] Restore has trouble with multiple encryption keys
Date: Tue, 19 Jan 2016 15:46:07 -0800

Hi folks,

I'd like to be able to rotate my encryption keys occasionally when
using Duplicity (between backup chains only, not in the middle of a
chain). This works fine when I restore to the same machine I backed up
from, but not for restores to a different machine. Specifically, the
restore will fail repeatedly as it tries to synchronize the cache,
because it keeps trying to sync files that it can't decrypt with the
key it's been given. But if I give it different keys enough times, it
will eventually sync the whole cache and then be able to restore
properly (see shell transcript below). Is this a bug, or is what I'm
trying to do completely unsupported? Is there a way to convince
Duplicity to only sync the cache files for the chain it's actually
trying to restore? Should Duplicity print a warning when a user tries
to use different encryption keys within the same bucket?

Thanks,
Ezra Stevens

---

address@hidden 13:52:02 ~$ duplicity --version
duplicity 0.7.06

# Back up an arbitrary directory with passphrase "alpha"
address@hidden 14:23:11 ~$ PASSPHRASE=alpha duplicity full /home/q/tmp sftp://address@hidden//home/q/duplicity-dest/
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
--------------[ Backup Statistics ]--------------
StartTime 1453242218.87 (Tue Jan 19 14:23:38 2016)
EndTime 1453242220.82 (Tue Jan 19 14:23:40 2016)
ElapsedTime 1.95 (1.95 seconds)
SourceFiles 1968
SourceFileSize 40896399 (39.0 MB)
NewFiles 1968
NewFileSize 40896399 (39.0 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 1968
RawDeltaSize 39286663 (37.5 MB)
TotalDestinationSizeChange 18555692 (17.7 MB)
Errors 0
-------------------------------------------------

# Perform the exact same backup with passphrase "beta"
address@hidden 14:23:41 ~$ PASSPHRASE=beta duplicity full /home/q/tmp sftp://address@hidden//home/q/duplicity-dest/
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Tue Jan 19 14:23:38 2016
--------------[ Backup Statistics ]--------------
StartTime 1453242236.66 (Tue Jan 19 14:23:56 2016)
EndTime 1453242238.62 (Tue Jan 19 14:23:58 2016)
ElapsedTime 1.96 (1.96 seconds)
SourceFiles 1968
SourceFileSize 40896399 (39.0 MB)
NewFiles 1968
NewFileSize 40896399 (39.0 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 1968
RawDeltaSize 39286663 (37.5 MB)
TotalDestinationSizeChange 18555692 (17.7 MB)
Errors 0
-------------------------------------------------

# Switch to a user with an empty Duplicity cache
address@hidden 14:24:46 ~$ sudo su -

# The following five commands are identical, except that PASSPHRASE
# alternates between "beta" and "alpha"
# Each time it gets a little bit farther into syncing the cache
address@hidden:~# PASSPHRASE=beta duplicity restore sftp://address@hidden//home/q/duplicity-dest/ /root/restore
Synchronizing remote metadata to local cache...
Copying duplicity-full-signatures.20160119T222338Z.sigtar.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
===== End GnuPG log =====

address@hidden:~# PASSPHRASE=alpha duplicity restore sftp://address@hidden//home/q/duplicity-dest/ /root/restore
Synchronizing remote metadata to local cache...
Copying duplicity-full-signatures.20160119T222338Z.sigtar.gpg to local cache.
Copying duplicity-full-signatures.20160119T222356Z.sigtar.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
===== End GnuPG log =====

address@hidden:~# PASSPHRASE=beta duplicity restore sftp://address@hidden//home/q/duplicity-dest/ /root/restore
Synchronizing remote metadata to local cache...
Copying duplicity-full-signatures.20160119T222356Z.sigtar.gpg to local cache.
Copying duplicity-full.20160119T222338Z.manifest.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
===== End GnuPG log =====

address@hidden:~# PASSPHRASE=alpha duplicity restore sftp://address@hidden//home/q/duplicity-dest/ /root/restore
Synchronizing remote metadata to local cache...
Copying duplicity-full.20160119T222338Z.manifest.gpg to local cache.
Copying duplicity-full.20160119T222356Z.manifest.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
===== End GnuPG log =====

# Now it works
address@hidden:~# PASSPHRASE=beta duplicity restore sftp://address@hidden//home/q/duplicity-dest/ /root/restore
Synchronizing remote metadata to local cache...
Copying duplicity-full.20160119T222356Z.manifest.gpg to local cache.
Last full backup date: Tue Jan 19 14:23:56 2016
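
Added example, not part of the original message and not duplicity's own code: a small Python model of the cache sync seen in the transcript above, showing why each restore attempt copies only the next run of files that share a key. It assumes files are processed in sorted name order and abort at the first one the passphrase cannot decrypt (both inferred from the transcript); REMOTE, CHAIN_KEYS and the function names are hypothetical.

```python
import re

# The transcript shows only signature and manifest files being copied to the cache.
META_RE = re.compile(
    r"^duplicity-(full-signatures|new-signatures|full|inc)\."
    r"(\d{8}T\d{6}Z)(?:\.to\.\d{8}T\d{6}Z)?\.(sigtar|manifest)\.gpg$")

# Constructed input: the four metadata files named in the transcript.
REMOTE = [
    "duplicity-full.20160119T222356Z.manifest.gpg",
    "duplicity-full-signatures.20160119T222338Z.sigtar.gpg",
    "duplicity-full.20160119T222338Z.manifest.gpg",
    "duplicity-full-signatures.20160119T222356Z.sigtar.gpg",
]
# Assumption: the operator records which key label protected each chain.
CHAIN_KEYS = {"20160119T222338Z": "alpha", "20160119T222356Z": "beta"}

def chain_of(name, full_starts):
    """Return the start time of the chain a metadata file belongs to."""
    m = META_RE.match(name)
    if not m:
        raise ValueError("not a duplicity metadata file: " + name)
    # Fixed-width UTC timestamps compare correctly as strings.
    older = [s for s in full_starts if s <= m.group(2)]
    if not older:
        raise ValueError("no full backup precedes " + name)
    return max(older)

def simulate(remote, chain_keys, attempts):
    """Model of the sync: copy in name order, abort the run on the first bad key."""
    cached, runs = set(), []
    for key in attempts:
        copied = []
        for name in sorted(n for n in remote if n not in cached):
            if chain_keys[chain_of(name, chain_keys)] != key:
                break  # corresponds to "gpg: decryption failed: bad key"
            copied.append(name)
        cached.update(copied)
        runs.append(copied)
    return runs, cached == set(remote)

def schedule(remote, chain_keys):
    """Shortest sequence of key labels that completes the sync under this model."""
    plan = []
    while not simulate(remote, chain_keys, plan)[1]:
        done = {n for run in simulate(remote, chain_keys, plan)[0] for n in run}
        nxt = min(n for n in remote if n not in done)
        plan.append(chain_keys[chain_of(nxt, chain_keys)])
    return plan
```

Under this model the five attempts in the transcript cache 0, 1, 1, 1 and 1 files, and schedule() shows that four attempts starting with "alpha" would have been enough.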


