duplicity-talk

[Duplicity-talk] Changing gpg keyring to use


From: C. Enzmann
Subject: [Duplicity-talk] Changing gpg keyring to use
Date: Sun, 8 Jan 2017 10:01:58 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0

Hi fellows,

does anyone by chance know how I can provide a different user's secret keyring file to a restore process? I back up home directories with the system's private and the user's public keys (--encrypt-key=BBBEEECC), thus I'd need the user's private key to restore. Since the operation may need sudo/root, it seems that only private keys in root's keyring are available to duplicity or the gpg-agent. However, I must not provide them to root for data privacy reasons. For the same reasons, adding root's key as a second --encrypt-key is not an option.

An example:
# sudo -c "export PASSPHRASE=whatever; duplicity --use-agent --ssh-options="-oIdentityFile=/root/.ssh/id_duplicity" --encrypt-key=BBBEEECC --exclude-if-present .dupl_noBackup --exclude-filelist /etc/duplicity/files2ignore /home/userx/ scp://address@hidden/BackUps/hostname.userx-BBBEEECC; unset PASSPHRASE"

The user may issue
$ sudo duplicity [verify|restore] --use-agent [--encrypt-secret-keyring /home/userx/.gnupg/secring.gpg] --encrypt-key BBBEEECC --ssh-options="-oIdentityFile=/root/.ssh/id_duplicity" scp://address@hidden/BackUps/hostname.userx-BBBEEECC /home/userx
duplicity 0.7.10 (August 20, 2016)
    :
Found primary backup chain with matching signature chain:
    :
         Incremental         Sat Jan  7 15:04:36 2017                 1
    :
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: encrypted with 3072-bit RSA key, ID BBBEEECC, created 2013-12-15
"userx <address@hidden>"
gpg: decryption failed: No secret key
===== End GnuPG log =====

The --encrypt-secret-keyring was just a test; according to the manpage I did not really expect it to work, but other attempts failed as well.

Any help is highly appreciated.

Best regards,
Christian




