[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Duplicity-talk] gpg key password asked for backup after verify
|
From: |
edgar . soldin |
|
Subject: |
Re: [Duplicity-talk] gpg key password asked for backup after verify |
|
Date: |
Wed, 24 May 2017 13:49:41 +0200 |
|
User-agent: |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 |
whoops, hit send too fast. read on below.
On 24.05.2017 13:17, Raphael Bauduin wrote:
>
>
> On Wed, May 24, 2017 at 12:19 PM, edgar.soldin--- via Duplicity-talk
> <address@hidden <mailto:address@hidden>> wrote:
>
> On 24.05.2017 11 <tel:24.05.2017%2011>:28, Raphael Bauduin via
> Duplicity-talk wrote:
> > Hi,
> >
> > I had encrypted backups working fine for weeks on a server. As the
> encryption uses the public key, it doesn't ask for a password.
> >
> > Then I did a duplicity verify, which requires the gpg private key, and
> asks for a password.
> > The verify went fine, but since then the gpg key password is also asked
> for backups, preventing the automation.... I'm nearly sure this is linked
> >
> > I have removed the duplicity cache in ~/.cache/duplicity, but to no
> avail....
> >
> > Any suggestion?
> >
>
> 1.
> are you using duply?
>
>
> no
>
>
>
> 2.
> what is your backup command line?
>
>
> LC_ALL=en_US /bin/duplicity inc --encrypt-key 'XXXX' --exclude
> /root/.cache/duplicity --exclude /home/backups --exclude /home/restore
> --exclude /backups --include /home/sftp --include /etc --include /home
> --include /root --exclude '**' / par2+rsync://rsync/duplicity/ --verbosity
> debug
>
>
>
>
> 3.
> what's the language locale of your os?
>
>
> I'm forcing it to en_US, which worked fine.
>
> Investigating further, I think I might have deleted the cache before I did
> the verify. So not sure which one causes what.
> I took a look at the code. Here is the code in question asking for the
> password when the cache was empty, where I added a print:
> if local_missing and (rem_needpass or loc_needpass):
> if decrypt:
> # password for the --encrypt-key
> print "local_missing = %s,-- %s, -- %s" %
> (local_missing, rem_needpass, loc_needpass)
> globals.gpg_profile.passphrase = get_passphrase(1, "sync")
>
> local_missing was a set of .sigtar.gpg files, rem_needpass was True and
> loc_needpass was False.
>
> Now I have done a backup manually (providing the key password), I have the
> else clause below asking for the password although the action is inc:
>
> elif (action == "inc" and
> (globals.gpg_profile.recipients or
> globals.gpg_profile.hidden_recipients) and not
> globals.gpg_profile.sign_key and not globals.restart):
> return ""
>
> # Finally, ask the user for the passphrase
> else:
> print "action = %s" % action
> log.Info(_("PASSPHRASE variable not set, asking user."))
> use_cache = True
>
>
> globals.gpg_profile.recipients is my encryption key id,
> globals.gpg_profile.sign_key is None, but globals.restart= <__main__.Restart
> instance at 0x13a8518>
>
> So it seems that the globals.restart is set and makes the code skip the
> action == "inc" part.
>
> Any idea what the problem might be?
>
> Thanks
>
ok, your backup is restarting. restarting happens when a backup was
interrupted. restarting _needs_ to decrypt some information from the backend,
which can only be done w/ priv key and passphrase of course.
what you ran into here is essentially this bug
https://bugs.launchpad.net/duplicity/+bug/687295
consider using two key pairs in the future. duplicity using gpg can encrypt to
multiple keys. place
A. a sec/pub key for the box
B. your own pub key
in your keyring. then backup against both keys and optionally use the machine
key to sign your backups. this way the box can decrypt when needed w/o needing
your very secret personal private key.
..ede/duply.net