[Duplicity-talk] Encryption keys and passphrases
From: Arjun
Subject: [Duplicity-talk] Encryption keys and passphrases
Date: Wed, 24 Aug 2022 22:57:24 -0400
User-agent: alot/0.10
Hello all,
There was a discussion this year about encryption keys and passphrase best
practices. I have a few questions:
I use duplicity 0.7.18 along with duply on my server. I run full backups every 6 months, and
incrementals in between to a remote backup location. Originally, I just used my
"all purpose" gpg key to encrypt and sign backups, so I had to store the
passphrase in a "conf" file. The first solution I tried was to try to *not
sign* backups, thinking I won't need the passphrase if I'm just encrypting
backups, right?
That didn't work since it appears to need the passphrase to read the remote
manifest for incrementals. Is there a way around this?
Then, I tried putting keys into my server with a really long TTL (10 years),
into the root user's gpg-agent by entering the passphrase on login. I ssh into
the server to decrypt the rootfs anyway on those rare times when I need to
reboot it, and starting the gpg-agent right after is no big deal. Somehow, this
is still a slight annoyance, and it would be great if the gpg-agent need not be
started at all.
Reading the thread 'backup from multiple devices with GPG asymetric key
encryption - best practices' from earlier this year showed that people use
machine specific keys *without*
passphrases to encrypt and sign backups. Do people keep copies of these keys on
other machines so that they can access backups in case the machine went down?
If there are machine specific keys, it doesn't seem to be necessary to split up
the signing and encryption keys, right?
Any thoughts, comments or advice?
Arjun
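An added example, not from this post and not duply's or duplicity's own code, of the machine-specific, passphrase-less key setup the post refers to, carried through to the two questions it raises: keeping a usable copy of the key elsewhere, and using one key for both encryption and signing. It assumes gpg 2.2 or later (for --quick-generate-key and loopback pinentry) and a recent duply whose conf understands GPG_KEY, GPG_PW and GPG_OPTS; the key directory /root/.gnupg-backup, the user id and the passphrase on the recovery copy are placeholders chosen here. The round-trip at the end stands in for duplicity reading an encrypted manifest on a second machine: it only works if that machine holds the secret key, which is the behaviour the post observed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the duply/duplicity projects).
# Creates a machine-specific key with no passphrase in its own GNUPGHOME,
# wraps an exported copy of the secret key for storage on another machine,
# checks the copy can decrypt what the machine key encrypted, and writes the
# matching duply conf lines. Assumes gpg >= 2.2; all paths are placeholders.
set -eu

# Generate an unprotected key. Under --batch with loopback pinentry an empty
# --passphrase stores the secret key without a passphrase; 'never' = no expiry.
# Prints the primary key fingerprint (field 10 of the first 'fpr' record).
make_backup_key() {  # $1 = GNUPGHOME, $2 = user id
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the secret key for an off-box copy. The key itself has no passphrase,
# so the exported file is wrapped with symmetric AES-256 under a passphrase
# that is typed only on the recovery machine, never stored on the backup host.
export_recovery_copy() {  # $1 = GNUPGHOME, $2 = fingerprint, $3 = passphrase, $4 = out
    GNUPGHOME="$1" gpg --batch --armor --export-secret-keys "$2" \
        | GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase "$3" \
              --symmetric --cipher-algo AES256 --output "$4"
}

# Unwrap the copy into a fresh GNUPGHOME (the "other machine"); prints the
# fingerprint it imported so the caller can compare it with the original.
restore_recovery_copy() {  # $1 = new GNUPGHOME, $2 = wrapped file, $3 = passphrase
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase "$3" --decrypt "$2" \
        | GNUPGHOME="$1" gpg --batch --quiet --import
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a constructed stand-in for a manifest with the machine key, then
# decrypt it in the restored keyring; prints the recovered plaintext.
roundtrip_check() {  # $1 = encrypting GNUPGHOME, $2 = restoring GNUPGHOME, $3 = fingerprint
    printf 'manifest-stand-in' \
        | GNUPGHOME="$1" gpg --batch --trust-model always --encrypt --recipient "$3" \
        | GNUPGHOME="$2" gpg --batch --quiet --decrypt
}

# duply conf lines for this setup: one key encrypts and signs, GPG_PW is empty
# because the key has no passphrase, GPG_OPTS points duplicity at the dedicated
# keyring. The --homedir path is a placeholder for the backup host's layout.
write_duply_conf() {  # $1 = fingerprint, $2 = output path
    cat > "$2" <<EOF
# duply profile conf (excerpt): machine-specific key, no passphrase needed.
GPG_KEY='$1'
GPG_PW=''
GPG_OPTS='--homedir /root/.gnupg-backup'
EOF
}

# Stand-alone demo (skipped unless DUPLY_KEY_DEMO=1): runs the whole flow in
# a temporary directory with a constructed user id and recovery passphrase.
demo() {
    t=$(mktemp -d)
    fpr=$(make_backup_key "$t/host" "backup@host.example")
    export_recovery_copy "$t/host" "$fpr" "recovery-passphrase" "$t/recovery.gpg"
    restored=$(restore_recovery_copy "$t/other" "$t/recovery.gpg" "recovery-passphrase")
    echo "machine key $fpr, restored copy $restored"
    echo "decrypted on other machine: $(roundtrip_check "$t/host" "$t/other" "$fpr")"
    write_duply_conf "$fpr" "$t/conf" && cat "$t/conf"
}
if [ "${DUPLY_KEY_DEMO:-0}" = 1 ]; then demo; fi
```

The security trade in this layout is explicit: anyone with root on the backup host can read that host's backups, which they could read from the filesystem anyway, while the only copy that leaves the host is the wrapped export, whose passphrase never touches the conf file. Because the same key both encrypts and signs, there is nothing gained by splitting it unless the signing key is meant to live somewhere the encryption key does not.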