
I am using duplicity to perform backups on my server. Right now duplicity is encrypting the backup using a GPG public-private key system. I would prefer to encrypt the backup files using just a passphrase, so I don't have to try and keep up with secret keys. How can I configure the backups to be encrypted this way?

Thanks,

Mike

mclark1129

2 Answers


Old question, but I have an answer. You can set the passphrase in your backup script, to let it run unattended.

```bash
#!/bin/bash
# Exported so every command that follows in this script, duplicity included, sees it.
export PASSPHRASE=<your password>
duplicity…
```
ThorstenS
    Don't forget `unset PASSPHRASE` at the end of the script, otherwise the passphrase will be available to other scripts. – Sam Wilson Jan 28 '14 at 00:16
  • `PASSPHRASE` won't be available to other scripts, but it will be available to anything else in that script (presuming you aren't `source`ing the script). If you really want to just set the passphrase for the duplicity command use the prefix syntax: `PASSPHRASE=whatever duplicity ...` – Brad Spencer Jun 26 '17 at 02:36

The default mode of duplicity is to use a symmetric key which consists of a simple passphrase. There's no way I would use that though: if you have to type the key, you can't run an unattended backup!

If you want to run an unattended backup, you have to pass duplicity a public key somehow. The only kind of public key that duplicity supports is GPG, and that requires a key pair. If you don't want more security than the passphrase provides, keep plenty of copies of the private key around (e.g. store it on every backup media, and print it).

Note that you need to choose a really good passphrase (as in long and having high entropy) to get reasonable security from offline attacks (which is the threat here).

    Gilles, So you're telling me that I am already using symmetric encryption? Does this mean that if my server was to explode today, I could restore my backups just using the passphrase? I was under the impression that the passphrase had to be somehow used in conjunction with some key stored in my gpg db, meaning I would have to protect my GPG DB with my life! I am able to use a passphrase in an unattended backup by exporting the phrase to $PASSPHRASE at the beginning of my backup script, then unsetting it at the end. – mclark1129 Aug 25 '10 at 04:10
  • @Mike: As far as I remember, duplicity only supports the two modes. If you're passing `--encrypt-key`, you're using public key encryption, and your private key is composed from your private key file and your passphrase. Otherwise you're using symmetric encryption and the secret key consists of your passphrase exclusively. Obviously, you should test restoring on a machine or account that doesn't have your gpg database, if that's what you want. – Gilles 'SO- stop being evil' Aug 25 '10 at 07:07
  • I'm going to do a test restore tonight on a separate machine to see what happens, thanks! – mclark1129 Aug 25 '10 at 13:24
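As an added example that is not code from either answer or from duplicity itself: a small wrapper that keeps the passphrase out of the script (and out of `ps`/`history`) by reading it from a file only the backup user can read, refuses to run if that file is readable by others, and hands it to duplicity with the prefix syntax from Brad Spencer's comment so it never lingers in the script's environment. The passphrase file path, the function names and the sample invocation are my assumptions.

```bash
#!/bin/bash
# Added example (not from the answers above). Assumes the symmetric passphrase
# lives in a one-line file (hypothetical path: /root/.duplicity-passphrase).
set -u

# Refuse a passphrase file that other local users could read.
# Accepts mode 600 or 400; uses GNU stat first, then BSD/macOS stat.
check_passphrase_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing passphrase file: $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "refusing: $f has mode $mode (want 600)" >&2
            return 1 ;;
    esac
}

# Read only the first line, so a stray trailing newline cannot change the key.
read_passphrase() {
    IFS= read -r pass < "$1" || return 1
    printf '%s' "$pass"
}

# Run one duplicity invocation with PASSPHRASE scoped to that process only
# (prefix syntax), so no later command in this script inherits it.
run_duplicity() {
    pf="$1"; shift
    check_passphrase_file "$pf" || return 1
    PASSPHRASE="$(read_passphrase "$pf")" duplicity "$@"
}

# Sample invocations (hypothetical paths; run them by hand, not at load time):
#   run_duplicity /root/.duplicity-passphrase /etc file:///mnt/backup/etc
# Restore test on a machine without your gpg keyring, as Gilles suggests:
#   run_duplicity /root/.duplicity-passphrase restore file:///mnt/backup/etc /tmp/etc-restore
```

Because the key is derived from the passphrase alone in symmetric mode, this file is the whole secret; keep it on the backup host only and rely on the file mode check above.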