
I'd like to use duplicity to back up files and I'd like to encrypt them with GnuPG. I was wondering why duplicity asks for a passphrase to encrypt the files. For asymmetric encryption, the passphrase is only needed for decryption.

I was using the following command:

duplicity full --encrypt-key="KEY-ID" --sign-key="KEY-ID" /path/to/source file://path/to/destination

I expected duplicity to use the public part of the given "KEY-ID" to encrypt the backup. Am I getting something wrong?


1 Answer

You're right, encryption only requires the public key, which is not protected by a passphrase.

There are two reasons Duplicity might require the private key passphrase:

  • You ask duplicity to not only encrypt the backup, but also sign it. Signing is a private key operation (and thus requires the passphrase).
  • Duplicity needs to fetch the (encrypted) metadata from the remote location, because the local copy is wrong/out of sync. Decryption is also a private key operation and requires the passphrase.
  • it also asks for the passphrase without the signing option – john.dough Oct 01 '16 at 12:41
  • Duplicity is _not_ querying for the passphrase on my machine if signing is not selected. This might only happen for incremental backups with an outdated local metadata cache (in this case, it has to pull and decrypt the remote metadata). Is duplicity adding any information just before asking for the passphrase? – Jens Erat Oct 01 '16 at 13:00
  • You are right. There was some old metadata. I was just looking in the wrong place, because I forgot one additional "/" in the destination path. Now everything works fine. – john.dough Oct 01 '16 at 13:18