  • Had a catastrophic failure on a RAID array and lost everything.

  • Have a full set of backups on S3 via duplicity (2003 files), encrypted with GPG.

  • I have the passphrase and a copy of the private key used to encrypt the backups.

  • I have imported the private key on the new host with gpg --import-key KEYNAME. gpg --list-keys gives me the KEYID. We'll say it's 123456.

  • Downloaded all files from S3 to a fresh local host.

  • When I try to list the files in the backup with duplicity list-current-files file:///mnt/Media/backups --encrypt-key 123456 the result is:

Synchronizing remote metadata to local cache...
GnuPG passphrase:
Copying duplicity-full-signatures.20111105T191036Z.sigtar.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: encrypted with RSA key, ID ABCDEFG
gpg: decryption failed: No secret key
===== End GnuPG log =====

What step(s) am I missing? The RSA key referenced in the GnuPG log (ex: ABCDEF) is different than the ID of the key I imported (ex: 123456), is that related to the issue?

My test restores when I initially set up the backups all worked, but I realize now it's because the keys were already available on the backed up host. But because the original host is toast, restoring to a brand new host is all new to me. Thanks in advance.

SteveJ

1 Answer


Send the backup secret key from BAK-SERVER to RESTORE-SERVER:

# On BAK-SERVER
gpg --list-keys
gpg --armor --export-secret-keys bak-key-name > bak-key-name.secret.asc
cat bak-key-name.secret.asc | nc -l BAK-SERVER_IP 12345

# On RESTORE-SERVER
nc BAK-SERVER_IP 12345 > bak-key-name.secret.asc
gpg --import bak-key-name.secret.asc

Get the encrypt-key, for example 05AB3DF5:

gpg --list-keys

/root/.gnupg/pubring.gpg
------------------------
pub   2048R/05AB3DF5 2013-09-19
uid                  Your Name <your_email@example.com>
sub   2048R/32866E3B 2013-09-19

Backup on BAK-SERVER:

PASSPHRASE="passphrase_for_GPG" duplicity full --encrypt-key 05AB3DF5 /source BAK_URL

Restore on RESTORE-SERVER:

PASSPHRASE="passphrase_for_GPG" duplicity restore --encrypt-key 05AB3DF5 BAK_URL /source-restore

Reference: https://www.digitalocean.com/community/tutorials/how-to-use-duplicity-with-gpg-to-securely-automate-backups-on-ubuntu

rhinoceros.xn
  • I'm a bit confused here. If the original server has been completely blown up, am I to understand that the backups are completely inaccessible? – Tmanok Aug 21 '22 at 05:09
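
Added example, not part of the original question or answer: GnuPG encrypts to a key's encryption subkey, so the ID in a "No secret key" log is normally the subkey ID (the `sub` line in the listing above), not the primary ID passed to --encrypt-key, and `gpg --list-keys` shows public keys only. This sketch maps the ID from the log to its primary key and checks for the matching secret key. The function names are hypothetical and the sample listings are constructed, with made-up leading digits in the long key IDs.

```shell
#!/bin/sh
# Constructed sample data: the log follows the error format in the question and the
# listings follow the key layout in the answer (pub 05AB3DF5, sub 32866E3B).
SAMPLE_LOG='gpg: encrypted with RSA key, ID 32866E3B
gpg: decryption failed: No secret key'
# Shape of `gpg --list-keys --with-colons` (public keyring only)
SAMPLE_PUB='pub:u:2048:1:AAAAAAAA05AB3DF5:1379548800:::u:::scESC:
uid:u::::1379548800::0000::Your Name <your_email@example.com>:
sub:u:2048:1:BBBBBBBB32866E3B:1379548800::::::e:'
# Shape of `gpg --list-secret-keys --with-colons` after a successful secret-key import
SAMPLE_SEC='sec:u:2048:1:AAAAAAAA05AB3DF5:1379548800:::u:::scESC:::+:
ssb:u:2048:1:BBBBBBBB32866E3B:1379548800::::::e:::+:'

# awk helper: does key ID k end with id? (short IDs are suffixes of long IDs)
AWK_ENDS='function ends(k, id) { return toupper(substr(k, length(k) - length(id) + 1)) == toupper(id) }'

# Key ID the data was encrypted to, read from a GnuPG error log on stdin.
recipient_from_log() {
    sed -n 's/^gpg: encrypted with .* key, ID \([0-9A-Za-z]*\).*/\1/p' | head -n 1
}

# Primary key owning the given (sub)key ID, from a public colon listing on stdin.
primary_of() {
    awk -F: -v id="$1" "$AWK_ENDS"'
        $1 == "pub" { primary = $5 }
        ($1 == "pub" || $1 == "sub") && ends($5, id) { print primary; exit }'
}

# Exit 0 only if a sec/ssb record for the ID exists; field 15 "#" marks a stub
# whose secret material is absent.
has_secret_for() {
    [ -n "$1" ] || return 2
    awk -F: -v id="$1" "$AWK_ENDS"'
        ($1 == "sec" || $1 == "ssb") && ends($5, id) && $15 != "#" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Verdict for: error log, public listing, secret listing.
diagnose() {
    id=$(printf '%s\n' "$1" | recipient_from_log)
    owner=$(printf '%s\n' "$2" | primary_of "$id")
    if printf '%s\n' "$3" | has_secret_for "$id"; then
        echo "OK: secret key for $id is present (primary ${owner:-unknown})"
    else
        echo "MISSING: no secret key for $id (primary ${owner:-unknown})"
    fi
}

diagnose "$SAMPLE_LOG" "$SAMPLE_PUB" "$SAMPLE_SEC"
diagnose "$SAMPLE_LOG" "$SAMPLE_PUB" ""   # empty secret keyring, as on a fresh host
```

On a real restore host, feed the functions the output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons` in place of the sample variables.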