0

I created a backup with duplicity with GPG encryption used by below command. When I want to restore a file duplicity asks password for decryption. Any idea why? I use YubiKey 5 to store my GPG private key so it is not password protected, moreover, it asks passphrase for decryption not passphrase of GPG private key.

Earlier I used symmetric encryption too instead of GPG (PASSPHRASE environment variable) but in the meantime both ~/.cache/duplicity directory on client side and full backup set on remote side were deleted.

:/tmp$ duplicity restore --file-to-restore "/home/gabor/test.jpg" sftp://backupmachine//mnt/duplicity/ /tmp/teszt/test.jpg
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Sat Aug 27 14:02:43 2022
GnuPG passphrase for decryption:

This is how backup was created:

TARGET='sftp://backupmachine//mnt/duplicity/'
SSH_KEY="${BASE_DIR}/cloud.pem"

GPG_ENCRYPT_OPTS=--encrypt-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export DUP_OPT="--ssh-options -oIdentityFile=${SSH_KEY}"
duplicity $DUP_OPT $GPG_ENCRYPT_OPTS --full-if-older-than 3W --include-filelist "$(dirname $0)/gabor1-list.txt" --exclude '**' --exclude "$HOME/.cache/duplicity" / "${TARGET}"

This is how I tested .gpg files they are really encrypted with GPG key instead of symmetric encryption with passphrase:

:/tmp$ gpg -d duplicity-new-signatures.20220827T120243Z.to.20220828T010003Z.sigtar.gpg > x
gpg: encrypted with 4096-bit RSA key, ID xxxxxxxxxxxxxxxx, created 2022-05-27
      "me <email@address.tld>"
:/tmp$ file x
x: POSIX tar archive
Greg Askew
  • 35,880
  • 5
  • 54
  • 82
Halacs
  • 103
  • 4

1 Answers1

1

duplicity does not know that you created a passphraseless key. hence it asks. just supplying an empty one by hitting enter should suffice.

if you want duplicity not to ask provide either

PASSHPHRASE=''

or

  • set the option --use-agent to have gpg explicitly use it's agent to deal with passphrases.

hope that helped, ede/duply.net

ede-duply.net
  • 324
  • 1
  • 4
  • If I just simply press enter to provide empty passphrase I get this message, however, --use-agent looks good! Thanks! "Cannot use empty passphrase with symmetric encryption! Please try again." – Halacs Aug 28 '22 at 16:55
  • "Cannot use empty passphrase with symmetric encryption! Please try again." signals that duplicity is not aware of your keys and thinks it is in default symmetric encryption mode. what was the command line leading to the error message? – ede-duply.net Aug 29 '22 at 18:54
  • Yes, most probably that was the case because --use-agent option solves my issue as ede suggested. Thanks! – Halacs Aug 30 '22 at 19:59
  • still @Halacs make sure tat you are really using the keys by providing the proper parameters to duplicity! – ede-duply.net Aug 31 '22 at 20:04