
I am trying to create an ansible role to automate backups. However, it fails with the error:

```
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: ADD3F11Easdsdfs: skipped: public key not found
gpg: [stdin]: encryption failed: public key not found
===== End GnuPG log =====
```

The PGP key was generated using `gpg --gen-key <filename>` with these settings:

```
Key-Type: DSA
Key-Length: 4096
Name-Real: {{ gpg_name }}
Name-Comment: Used primarily for backup encryption on {{ inventory_hostname }}
Name-Email: {{ gpg_email }}
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
%echo done
```

As you can see, it has no expiry date (so it cannot have expired) and no passphrase. Both properties have been manually verified using the CLI.

This is the command I am using to run duplicity:

```
duplicity full /var/www gs://backups2/{{ inventory_hostname }} --encrypt-key {{ gpg_email }}
```

I have also tried using the key ID:

```
duplicity full /var/www gs://backups2/hostname --encrypt-key ADD3F11E
```

Any idea what could be going wrong?

DMCoding
  • This question is not software-development related at all and is off topic on Stack Overflow; therefore, consider asking on Super User instead. – Jens Erat Mar 19 '17 at 11:39
  • @JensErat there are over 7,000 questions currently tagged with ansible on Stack Overflow, another 4,500+ tagged with chef and nearly 3000 tagged with puppet. I am developing software which uses Duplicity and GPG. This is a perfect place to discuss the issue. – DMCoding Mar 20 '17 at 12:33
  • Your question is about plain usage of the duplicity tool, and while mentioning ansible your question is not specific to software development. You will have better luck asking at the right place, where you will get more visibility and attention. – Jens Erat Mar 24 '17 at 18:36
  • You're right that the question may have greater visibility if posted elsewhere. I merely wanted to point out that the statement that the question is not software development-related is factually incorrect. I am developing software using these tools which others will use; ergo the question is software-development-related. – DMCoding Mar 24 '17 at 18:42
  • The [community defines questions as "off-topic for Stack Overflow](https://stackoverflow.com/help/on-topic) unless they _directly involve tools used primarily for programming_", and this is not the case for sure. Especially as your question is about general duplicity usage and not specific to configuration management usage, apart from some embedded template variables. – Jens Erat Mar 24 '17 at 18:57

1 Answer


Run `gpg --version` and `/usr/bin/gpg --version` and check whether they are the same.

Duplicity might fall back to version 1.x.x, whereas your terminal might have an alias to invoke GnuPG version 2.x.x. In that case the key is created/imported with GnuPG 2, but GnuPG 1 might not know about it(?)

Alternatively, if you would like Duplicity to use GnuPG 2 and you are on Debian (or related), you can divert `/usr/bin/gpg2` to `/usr/bin/gpg` as described here or here. In that case duplicity will be forced to use version 2.

As noted in the reference, diverting might have undesirable side-effects on other programs expecting GnuPG version 1 when they call `/usr/bin/gpg`.

Niels
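The check the answer describes, written out as an added example (not part of the original answer): it compares the major version of every gpg binary that could be invoked and reports whether each one can see the recipient's key. As an extension beyond the answer, it also flags a key that is present but cannot encrypt; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Run it as the same user (and HOME) that runs duplicity,
# because every user has their own GnuPG keyring.

# The first line of `gpg --version` looks like "gpg (GnuPG) 2.1.11";
# print only the major version number.
major_from_banner() {
    awk 'NR == 1 { split($NF, v, "."); print v[1]; exit }'
}

# Classify `gpg --with-colons --list-keys RECIPIENT` output read from stdin.
# Field 12 of a "pub" record holds the capabilities: an uppercase E means the
# key as a whole can encrypt, D means the key is disabled.
key_status() {
    awk -F: '
        $1 == "pub" { seen = 1; if ($12 ~ /E/ && $12 !~ /D/) usable = 1 }
        END { print (usable ? "ok" : (seen ? "no-encryption-key" : "missing")) }'
}

# Report version and key visibility for each gpg binary that may be picked up.
diagnose() {
    recipient=$1
    checked=""
    for bin in "$(command -v gpg)" /usr/bin/gpg /usr/bin/gpg2; do
        [ -x "$bin" ] || continue
        case " $checked " in *" $bin "*) continue ;; esac
        checked="$checked $bin"
        major=$("$bin" --version 2>/dev/null | major_from_banner)
        status=$("$bin" --batch --with-colons --list-keys "$recipient" 2>/dev/null | key_status)
        printf '%s\tGnuPG %s\t%s\n' "$bin" "$major" "$status"
    done
}

# Constructed samples (not captured from a real system).
SAMPLE_BANNER_V1='gpg (GnuPG) 1.4.20'
SAMPLE_BANNER_V2='gpg (GnuPG) 2.1.11'
SAMPLE_SIGN_ONLY='pub:u:3072:17:0000000000000001:1489900000:::u:::scSC:'
SAMPLE_WITH_SUBKEY='pub:u:3072:17:0000000000000002:1489900000:::u:::scESC:
sub:u:3072:16:0000000000000003:1489900000::::::e:'

# Usage: sh check-gpg.sh RECIPIENT   (the value given to --encrypt-key)
if [ $# -gt 0 ]; then diagnose "$1"; fi
```

A binary that reports `missing` while another reports `ok` is the mismatch the answer suspects. An interactive alias for `gpg` is not visible to the script, so check `type gpg` in the terminal as well.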