How can I use Duplicity with a symmetric key?
Solution 1
The default mode of duplicity is to use a symmetric key which consists of a simple passphrase. There's no way I would use that though: if you have to type the key, you can't run an unattended backup!
If you want to run an unattended backup, you have to pass duplicity a public key somehow. The only kind of public key that duplicity supports is GPG, and that requires a key pair. If you don't want more security than the passphrase provides, keep plenty of copies of the private key around (e.g. store it on every backup medium, and print it).
Note that you need to choose a really good passphrase (as in long and having high entropy) to get reasonable security from offline attacks (which is the threat here).
Solution 2
Old question, but I have an answer. You can set the passphrase in your backup script to let it run unattended.
#!/bin/bash
export PASSPHRASE='<your password>'
duplicity…
mclark1129
Updated on September 17, 2022
Comments
-
mclark1129 almost 2 years
I am using duplicity to perform backups on my server. Right now duplicity is encrypting the backup using a GPG public-private key system. I would prefer to encrypt the backup files using just a passphrase, so I don't have to try and keep up with secret keys. How can I configure the backups to be encrypted this way?
Thanks,
Mike
-
Gilles 'SO- stop being evil' almost 14 years
@Mike: As far as I remember, duplicity only supports the two modes. If you're passing --encrypt-key, you're using public key encryption, and your private key is composed from your private key file and your passphrase. Otherwise you're using symmetric encryption and the secret key consists of your passphrase exclusively. Obviously, you should test restoring on a machine or account that doesn't have your gpg database, if that's what you want.
-
mclark1129 almost 14 years
I'm going to do a test restore tonight on a separate machine to see what happens, thanks!
-
Sam Wilson over 10 years
Don't forget unset PASSPHRASE at the end of the script, otherwise the passphrase will be available to other scripts.
-
Brad Spencer about 7 years
PASSPHRASE won't be available to other scripts, but it will be available to anything else in that script (presuming you aren't sourcing the script). If you really want to just set the passphrase for the duplicity command use the prefix syntax: PASSPHRASE=whatever duplicity ...
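
The scoping points raised in Solution 2 and the comments above (export, unset, the one-command prefix form, and running versus sourcing the script), as an added example that is not part of the original thread. The passphrase is a constructed sample value and `sh -c "$PROBE"` is a stand-in for duplicity or any other child process; duplicity itself is not invoked.

```bash
#!/bin/bash
# Added example, not from the thread. SECRET is a constructed sample value and
# `sh -c "$PROBE"` stands in for duplicity or any other program the script runs.
PROBE='printf "%s" "${PASSPHRASE-unset}"'   # prints what a child process sees
SECRET='constructed-sample-secret'

# Solution 2 as written: export with no unset. Later children inherit the secret.
with_export() (
    export PASSPHRASE="$SECRET"
    sh -c "$PROBE"; printf ' | '   # the backup command
    sh -c "$PROBE"                 # any later command in the same script
)

# Export, then unset once the backup command has finished.
with_export_then_unset() (
    export PASSPHRASE="$SECRET"
    sh -c "$PROBE"; printf ' | '
    unset PASSPHRASE
    sh -c "$PROBE"
)

# Prefix form: the variable exists only in that one command's environment.
with_prefix() (
    unset PASSPHRASE
    PASSPHRASE="$SECRET" sh -c "$PROBE"; printf ' | '
    sh -c "$PROBE"
)

# A script run as a child process cannot change its caller's environment.
caller_after_run() (
    unset PASSPHRASE
    sh -c "export PASSPHRASE='$SECRET'"
    printf '%s' "${PASSPHRASE-unset}"
)

# A sourced script runs inside the caller's shell, so its export stays behind.
caller_after_source() (
    unset PASSPHRASE
    tmp=$(mktemp) || exit 1
    printf 'export PASSPHRASE=%s\n' "$SECRET" > "$tmp"
    . "$tmp"; rm -f "$tmp"
    printf '%s' "${PASSPHRASE-unset}"
)

for f in with_export with_export_then_unset with_prefix caller_after_run caller_after_source; do
    printf '%-24s %s\n' "$f" "$($f)"
done
```

In every variant the passphrase is still readable by anyone who can read the script file, so restrict that file's permissions to the account that runs the backup.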