
duplicity-team team mailing list archive

Re: [Question #291346]: Encrypted passwords/phrases

 

Question #291346 on Duplicity changed:
https://answers.launchpad.net/duplicity/+question/291346

    Status: Open => Answered

edso proposed the following answer:
On 18.04.2016 17:27, Christoph Löhr wrote:
> New question #291346 on Duplicity:
> https://answers.launchpad.net/duplicity/+question/291346
> 
> Is there an option or feature where passwords and/or pass-phrases for gpg or storage backends can be stored encrypted?
> Is there any planned feature to add this support? This could be very useful for running automated encrypted backups.
> 
> Could this be a part of the installation itself or more like an add-on?
> 

having secrets (e.g. passphrases) encrypted/obfuscated makes no sense as
the decryption has to happen on the same machine anyway so the secret
can be used in gpg which expects it to be plain.

the standard solution for what you ask is gpg-agent, which keeps secrets
obfuscated within memory for a configurable time span. essentially you have to

1. configure gpg-agent to cache the passphrases for a really long time, e.g. https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session
2. run duplicity (or gpg against the same key used in duplicity) once as the user it is later run as in cron, and enter the secrets for gpg-agent to cache them

of course this must be repeated in case you reboot the machine at some
point.

..ede
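
The two steps from the answer above, sketched as an added example that is not part of the original post or of duplicity: a helper that sets the gpg-agent cache limits, and a pre-flight check a cron wrapper can use to detect a cold cache after a reboot. The function names, the TTL value passed in, and the keygrips in the sample agent output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, the TTL value and the keygrips are assumptions.

# set_agent_ttl CONF SECONDS
# Step 1: set both cache limits in gpg-agent.conf, replacing earlier values.
set_agent_ttl() {
    conf=$1
    ttl=$2
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    # Keep every other setting; drop only existing *-cache-ttl lines.
    grep -v -E '^[[:space:]]*(default|max)-cache-ttl[[:space:]]' "$conf" \
        > "$conf.tmp" || true
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$ttl" >> "$conf.tmp"
    chmod 600 "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# key_is_cached KEYGRIP
# Reads the output of: gpg-connect-agent 'keyinfo --list' /bye
# Succeeds only if the agent lists the key with the "cached" field (7th) set to 1.
key_is_cached() {
    awk -v kg="$1" '
        $1 == "S" && $2 == "KEYINFO" && $3 == kg { cached = ($7 == "1") }
        END { exit !cached }'
}

# preflight KEYGRIP
# For the cron wrapper: fail fast when the cache is cold (e.g. after a reboot)
# rather than letting duplicity wait on a passphrase prompt nobody will answer.
preflight() {
    gpg-connect-agent 'keyinfo --list' /bye | key_is_cached "$1"
}

# Constructed sample of agent output: first key cached, second not.
SAMPLE='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

# Offline demo against the constructed sample.
for kg in 1111111111111111111111111111111111111111 2222222222222222222222222222222222222222; do
    if printf '%s\n' "$SAMPLE" | key_is_cached "$kg"; then
        echo "$kg: cached"
    else
        echo "$kg: not cached, re-enter the passphrase before the next cron run"
    fi
done
```

After the file is changed, `gpgconf --reload gpg-agent` makes the running agent pick up the new limits; `gpg --list-secret-keys --with-keygrip` shows the keygrip to pass to `preflight`.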
