duplicity-team team mailing list archive

[Michael Terry <mike@xxxxxxxxxxx>]

Michael Terry has proposed merging lp:~mterry/duplicity/resume-encrypt-no-pass into lp:duplicity.

Requested reviews:
  duplicity-team (duplicity-team)

For more details, see:
https://code.launchpad.net/~mterry/duplicity/resume-encrypt-no-pass/+merge/375468

This branch arose from a Debian patch that has been disabling the encryption validation of volume1 during restarts for years.

Debian has been preserving the ability to back up with just an encrypt key and no password (i.e. to have no secrets on the backup machine).

This seems like a reasonable use case. So here's a patch to skip encryption validation in that scenario.
-- 
Your team duplicity-team is requested to review the proposed merge of lp:~mterry/duplicity/resume-encrypt-no-pass into lp:duplicity.

=== modified file 'duplicity/dup_main.py'
--- duplicity/dup_main.py	2019-09-22 23:44:56 +0000
+++ duplicity/dup_main.py	2019-11-13 04:19:44 +0000
@@ -153,14 +153,14 @@
     # there is no sign_key and there are recipients
     elif (action == u"full" and
           (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
-          globals.gpg_profile.sign_key and not globals.restart):
+          globals.gpg_profile.sign_key):
         return u""
 
     # for an inc backup, we don't need a password if
     # there is no sign_key and there are recipients
     elif (action == u"inc" and
           (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
-          globals.gpg_profile.sign_key and not globals.restart):
+          globals.gpg_profile.sign_key):
         return u""
 
     # Finally, ask the user for the passphrase
@@ -346,6 +346,13 @@
         from encrypted to non in the middle of a backup chain), so we check
         that the vol1 filename on the server matches the settings of this run.
         """
+        if ((globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and
+                not globals.gpg_profile.sign_key):
+            # When using gpg encryption without a signing key, we skip this validation
+            # step to ensure that we can still backup without needing the secret key
+            # on the machine.
+            return
+
         vol1_filename = file_naming.get(backup_type, 1,
                                         encrypted=globals.encryption,
                                         gzipped=globals.compression)

=== modified file 'testing/functional/test_restart.py'
--- testing/functional/test_restart.py	2019-09-26 14:58:52 +0000
+++ testing/functional/test_restart.py	2019-11-13 04:19:44 +0000
@@ -79,6 +79,22 @@
         self.backup(u"full", u"testfiles/largefiles")
         self.verify(u"testfiles/largefiles")
 
+    def test_restart_encrypt_without_password(self):
+        u"""
+        Test that we can successfully restart a encrypt-key-only backup without
+        providing a password for it. (Normally, we'd need to decrypt the first
+        volume, but there is special code to skip that with an encrypt key.)
+        """
+        self.set_environ(u'PASSPHRASE', None)
+        self.set_environ(u'SIGN_PASSPHRASE', None)
+        self.make_largefiles()
+        enc_opts = [u"--encrypt-key", self.encrypt_key1]
+        self.backup(u"full", u"testfiles/largefiles", options=enc_opts, fail=2)
+        self.backup(u"full", u"testfiles/largefiles", options=enc_opts)
+
+        self.set_environ(u'PASSPHRASE', self.sign_passphrase)
+        self.verify(u"testfiles/largefiles")
+
     def test_restart_sign_and_encrypt(self):
         u"""
         Test restarting a backup using same key for sign and encrypt