1

I'm trying to set up automatic, full filesystem backups on my local system using Duplicity. I do not want to have to enter my password for it to encrypt a volume: what if I am not at the computer and the backup stalls? I absolutely do not want to be prompted for a password for every volume it encrypts.

I already have login-session credential session caching set up with gpg-agent. For example, I can use the 'pass' command without needing to enter a password every time. This is how I would like Duplicity to work.

To have Duplicity perform a full filesystem backup, I think I need to run it as root using sudo. However, this makes it so the gpg commands run by Duplicity are run under the root user. One solution is the use of the --homedir option. However, there is no persistent session as the root user using this method.

I guess what I want to do is: have Duplicity run relevant gpg commands as my user and take advantage of my already-present session caching. Is this possible as-is or will it require changes to the code base?

Thanks

1 Answer

1

> I'm trying to set up automatic, full filesystem backups on my local system using Duplicity. I do not want to have to enter my password for it to encrypt a volume: what if I am not at the computer and the backup stalls? I absolutely do not want to be prompted for a password for every volume it encrypts.

The easiest solution is to use the double key approach: https://lists.launchpad.net/duplicity-team/msg02374.html

> I already have login-session credential session caching set up with gpg-agent. For example, I can use the 'pass' command without needing to enter a password every time. This is how I would like Duplicity to work.

gpg-agent works properly for duplicity, as it is merely using the command-line gpg binary. If you have persisting issues with duplicity, I suggest posting them on the duplicity mailing list.

> To have Duplicity perform a full filesystem backup, I think I need to run it as root using sudo.

Probably needed for some system folders.

> However, this makes it so the gpg commands run by Duplicity are run under the root user. One solution is the use of the --homedir option. However, there is no persistent session as the root user using this method.

You may have your gpg run as root reuse the gpg-agent of your user session, as described here: https://unix.stackexchange.com/questions/170758/using-gpg-agent-between-different-sessions

> I guess what I want to do is: have Duplicity run relevant gpg commands as my user and take advantage of my already-present session caching. Is this possible as-is or will it require changes to the code base?

Yes, as described above. The simplest solution, though, is a passphrase-less machine key pair stored under ~root/, which spares you the trouble of setting gpg-agent and entering passphrases at all.

..ede/duply.net

1
  • Thanks for your help. I ended up using a separate keypair in the root's homedir with passphrase, storing the passphrase in my backup script. This is what I wanted to avoid doing in the first place, but it seems alright... Aug 10, 2018 at 15:16
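
The answer's simplest option (a passphrase-less machine key pair under ~root/) shown as a root-run wrapper. This is an added example, not code from the answer or from the duplicity project; the keyring path, key id, source and target are placeholder assumptions, and it assumes the key pair already exists in that keyring.

```sh
#!/bin/sh
# Added example, not from the thread: root-run duplicity wrapper that uses a
# dedicated machine keyring, so no gpg-agent session or prompt is involved.
# Assumed placeholders: keyring path, key id, source and target below.
BACKUP_GNUPGHOME="${BACKUP_GNUPGHOME:-/root/.gnupg-backup}"
BACKUP_KEY_ID="${BACKUP_KEY_ID:-PLACEHOLDER_KEY_ID}"
BACKUP_SOURCE="${BACKUP_SOURCE:-/}"
BACKUP_TARGET="${BACKUP_TARGET:-file:///mnt/backup}"

# True only if $1 is a real directory (not a symlink), mode exactly 0700,
# owned by the calling user. A passphrase-less secret key is protected by
# file permissions alone, so anything looser is treated as a failure.
private_dir_ok() {
    [ -n "$(find "$1" -prune -type d -perm 700 -user "$(id -u)" 2>/dev/null)" ]
}

# True only if the keyring holds a secret key matching BACKUP_KEY_ID.
machine_key_present() {
    gpg --homedir "$BACKUP_GNUPGHOME" --batch --list-secret-keys \
        "$BACKUP_KEY_ID" >/dev/null 2>&1
}

# Checks the keyring, then starts a full backup encrypted to the machine key.
run_backup() {
    private_dir_ok "$BACKUP_GNUPGHOME" || {
        echo "refusing: $BACKUP_GNUPGHOME must be a 0700 directory you own" >&2
        return 1
    }
    machine_key_present || {
        echo "refusing: no secret key $BACKUP_KEY_ID in $BACKUP_GNUPGHOME" >&2
        return 1
    }
    # duplicity shells out to gpg, which reads GNUPGHOME from the environment.
    GNUPGHOME="$BACKUP_GNUPGHOME" duplicity full \
        --encrypt-key "$BACKUP_KEY_ID" \
        --exclude /proc --exclude /sys --exclude /dev --exclude /run \
        --exclude /mnt \
        "$BACKUP_SOURCE" "$BACKUP_TARGET"
}

# Run only when asked, e.g. from root's crontab: backup.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Keep a copy of the machine key pair somewhere other than the machine being backed up, since the archives cannot be restored without the secret key.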
