Update FAQ on private key use by Obnam when backing up

1 files changed, 17 insertions, 0 deletions

diff --git a/faq/private-key-for-backup.mdwn b/faq/private-key-for-backup.mdwn
index d84cde5..5651f73 100644
--- a/faq/private-key-for-backup.mdwn
+++ b/faq/private-key-for-backup.mdwn
@@ -6,3 +6,20 @@ files and when they were last modified. The metadata is also encrypted,
 and Obnam needs to decrypt it to be able to do an incremental backup.
 That is why Obnam needs the passphrase.
 
+Depending on how your GnuPG and its related agent is configured, you
+may need to type in the passphrase multiple times during a backup run.
+This is because the agent may expire the passphrase: it will remember
+it for, say, five minutes or an hour after you enter the passphrase,
+but after that you may need to enter the passphrase again. This can be
+awkward, and if you're not around to enter the passphrase, the backup
+may be terminated in the middle.
+
+There's two ways around that: you can either configure your GnuPG
+agent to remember the passphrase for a longer time, possibly
+indefinitely, or you can use a private key without a passphrase.
+Neither is unproblematic from a security point of view.
+
+In any case, it's not something that Obnam is part of. Obnam only runs
+gpg, and if gpg talks to its agent, which asks for a passphrase, or
+not, depending on the configuration. There's nothing Obnam can do to
+affect this.