Diffstat (limited to 'bugs/gpg-passphrase.mdwn')
-rw-r--r-- | bugs/gpg-passphrase.mdwn | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/bugs/gpg-passphrase.mdwn b/bugs/gpg-passphrase.mdwn deleted file mode 100644 index 308fa82..0000000 --- a/bugs/gpg-passphrase.mdwn +++ /dev/null 
@@ -1,47 +0,0 @@ -[[!tag obnam-wishlist]] -Obnam should, optionally, ask for a gpg passphrase, for the key specified -with --encrypt-with, so that a user without a gpg agent will be able to -do encrypted backups. Obnam should read the passphrase if its -ask-passphrase setting is true, and it has access to a terminal. -It should not have a setting for the passphrase itself, just for -reading it from a terminal (just so that people who don't know -better don't put their passphrase in a config file or similar). - -Those running obnam from cron will need to have a passphraseless -key, since there's no way to give obnam a passphrase in that case, -without storing it in the crontab or a config file, and then it's -no better than not having a passphrase. - -See [Debian -bug #649769](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649769). - ---liw - -From my understanding, having a symmetric passphrase stored in a config file is not useless at all. My purpose in encrypting the backup data is to prevent the remote server from having my data in plain-view; or if I back it up to an external drive, I wouldn't want it to be accessible to anyone who picks it up. But if someone gains access to my config file, he'll have direct access to all of my data anyway--he wouldn't need to access my backups. - -If I use a passphrase, then if my house burns down and I lose everything, I can get a new computer and download my data and decrypt it with my passphrase--which is long enough to be unfeasible to crack, yet completely memorized by me. - -If I use a key, then if my house burns down and I don't have a working copy of my key outside my house, my backups are totally useless, and I really HAVE lost everything. (Sure, I should take precautions to keep from losing my key--but things happen.) - ---Adam - -It's possible to get obnam to request a passphrase when running from cron: - -1. Ensure 'use-agent' is enabled in ~/.gnupg/gpg.conf. -2. 
Ensure the gpg-agent is running, and GPG_AGENT_INFO is set in your regular environment. Note that if obnam already asks for an enccryption passphrase when run normally, then 1 & 2 are already correctly set. -3. Ensure the environment obnam is called from in cron is exporting GPG_AGENT_INFO correctly. This means you must set and export the GPG_AGENT_INFO environment variable in your cron script. gpg writes this information to ~/.gnupg/gpg-agent-info-$(hostname), so in your cron script you must have: - - source "~/.gnupg/gpg-agent-info-$(hostname)" && export GPG_AGENT_INFO - -Then call obnam as normal. - -This will only work on a desktop system where there is someone to notice that a pinentry window has popped up. However it looks like there may be a way to forward the gpg-agent socket over ssh, and thus run obnam with encryption from cron on a headless remote machine (<a href="http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent">See here</a>). You'd probably have to store the private key on the remote machine though.. so not sure how useful that would be. - ---Scott - - ---- - -I continue to be of the opinion that a setting for the passphrase for -the GPG is pointless. The symmetric key is encrypted by GPG public key -only. [[done]] --liw |
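Review bot: the hunk deletes the entire bug page (47 lines, 0 insertions per the diffstat), so the only surviving rationale is the closing line "The symmetric key is encrypted by GPG public key only. [[done]] --liw", and Scott's cron workaround (sourcing ~/.gnupg/gpg-agent-info-$(hostname) and exporting GPG_AGENT_INFO) together with Adam's threat-model argument disappear with no forwarding pointer. Consider keeping the page in place with the [[done]] tag, or moving the gpg-agent steps to a documentation page and recording in the commit message where the resolution and the workaround now live, so users who reach this bug from the referenced Debian bug #649769 can still find them.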