[[!tag obnam-wishlist]]
Obnam should, optionally, ask for a gpg passphrase, for the key specified
with --encrypt-with, so that a user without a gpg agent will be able to
do encrypted backups. Obnam should read the passphrase if its
ask-passphrase setting is true, and it has access to a terminal.
It should not have a setting for the passphrase itself, just for
reading it from a terminal (just so that people who don't know
better don't put their passphrase in a config file or similar).

Those running obnam from cron will need to have a passphraseless
key, since there's no way to give obnam a passphrase in that case,
without storing it in the crontab or a config file, and then it's
no better than not having a passphrase.

See [Debian
bug #649769](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649769).

--liw

From my understanding, having a symmetric passphrase stored in a config file is not useless at all.  My purpose in encrypting the backup data is to prevent the remote server from having my data in plain-view; or if I back it up to an external drive, I wouldn't want it to be accessible to anyone who picks it up.  But if someone gains access to my config file, he'll have direct access to all of my data anyway--he wouldn't need to access my backups.

If I use a passphrase, then if my house burns down and I lose everything, I can get a new computer and download my data and decrypt it with my passphrase--which is long enough to be unfeasible to crack, yet completely memorized by me.

If I use a key, then if my house burns down and I don't have a working copy of my key outside my house, my backups are totally useless, and I really HAVE lost everything.  (Sure, I should take precautions to keep from losing my key--but things happen.)

--Adam

It's possible to get obnam to request a passphrase when running from cron:

1. Ensure 'use-agent' is enabled in ~/.gnupg/gpg.conf.
2. Ensure the gpg-agent is running, and GPG_AGENT_INFO is set in your regular environment. Note that if obnam already asks for an encryption passphrase when run normally, then 1 & 2 are already correctly set.
3. Ensure the environment obnam is called from in cron is exporting GPG_AGENT_INFO correctly. This means you must set and export the GPG_AGENT_INFO environment variable in your cron script. gpg writes this information to ~/.gnupg/gpg-agent-info-$(hostname), so in your cron script you must have:

	source "$HOME/.gnupg/gpg-agent-info-$(hostname)" && export GPG_AGENT_INFO

Then call obnam as normal.

This will only work on a desktop system where there is someone to notice that a pinentry window has popped up. However it looks like there may be a way to forward the gpg-agent socket over ssh, and thus run obnam with encryption from cron on a headless remote machine ([See here](http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent)). You'd probably have to store the private key on the remote machine though, so not sure how useful that would be.

--Scott
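The cron procedure above, written out as a wrapper script. This is an added example, not code from the obnam project or from Scott's post. It assumes a GnuPG 2.0-era agent that was started with `gpg-agent --daemon --write-env-file "$HOME/.gnupg/gpg-agent-info-$(hostname)"` (GnuPG 2.1 and later ignore GPG_AGENT_INFO and use a fixed socket path, so this setup does not apply there); the info file name, the key id placeholder and the obnam command line are illustrative assumptions. Rather than sourcing the info file, which executes whatever has been written into it, the script parses out the one line it needs, and it refuses to start the backup when the file is stale (the usual failure after a logout) so that cron does not silently run with no agent.

```shell
#!/bin/sh
# Added example, not the obnam project's code. Cron wrapper that attaches to
# the desktop session's gpg-agent before running obnam, so the pinentry
# prompt appears on the desktop. Assumes the GnuPG 2.0 agent info file
# written by gpg-agent --write-env-file; file name, key id and the obnam
# command line are assumptions for illustration.

set -u

# Print the GPG_AGENT_INFO value stored in an agent info file.
# The file is parsed, not sourced: sourcing would run any command placed
# in it. Returns 1 if the file is unreadable or has no such line.
read_gpg_agent_info() {
    info_file="$1"
    [ -r "$info_file" ] || return 1
    value=$(sed -n 's/^GPG_AGENT_INFO=//p' "$info_file" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# The value has the form /path/to/S.gpg-agent:PID:1; print only the socket path.
agent_socket_path() {
    printf '%s\n' "${1%%:*}"
}

# Export GPG_AGENT_INFO from the info file, but only if the socket it names
# still exists. A stale file from an earlier login session is the usual
# failure mode; in that case nothing is exported and the function returns 1.
load_gpg_agent_info() {
    value=$(read_gpg_agent_info "$1") || return 1
    [ -S "$(agent_socket_path "$value")" ] || return 1
    GPG_AGENT_INFO="$value"
    export GPG_AGENT_INFO
}

# Entry point for cron: put `backup-wrapper.sh run` in the crontab.
if [ "${1:-}" = "run" ]; then
    if ! load_gpg_agent_info "$HOME/.gnupg/gpg-agent-info-$(hostname)"; then
        echo "no running gpg-agent found; not starting the backup" >&2
        exit 1
    fi
    # KEYID and the repository path are placeholders for the example.
    exec obnam --encrypt-with=KEYID --repository=/srv/backups backup "$HOME"
fi
```

With the socket check in place, a missed pinentry prompt still leaves the backup blocked on the agent, but a dead agent produces a clear cron error instead of obnam failing further in.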


---

I continue to be of the opinion that a setting for the passphrase for
the GPG is pointless. The symmetric key is encrypted by GPG public key
only. [[done]] --liw