duplicity no longer performing backups without GPG decryption key
I have:
([x] when completed)
- searched https://gitlab.com/duplicity/duplicity/-/issues for similar issues. If you find a similar issue and the issue is still open, add a comment to the existing issue instead of opening a new one. If you find a Closed issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one.
- tested that this issue still occurs on the latest stable snap (install instructions: https://snapcraft.io/duplicity), please include the snap version (snap info duplicity | grep installed) output: installed: x.xx.xx (xx)
- ideally, tested that this issue still occurs on the latest edge snap, if you can test without risking your data. Please include the snap version output: installed: x.xx.xx (xx)
Summary
I am using duplicity to back up a server's files to Amazon S3 with GPG encryption.
The server has the GPG public key but not the secret key. The secret key is not needed for encryption, and keeping the secret key off the server reduces the risk of exposing the secret key.
This has worked fine for years, with backups stored to Amazon S3 every night, and with replacement servers deployed when necessary from these backups.
Since duplicity version 1.2.2 the backups have reported failure and have not uploaded backups to Amazon S3.
The backups are being done by backupninja. The backupninja logs show that duplicity 1.2.1 and 1.2.2 both report a GPG error, but 1.2.2 treats this as fatal whereas 1.2.1 goes ahead and performs a successful backup.
I believe this change of behavior is caused by commit 72a373af.
Environment
Ubuntu 22.04.2 LTS (server)
duplicity 1.2.2
Command line used: backupninja -n -d
The output indicates that backupninja is executing the command: nice -n 10 LC_ALL=C duplicity --no-print-statistics --ssh-options '' --encrypt-key --full-if-older-than 28D --archive-dir /var/cache/backupninja/duplicity --include '/var/vmail' --exclude '**' / s3:///email-server12-vphost-co-uk
Steps to reproduce
Use duplicity to back up to Amazon S3 with GPG encryption, but don't install the GPG secret key (only install the GPG public key).
What is the current bug behaviour?
Duplicity fails.
What is the expected correct behaviour?
For duplicity < 1.2.2 duplicity outputs a GPG error but successfully performs a backup and stores the backup in Amazon S3.
Relevant logs and/or screenshots
See attached.
Possible fixes
I don't know the code well enough to propose a fix, but I believe this change of behavior is caused by commit 72a373af.
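A preflight check for the setup described in this report (public key on the server, secret key kept off it), as an added example that is not part of the original issue or of duplicity's code: it parses `gpg --with-colons` listings and confirms that the backup key can encrypt while no usable secret key is present on the host. The key IDs and listings are constructed samples, and the function names are hypothetical.

```python
# Added example; record layout follows GnuPG's --with-colons output.
# Real listings: gpg --batch --with-colons --list-keys / --list-secret-keys
UNUSABLE = set("erid")  # validity: expired, revoked, invalid, disabled

# Constructed samples (key IDs and dates are made up).
PUB = ("pub:u:4096:1:1111AAAA2222BBBB:1600000000:::u:::scESC::::::23::0:\n"
       "sub:u:4096:1:3333CCCC4444DDDD:1600000000::::::e::::::23:\n")
SEC_FULL = "sec:u:4096:1:1111AAAA2222BBBB:1600000000:::u:::scESC:::+:::23::0:\n"
SEC_STUB = SEC_FULL.replace(":+:", ":#:")  # "#" marks a stub, no secret material

def key_blocks(listing):
    """Group colon records into blocks, each starting at a pub/sec record."""
    blocks = []
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] in ("pub", "sec"):
            blocks.append([rec])
        elif rec[0] in ("sub", "ssb") and blocks:
            blocks[-1].append(rec)
    return blocks

def find_block(listing, key_id):
    """Return the block whose primary key ID ends with key_id, else None."""
    for block in key_blocks(listing):
        if block[0][4].upper().endswith(key_id.upper()):
            return block
    return None

def audit_encrypt_only(pub_listing, sec_listing, key_id):
    """Report whether key_id can encrypt and whether its secret key is here."""
    pub = find_block(pub_listing, key_id)
    # Field 12 holds capabilities; a lowercase "e" marks an encryption key.
    can_encrypt = (pub is not None and pub[0][1] not in UNUSABLE and any(
        len(r) > 11 and "e" in r[11] and r[1] not in UNUSABLE for r in pub))
    sec = find_block(sec_listing, key_id) or []
    # Field 15 is "#" for a stub; anything else is treated as real key material.
    secret_present = any(not (len(r) > 14 and r[14] == "#") for r in sec)
    return {"can_encrypt": can_encrypt, "secret_present": secret_present,
            "ok": can_encrypt and not secret_present}

if __name__ == "__main__":
    for name, sec in (("none", ""), ("stub", SEC_STUB), ("full", SEC_FULL)):
        print(name, audit_encrypt_only(PUB, sec, "2222BBBB"))
```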