Leaving a password in the clear in a backup script file is a nuisance, because care must be taken not to make it public by accident. It is also a temptation for nosy people.
An OpenPGP asymmetric key (OpenPGP is the standard, GnuPG the implementation) only requires a password during decryption, not during encryption, which solves that problem.
We show how to create an encryption key without a signing key.
We show a couple of examples of how to use the key:
- unattended duplicity backup
- auto backup of etckeeper data
So as not to interfere with existing gpg keys, we create a separate gpg home directory.
- Default gpg home directory is ~/.gnupg
- We use alternate gpg home directory ~/.gnupg.local
We'll bypass gpg-agent and query for the password directly in the shell script when necessary (necessary = key creation, decryption, and the one-time backup of the key itself).
Adding a line to ~/.gnupg.local/gpg.conf makes this script query possible.
Add a link so the same configuration is used when we need the key as root:
sudo mkdir -p /root/.gnupg.local
sudo ln -s ~/.gnupg.local/gpg-agent.conf /root/.gnupg.local/gpg-agent.conf
We create a minimalist encryption key named encrypt@local.
GnuPG usually creates two “keys” together: a signing “key” and an encryption “key”. Each of those is itself a pair: a public “key” and a private “key”. For our purpose, we only need the encryption side. Unattended gpg key creation offers a way to do this. It's easiest to use a script file:
Notice the round brackets “()” surrounding the function body. They make the body run in a subshell, which stops the shell variable $Password from leaking out into the outer shell.
Execute it and enter the password.
Display the key:
gpg2 --homedir ~/.gnupg.local -k
As you can see, there is an encryption key but no signing key.
The encrypt@local secret key remains protected even if its key data is compromised, because you gave it a password. But if the key data is lost (e.g. disk failure), the backed-up encrypted data can no longer be decrypted, even if the password is not lost. So right after creating the key we back up the whole ~/.gnupg.local directory with a symmetric key.
With a symmetric key, everything needed to decrypt apart from the password is embedded with the encrypted data itself; the password is required during both encryption and decryption, and no key data is stored anywhere else.
Do it with a script file. Set BackupDir to a suitable value.
Execute and enter the password:
Test restoration is left as an exercise for the reader.
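As an added example (not the author's scripts), the key creation and the symmetric backup of the key directory described above in one bash script, plus the passphrase-free encryption the key is for. It assumes GnuPG 2.1+ installed as gpg2; ~/.gnupg.local and encrypt@local come from the text, while GNUPGHOME_LOCAL, KEY_NAME and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not the author's scripts): encryption-only key in its own GnuPG
# home, passphrase-free encryption, and a symmetric backup of the key directory.
# Assumes GnuPG 2.1+ as gpg2; GNUPGHOME_LOCAL, KEY_NAME and the functions are ours.
GNUPGHOME_LOCAL="${GNUPGHOME_LOCAL:-$HOME/.gnupg.local}"
KEY_NAME="${KEY_NAME:-encrypt@local}"

# Loopback pinentry lets the script hand gpg the passphrase instead of a
# gpg-agent pinentry dialog (older 2.1 agents need allow-loopback-pinentry).
gpg_local() { gpg2 --homedir "$GNUPGHOME_LOCAL" --batch --yes --pinentry-mode loopback "$@"; }

# Batch parameters for an RSA key whose usage is encrypt only: GnuPG then adds
# no signing subkey (the primary key keeps the cert flag OpenPGP requires).
key_params() {                  # $1 = key name, $2 = passphrase
    printf '%s\n' 'Key-Type: RSA' 'Key-Length: 3072' 'Key-Usage: encrypt' \
        "Name-Real: $1" 'Expire-Date: 0' "Passphrase: $2" '%commit'
}

read_pw() {                     # prompt on the terminal, no echo, refuse empty
    read -r -s -p "$1: " pw && echo >&2 && [ -n "$pw" ]
}

# The "( ... )" body is a subshell: $pw dies with it and never reaches the
# calling shell. Parameters go to gpg on stdin, not through a file on disk.
create_key() (
    mkdir -p "$GNUPGHOME_LOCAL" && chmod 700 "$GNUPGHOME_LOCAL"
    read_pw "Passphrase for $KEY_NAME" && key_params "$KEY_NAME" "$pw" | gpg_local --gen-key
)

# Encryption needs only the public key, so this runs unattended (cron, hooks).
encrypt_file() { gpg_local -r "$KEY_NAME" -o "$1.gpg" -e "$1"; }

# Symmetric backup of the whole key directory: after a disk failure only the
# backup passphrase is needed to restore the key and thus the data it protects.
backup_homedir() (               # $1 = destination directory
    read_pw "Backup passphrase" || return 1
    tmp=$(mktemp) || return 1    # the secret key inside is still passphrase-protected
    tar -C "$(dirname "$GNUPGHOME_LOCAL")" -cf "$tmp" "$(basename "$GNUPGHOME_LOCAL")" &&
        printf '%s\n' "$pw" | gpg_local --passphrase-fd 0 --symmetric \
            -o "$1/gnupg.local-$(date +%Y%m%d).tar.gpg" "$tmp"
    rm -f "$tmp"
)

case "${1:-}" in
    create)  create_key ;;
    encrypt) encrypt_file "$2" ;;
    backup)  backup_homedir "${2:-$HOME}" ;;
    "")      : ;;                # no arguments: only define the functions
    *)       echo "usage: $0 create | encrypt FILE | backup [DIR]" >&2 ;;
esac
```

Run `./keytool.sh create` once interactively, `./keytool.sh backup /media/usb` right after, and `./keytool.sh encrypt FILE` from any unattended job; `gpg2 --homedir ~/.gnupg.local -k` should then list an encryption key with no signing subkey.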
Example of unattended duplicity with no password required:
Credit for this etckeeper backup method belongs to Josh Triplett.
Go sudo and create the following files:
Set permissions - owner must be
chmod 755 /etc/.git/hooks/post-commit
Now every time etckeeper commit is called, the etckeeper repository will be backed up, e.g. automatically after apt updates.