diff options
-rw-r--r-- | handlers/dup.helper | 119 |
1 files changed, 98 insertions, 21 deletions
diff --git a/handlers/dup.helper b/handlers/dup.helper index 7297fb1..15afcfd 100644 --- a/handlers/dup.helper +++ b/handlers/dup.helper @@ -131,35 +131,88 @@ do_dup_dest() { setDefault gpg } -do_dup_gpg() { - - set -o noglob - - # encryptkey ? +do_dup_gpg_encryptkey() { REPLY= while [ -z "$REPLY" -o -z "$dup_gpg_encryptkey" ]; do - inputBox "$dup_title - GnuPG" "Enter the GnuPG key ID to be used to encrypt the backups:" "$dup_gpg_encryptkey" + inputBox "$dup_title - GnuPG" "Enter ID of the public GnuPG key to be used to encrypt the backups:" "$dup_gpg_encryptkey" [ $? = 0 ] || return 1 dup_gpg_encryptkey="$REPLY" done +} + +do_dup_gpg_sign() { + # sign ? + booleanBox "$dup_title - GnuPG" "Sign the backups?" "$dup_gpg_sign" + if [ $? = 0 ]; then + dup_gpg_sign=yes + else + dup_gpg_sign=no + fi +} + +do_dup_gpg_signkey() { + # one key pair ? + booleanBox "$dup_title - GnuPG" "Use the same GnuPG key pair for encryption and signing?" "$dup_gpg_onekeypair" + if [ $? = 0 ]; then + dup_gpg_onekeypair=yes + else + dup_gpg_onekeypair=no + fi - # passphrase ? + if [ "$dup_gpg_onekeypair" == "no" }; then + # signkey ? + REPLY= + while [ -z "$REPLY" -o -z "$dup_gpg_signkey" ]; do + inputBox "$dup_title - GnuPG" "Enter the ID of the private GnuPG key to be used to sign the backups:" "$dup_gpg_signkey" + [ $? = 0 ] || return 1 + dup_gpg_signkey="$REPLY" + done + fi +} + +do_dup_gpg_passphrase() { + local question="Enter the passphrase needed to $@:" REPLY= while [ -z "$REPLY" -o -z "$dup_gpg_password" ]; do - passwordBox "$dup_title - GnuPG" "Enter the passphrase needed to unlock the key 0x$dup_gpg_encryptkey" + passwordBox "$dup_title - GnuPG" "$question" [ $? = 0 ] || return 1 dup_gpg_password="$REPLY" done +} - # sign ? - booleanBox "$dup_title - GnuPG" "Sign the backups?" "$dup_gpg_sign" +do_dup_gpg() { + + # symmetric or public key encryption ? + booleanBox "$dup_title - GnuPG" "Use public key encryption? Else, symmetric encryption will be used, and data signing will be impossible." "$dup_gpg_asymmetric_encryption" if [ $? = 0 ]; then - dup_gpg_sign=yes + dup_gpg_asymmetric_encryption=yes else - dup_gpg_sign=no + dup_gpg_asymmetric_encryption=no + fi + + # when using public/private key pair encryption, ask for the keys to use + if [ "$dup_gpg_asymmetric_encryption" == yes ]; then + do_dup_gpg_encryptkey ; [ $? = 0 ] || return 1 + do_dup_gpg_sign ; [ $? = 0 ] || return 1 + if [ "$dup_gpg_sign" == yes ]; then + do_dup_gpg_signkey ; [ $? = 0 ] || return 1 + fi + fi + + # a passphrase is only needed when signing, or when symmetric encryption is used + if [ "$dup_gpg_asymmetric_encryption" == "no" ]; then + do_dup_gpg_passphrase "encrypt the backups" + [ $? = 0 ] || return 1 + elif [ "$dup_gpg_sign" == "yes" ]; then + if [ -z "$dup_gpg_signkey" ]; then + do_dup_gpg_passphrase "unlock the GnuPG 0x$dup_gpg_signkey key used to sign the backups" + [ $? = 0 ] || return 1 + else + do_dup_gpg_passphrase "unlock the GnuPG 0x$dup_gpg_encryptkey key used to sign the backups" + [ $? = 0 ] || return 1 + fi fi - set +o noglob _gpg_done="(DONE)" setDefault adv # TODO: replace the above line by the following when do_dup_conn is written @@ -222,21 +275,42 @@ testconnect = $dup_testconnect ###################################################### ## gpg section ## (how to encrypt and optionnally sign the backups) +## +## WARNING: old (pre-0.9.2) example.dup used to give wrong information about +## the way the following options are used. Please read ahead +## carefully. +## +## If the encryptkey variable is set: +## - data is encrypted with the GnuPG public key specified by the encryptkey +## variable +## - if signing is enabled, the password variable is used to unlock the GnuPG +## private key used for signing; else, you do not need to set the password +## variable +## If the encryptkey option is not set: +## - data signing is not possible +## - the password variable is used to encrypt the data with symmetric +## encryption: no GnuPG key pair is needed [gpg] -# passphrase needed to unlock the GnuPG key -# NB: do not quote it, and it should not contain any quote -password = $dup_gpg_password - +# when set to yes, encryptkey variable must be set bellow; if you want to use +# two different keys for encryption and signing, you must also set the signkey +# variable bellow. # default is no, for backward compatibility with backupninja <= 0.5. -# when set to yes, encryptkey option must be set below. sign = $dup_gpg_sign -# key ID used for data encryption and, optionnally, signing. -# if not set, local root's default gpg key is used. +# ID of the GnuPG public key used for data encryption. +# if not set, symmetric encryption is used, and data signing is not possible. encryptkey = $dup_gpg_encryptkey +# ID of the GnuPG private key used for data signing. +# if not set, encryptkey will be used. +signkey = $dup_gpg_signkey + +# password +# NB: do not quote it, and it should not contain any quote +password = $dup_gpg_password + ###################################################### ## source section ## (where the files to be backed up are coming from) @@ -415,8 +489,11 @@ dup_wizard() { dup_destdir="/backups/`hostname`" dup_desthost= dup_destuser= - dup_gpg_sign="yes" + dup_gpg_asymmetric_encryption="yes" dup_gpg_encryptkey="" + dup_gpg_sign="yes" + dup_gpg_onekeypair="yes" + dup_gpg_signkey="" dup_gpg_password="" dup_nicelevel=19 dup_testconnect=yes |