diff options
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | ChangeLog | 2 | ||||
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | examples/example.dup | 33 | ||||
| -rw-r--r-- | handlers/dup | 33 |
5 files changed, 54 insertions, 20 deletions
@@ -14,3 +14,4 @@ Patches: cmccallum@thecsl.org Daniel.Bonniot@inria.fr Brad Fritz <brad@fritzfam.com> -- trac patch +garcondumonde@riseup.net @@ -11,6 +11,8 @@ version 0.9.2 -- unreleased duplicity: . globbing support fixed in include and exclude options . different signing and encrypting key support added + . fixed erroneous comments in example.dup about the way + GnuPG-related options are used mysql: . handler vserver bugs fixed and debug output enhanced ninjahelper(s) changes @@ -0,0 +1,5 @@ +WARNING FOR DUPLICITY USERS + +Old (pre-0.9.2) example.dup file used to give false information about the way +the GnuPG-related options are used. Please read the new example.dup file, and +update your own configuration files if needed. diff --git a/examples/example.dup b/examples/example.dup index 88ac28c..1e788b9 100644 --- a/examples/example.dup +++ b/examples/example.dup @@ -11,25 +11,42 @@ nicelevel = 19 ###################################################### ## gpg section ## (how to encrypt and optionnally sign the backups) +## +## WARNING: old (pre-0.9.2) example.dup used to give wrong information about +## the way the following options are used. Please read ahead +## carefully. +## +## If the encryptkey variable is set: +## - data is encrypted with the GnuPG public key specified by the encryptkey +## variable +## - if signing is enabled, the password variable is used to unlock the GnuPG +## private key used for signing; else, you do not need to set the password +## variable +## If the encryptkey option is not set: +## - data signing is not possible +## - the password variable is used to encrypt the data with symmetric +## encryption: no GnuPG key pair is needed [gpg] -# passphrase needed to unlock the GnuPG key -# NB: do not quote it, and it should not contain any quote -password = a_very_complicated_passphrase - +# when set to yes, encryptkey variable must be set bellow; if you want to use +# two different keys for encryption and signing, you must also set the signkey +# variable bellow. # default is no, for backward compatibility with backupninja <= 0.5. -# when set to yes, either signkey or encryptkey option must be set below. sign = yes -# key ID used for data encryption. -# if not set, local root's default GnuPG key is used. +# ID of the GnuPG public key used for data encryption. +# if not set, symmetric encryption is used, and data signing is not possible. encryptkey = 04D9EA79 -# key ID used for data signing. +# ID of the GnuPG private key used for data signing. # if not set, encryptkey will be used. #signkey = 04D9EA79 +# password +# NB: do not quote it, and it should not contain any quote +password = a_very_complicated_passphrase + ###################################################### ## source section ## (where the files to be backed up are coming from) diff --git a/handlers/dup b/handlers/dup index c28619d..bbdb0ae 100644 --- a/handlers/dup +++ b/handlers/dup @@ -31,7 +31,6 @@ destdir=${destdir%/} [ "$destdir" != "" ] || fatal "Destination directory not set" [ "$include" != "" ] || fatal "No source includes specified" -[ "$password" != "" ] || fatal "No password specified" ### vservers stuff ### @@ -80,17 +79,27 @@ scpoptions="$sshoptions" execstr="$options --no-print-statistics --scp-command 'scp $scpoptions' --ssh-command 'ssh $sshoptions' " -# if encryptkey is set, add --encrypt-key to the command-line -[ -z "$encryptkey" ] || execstr="${execstr}--encrypt-key $encryptkey " -# if signkey is not set, set it to encryptkey -[ -n "$signkey" ] || signkey="$encryptkey" -# if needed, add --sign-key to command-line -if [ "$sign" == "yes" ]; then - if [ -n "$signkey" ]; then - execstr="${execstr}--sign-key $signkey " - else - fatal "Either encryptkey or signkey option must be set when signing." - fi +# deal with symmetric or asymmetric (public/private key pair) encryption +if [ -n "$encryptkey" ]; then + execstr="${execstr}--encrypt-key $encryptkey " + debug "Data will be encrypted with the GnuPG key $encryptkey." +else + [ -n "$password" ] || fatal "The password option must be set when using symmetric encryption." + debug "Data will be encrypted using symmetric encryption." +fi + +# deal with data signing +if [ "$sign" == yes ]; then + # duplicity is not able to sign data when using symmetric encryption + [ -n "$encryptkey" ] || fatal "The encryptkey option must be set when signing." + # if needed, initialize signkey to a value that is not empty (checked above) + [ -n "$signkey" ] || signkey="$encryptkey" + # check password validity + [ -n "$password" ] || fatal "The password option must be set when signing." + execstr="${execstr}--sign-key $signkey " + debug "Data will be signed will the GnuPG key $signkey." +else + debug "Data won't be signed." fi if [ "$keep" != "yes" ]; then |