# [SOLVED] duplicity + keychain: Anyone got it working yet?

## archrax

Hi guys, 

I'm using duplicity for encrypted backups. I'm using an encryption key and a signing key. Since I eventually want to run this on a daily cron schedule, I don't want to have to enter my signing passphrase every single day. I also don't want to leave my passphrase in my script as clear text. I therefore settled on using keychain to use cached passphrases.

I've got things set up so that when I log in keychain prompts me for my signing passphrase. So far so good. To check this, I then try signing a document using gpg in the standard manner, using my signing key. Works no problem and gpg does not prompt me for a passphrase, as expected.

However, when I try to run my duplicity backup script, I get prompted for my passphrase (twice no less). So it looks like duplicity is not being served with a passphrase. I don't know if it's my setup. Does anybody have this working? If so please could you tell me what it is.

Here is my existing setup:

.bash_profile

```
# Clear keys. This is a security measure.
keychain --clear

# Explicitly start ssh-agent and gpg-agent.
# keychain --eval prints the export lines for the agents; evaluate its output
# (backticks, not single quotes, or the variables never reach this shell).
eval `keychain --eval --agents ssh,gpg`

source ~/.keychain/`hostname`-sh-gpg

# Load signing key: keychain asks for the passphrase once and caches it in gpg-agent.
eval `keychain --eval mySigningKeyID`
```

I back up using the following incantation:

```
duplicity --encrypt-key myEncryptingKeyID --sign-key mySigningKeyID sourceDir file:///destDir
```

Any pointers would be much appreciated.

Last edited by archrax on Sat Jan 07, 2012 11:54 am; edited 1 time in total

----------

## Telemin

Hi,

Looking at the man page seems like you need the --use-agent option for duplicity to grab keys from ssh-agent rather than it being automatic.

-Telemin-

----------

## archrax

Hi Telemin,

I'm not using ssh yet. Just practising on local backup first.

I've already tried the --use-agent option but that is no longer used by gpg2 anyway - it will always use the agent if one is running (which is the case).

But I think I've narrowed this down to a duplicity problem rather than a keychain one. (Don't think gpg-agent is at fault either.)

----------

## archrax

This is where I'm at:

The man pages for duplicity are incorrect. The pages state regarding --use-agent:

```
GnuPG 2 and newer ignore this option and will always use a running gpg-agent if no passphrase was delivered.
```

In fact, you do need to invoke --use-agent in order to call gpg-agent. If you don't do this, then you will be prompted for the passphrase.

However, if you do this but no passphrase has been cached, then duplicity will go into an infinite loop waiting for gpg-agent to provide a password (to which of course there will be no response). There is no helpful error message or graceful end to the program.

I now have:

.bash_profile

```
keychain --clear

# Explicitly start ssh-agent and gpg-agent, importing their variables
# (evaluate keychain's output with backticks rather than single-quoting it).
eval `keychain --eval --agents ssh,gpg`

source ~/.keychain/`hostname`-sh-gpg

# Load keys: both passphrases are requested once and cached in gpg-agent
# (same key ID as in the duplicity commands below).
eval `keychain --eval myEncryptingKeyID mySigningKeyID`
```

```
duplicity --use-agent --encrypt-key myEncryptingKeyID --sign-key mySigningKeyID sourceDir file:///destDir

duplicity verify --use-agent --encrypt-key myEncryptingKeyID --sign-key mySigningKeyID file:///destDir sourceDir
```

I've now got it working except that keychain only seems to cache one key at a time. So in the code above, it will only remember the 2nd (latest I presume) decrypted key but not the 1st one, causing duplicity to hang when it needs the encryption passphrase in order to verify the backup. Anyone else having issues with this or can get multiple passwords cached? (I'm still not using ssh at the moment - just gpg).

Last edited by archrax on Sat Jan 07, 2012 11:53 am; edited 1 time in total
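Putting the findings of this post together (duplicity needs --use-agent, it loops forever when gpg-agent has nothing cached, and verify needs the encryption key's passphrase cached as well as the signing key's), the following is a cron wrapper written as an added example; it is not the poster's script and not part of duplicity or keychain. It sources the keychain environment file, probes gpg-agent for each key before calling duplicity, and exits with a message instead of hanging. It assumes GnuPG 2.1 or newer (for `--pinentry-mode error`), coreutils `timeout`, the placeholder key IDs and paths used in the thread, and a hypothetical script name `duplicity-cron.sh`.

```shell
#!/bin/sh
# Cron wrapper for duplicity + keychain (added example, not from the thread).
# Assumptions: keychain wrote $HOME/.keychain/<host>-sh-gpg at login,
# GnuPG >= 2.1 for --pinentry-mode error, coreutils timeout,
# and the thread's placeholder key IDs and paths.

KEYCHAIN_ENV="${KEYCHAIN_ENV:-$HOME/.keychain/$(hostname)-sh-gpg}"
ENCRYPT_KEY="${ENCRYPT_KEY:-myEncryptingKeyID}"   # placeholder key ID from the thread
SIGN_KEY="${SIGN_KEY:-mySigningKeyID}"            # placeholder key ID from the thread
SOURCE_DIR="${SOURCE_DIR:-$HOME/sourceDir}"       # placeholder path
DEST_URL="${DEST_URL:-file:///destDir}"           # placeholder target from the thread
GPG="${GPG:-gpg}"                                 # use gpg2 here on systems that name it so
BACKUP_TIMEOUT="${BACKUP_TIMEOUT:-6h}"            # hard stop so a hung run cannot pile up cron jobs

# Import the agent variables keychain saved at login. Returns 1 if the file
# is missing, which means no agent was started for this user.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1"
}

# Probe the signing key: succeeds only if gpg can sign a constructed message
# without any pinentry, i.e. the passphrase is already cached in gpg-agent.
# --pinentry-mode error makes gpg fail instead of prompting; timeout covers
# an agent that never answers, which is the hang described in the thread.
sign_cached() {
    printf 'probe' | timeout 15 "$GPG" --batch --no-tty --pinentry-mode error \
        --local-user "$1" --sign >/dev/null 2>&1
}

# Probe the encryption key the same way duplicity verify will use it:
# encrypt a constructed message to the key, then decrypt without pinentry.
decrypt_cached() {
    printf 'probe' | "$GPG" --batch --no-tty --trust-model always \
        --recipient "$1" --encrypt 2>/dev/null |
        timeout 15 "$GPG" --batch --no-tty --pinentry-mode error --decrypt >/dev/null 2>&1
}

# Refuse to start unless every passphrase duplicity will need is cached.
preflight() {
    load_agent_env "$KEYCHAIN_ENV" ||
        { echo "keychain env file not readable: $KEYCHAIN_ENV" >&2; return 1; }
    sign_cached "$SIGN_KEY" ||
        { echo "signing passphrase not cached for $SIGN_KEY" >&2; return 1; }
    decrypt_cached "$ENCRYPT_KEY" ||
        { echo "encryption passphrase not cached for $ENCRYPT_KEY" >&2; return 1; }
}

# The two commands from the thread, each bounded by a timeout.
run_backup() {
    timeout "$BACKUP_TIMEOUT" duplicity --use-agent \
        --encrypt-key "$ENCRYPT_KEY" --sign-key "$SIGN_KEY" "$SOURCE_DIR" "$DEST_URL" || return 1
    timeout "$BACKUP_TIMEOUT" duplicity verify --use-agent \
        --encrypt-key "$ENCRYPT_KEY" --sign-key "$SIGN_KEY" "$DEST_URL" "$SOURCE_DIR"
}

main() {
    preflight && run_backup
}

# Hypothetical cron entry:  0 2 * * * $HOME/bin/duplicity-cron.sh run
case "${1:-}" in run) main ;; esac
```

Because cron does not run .bash_profile, the wrapper has to source the keychain file itself; the probes then turn the silent hang into a non-zero exit with a reason on stderr, which is what you want a nightly job to do when the agent cache has expired.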

----------

## archrax

Workaround:

Just don't clear keychain when you login. Then the decrypted private keys should still be cached in memory from the last session (provided you haven't rebooted or set a timeout).

----------

