[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Duplicity-talk] Questions regarding symmetric encryption/signing
|
From: |
Eponymous - |
|
Subject: |
Re: [Duplicity-talk] Questions regarding symmetric encryption/signing |
|
Date: |
Thu, 25 Jun 2015 13:33:14 +0100 |
>> duplicity utilizes the command line binary gpg which only supports piping on
>> passphrase. so both of the above is true.
if no key is given the passphrase is used for symmetric de/encryption.
if one is givenit's used to unlock the keys for decryption or signing.
I still don't see how in the symmetric role of operation this marries
up with how GPG works: "Both PGP and GnuPG use hybrid ciphers. The
session key, encrypted using the public-key cipher, and the message
being sent, encrypted with the symmetric cipher, are automatically
combined in one package. The recipient uses his private-key to decrypt
the session key and the session key is then used to decrypt the
message." [1]
Or are you saying that if we don't give a key, then we don't use GPG
at all and instead the data is raw encrypted using the PASSPHRASE as a
key to some internal encryption engine in Duplicity?
>> let me point you to "a Note on Symmetric Encryption and Signing"
>> http://duplicity.nongnu.org/duplicity.1.html#sect24 which seems to have
>> slipped your man page reading ;)
I did read this over a few times before asking and it still didn't
make sense to me. For example, it states:
"3. The used PASSPHRASE for symmetric encryption and the passphrase of
the signing key are identical. "
What does this mean? Is it referring to the PASSPHRASE env variable
used to protect the GPG keys? How does the SIGN_PASSPHRASE env
variable play into this?
>> how about using http://duply.net which takes care to generate the proper
>> command lines for you?
I think it's more that I think some of the references to
command-lines/env variables are confusing.
For example:
"--encrypt-key key-id When backing up, encrypt to the given public
key, instead of using symmetric (traditional) encryption. Can be
specified multiple times. The key-id can be given in any of the
formats supported by GnuPG; see gpg(1) , section "HOW TO SPECIFY A
USER ID" for details. "
I'd say that's not a helpful choice of name there :) From reading:
"--encrypt-key" it's not obvious that this only applies to
public/private keypair encryption.
Again, sorry if these seem like obvious questions but Duplicity looks
to be perfect for my needs seems like it's worth the effort of getting
a deep understanding :)
1. https://www.gnupg.org/gph/en/manual.html#AEN26
On Thu, Jun 25, 2015 at 1:15 PM, <address@hidden> wrote:
> On 25.06.2015 14:04, Eponymous - wrote:
>> I'm reposting this as I haven't heard anything and don't know if it was
>> because my original email didn't get through or not. I checked the archives
>> and don't see it there either...
>>
>> Thanks.
>>
>> On 16 Jun 2015 15:24, "Eponymous -" <address@hidden <mailto:address@hidden>>
>> wrote:
>>>
>>> Hi,
>>>
>>> I have a question regarding Duplicity and symmetric encryption.
>>>
>>> Firstly, I've read through the man page for Duplicity and also the
>>> entire GPG document: http://www.gnupg.org/documentation/guides.html
>>>
>>> I noticed Duplicity has --encrypt-key and --sign-key options which
>>> confuse me slightly.
>>>
>>> From what I understand symmetric encryption would be the best choice
>>> for my use-case of Duplicity since it will only be I who accesses the
>>> backed up data.
>>>
>>> My first question is how does Duplicity implement this?
>>>
>>> Does it simply use the PASSPHRASE (as defined as a shell variable) to
>>> both encrypt and decrypt the data or is this passphrase the one used
>>> for unlocking the GPG keyring and I still need to setup up GPG keys
>>> first?
>
> duplicity utilizes the command line binary gpg which only supports piping on
> passphrase. so both of the above is true.
> if no key is given the passphrase is used for symmetric de/encryption. if one
> is givenit's used to unlock the keys for decryption or sigining.
>
>>> This takes care of encryption, so on to signing:
>>>
>>> How can I utilize symmetric encryption but also sign everything I
>>> backup? Surely signing needs a Private key to sign the computed hash
>>> and a Public key to verify?
>
> let me point you to "a Note on Symmetric Encryption and Signing"
> http://duplicity.nongnu.org/duplicity.1.html#sect24
> which seems to have slipped your man page reading ;)
>
>>>
>>> Again, does this need to be set up in advance with GPG?
>>>
>>> For both questions I'm really interested on how I configure Duplicity
>>> to work as the command line options are somewhat confusing to me.
>>>
>>> This seems like a really great program and I hope you can bear with me
>>> if these questions seem obvious.
>>>
>
> how about using http://duply.net which takes care to generate the proper
> command lines for you?
>
> ..ede/duply.net