Cannot restore when passphrase has changed
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Duplicity | Fix Released | Medium | Unassigned | | |
Bug Description
My use case:
I have done incremental backups for a long time:
export PASSPHRASE=one
duplicity full $args $src $dst
duplicity $args $src $dst
... etc
Now, I need to rotate the passphrase, so I create a new chain with the new passphrase and keep on doing incrementals with that new passphrase:
export PASSPHRASE=two
duplicity full $args $src $dst
duplicity $args $src $dst
... etc
Now, I need to restore the last backup on another machine. It fails to fetch the metadata:
export PASSPHRASE=two
duplicity restore $args --force $dst $src
Synchronizing remote metadata to local cache...
Copying manifest-
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key
===== End GnuPG log =====
According to the date of the archive it's restoring, it must have been encrypted using the old PASSPHRASE. However, this is expected. I don't really need to restore that file until I need to restore an older backup. Is there no other way to do this? Can't I just tell Duplicity to sync signatures and manifests only for the needed chains (the last one actually)?
Changed in duplicity:
milestone: none → 0.8.00
milestone: 0.8.00 → none
Changed in duplicity:
milestone: none → 0.7.19
importance: Undecided → Medium
I tried restoring with --ignore-errors, to let duplicity sync only metadata that is encrypted with the same passphrase, but it yields the same error. 😕
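
As an added illustration of the question in the bug description (this is not duplicity's own code), the sketch below groups a backend listing into backup chains and returns only the manifests and signatures belonging to the newest chain, which are the files a restore with the new passphrase depends on. It assumes duplicity's default remote file naming with GPG encryption, uses a constructed listing, and assigns incrementals to chains by timestamp order rather than by duplicity's own chain-linking logic.

```python
import re

# Assumed: duplicity's default remote names with GPG encryption, e.g.
#   duplicity-full.<T>.manifest.gpg / duplicity-full-signatures.<T>.sigtar.gpg
#   duplicity-inc.<T1>.to.<T2>.manifest.gpg
#   duplicity-new-signatures.<T1>.to.<T2>.sigtar.gpg
TS = r"\d{8}T\d{6}Z"
FULL = re.compile(rf"^duplicity-full(?:-signatures)?\.({TS})\.(?:manifest|sigtar)\.gpg$")
INC = re.compile(rf"^duplicity-(?:inc|new-signatures)\.({TS})\.to\.{TS}\.(?:manifest|sigtar)\.gpg$")


def metadata_by_chain(names):
    """Map each full-backup timestamp to the metadata files of its chain."""
    fulls = sorted({m.group(1) for n in names if (m := FULL.match(n))})
    chains = {t: [] for t in fulls}
    for name in sorted(names):
        if m := FULL.match(name):
            chains[m.group(1)].append(name)
        elif m := INC.match(name):
            # Simplification: an incremental is assigned to the newest full
            # at or before its start time (timestamps sort lexicographically).
            owners = [t for t in fulls if t <= m.group(1)]
            if owners:
                chains[owners[-1]].append(name)
    return chains


def latest_chain_metadata(names):
    """Metadata files a restore of the newest backup actually depends on."""
    chains = metadata_by_chain(names)
    return chains[max(chains)] if chains else []


# Constructed listing: one chain per passphrase, as in the report above.
LISTING = [
    "duplicity-full.20190101T000000Z.manifest.gpg",
    "duplicity-full-signatures.20190101T000000Z.sigtar.gpg",
    "duplicity-full.20190101T000000Z.vol1.difftar.gpg",
    "duplicity-inc.20190101T000000Z.to.20190102T000000Z.manifest.gpg",
    "duplicity-new-signatures.20190101T000000Z.to.20190102T000000Z.sigtar.gpg",
    "duplicity-full.20190201T000000Z.manifest.gpg",
    "duplicity-full-signatures.20190201T000000Z.sigtar.gpg",
    "duplicity-full.20190201T000000Z.vol1.difftar.gpg",
    "duplicity-inc.20190201T000000Z.to.20190202T000000Z.manifest.gpg",
    "duplicity-new-signatures.20190201T000000Z.to.20190202T000000Z.sigtar.gpg",
]

if __name__ == "__main__":
    for name in latest_chain_metadata(LISTING):
        print(name)
```

Every metadata file outside the returned list belongs to an older chain and, in the scenario reported here, was encrypted with the previous passphrase.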