Comment 4 for bug 878964

Tim Ruffing (8-public) wrote:

I don't think this is fixed properly.

Let me sum up the change:
In the new function validate_encryption_settings, the first volume is decrypted to see if the provided passphrase matches the one from the aborted backup run.

This makes sense for symmetric encryption. However, for public key encryption, we can just check if the recipients are the same. There is no need to decrypt anything in the whole process (or do we need it somewhere else?), so we do not need any private decryption keys.
duplicity 0.6.21 requests those keys:

 RESTART: Volumes 7 to 9 failed to upload before termination.
         Restarting backup at volume 7.
[...]
===== Begin GnuPG log =====
gpg: encrypted with 2048-bit RSA key, ID BA6C3E32, created 2013-08-15
"KEY TO ENCRYPT MY BACKUPS (I will never use this key to encrypt anything else than my personal backups. I will never use this key to sign anything.)"
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available
===== End GnuPG log =====

(Here I did not provide a passphrase. But the point is that duplicity wants to have the private key.)

The only exception: Hidden recipients. There is no obvious solution:
 - Detecting added hidden recipients could be done by trying to decrypt, like for the symmetric case. But this is again not great for those who want to store their private keys somewhere else or for unattended backups.
 - For removed (and added) hidden recipients, one could store the recipients in the local cache as long as the backup is not finished. Since they should be hidden, that does not sound like a good idea either.
 - Or just live with the fact that parts of the backup can be decrypted with different keys in this special case...
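The recipient comparison proposed in the comment above, as an added example that is neither duplicity's code nor the commenter's: it reads the key IDs from the public-key encrypted session key (PKESK) packets that gpg writes at the front of each volume, compares them with the configured recipient set, and reports a hidden recipient (all-zero key ID) as unverifiable rather than trying to decrypt. The packet layout follows RFC 4880; the key IDs and the sample volume bytes are constructed.

```python
"""Recipient check for a gpg-encrypted duplicity volume; needs no private key."""
PKESK_TAG = 1        # public-key encrypted session key packet (RFC 4880, section 5.1)
HIDDEN_KEY_ID = 0    # --hidden-recipient / --throw-keyids writes an all-zero key ID

def _packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the OpenPGP packet header at buf[pos]."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                  # new-format header (one- or two-octet lengths only)
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        raise ValueError("five-octet and partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header, as gpg writes for PKESK
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype               # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def recipient_key_ids(volume):
    """Key IDs of the leading PKESK packets; stops at the first packet of another type."""
    ids, pos = [], 0
    while pos < len(volume):
        tag, start, length = _packet_header(volume, pos)
        if tag != PKESK_TAG:
            break
        if volume[start] != 3:
            raise ValueError("unexpected PKESK version %d" % volume[start])
        ids.append(int.from_bytes(volume[start + 1:start + 9], "big"))
        pos = start + length
    return ids

def check_recipients(volume, expected):
    """'ok', 'mismatch', or 'hidden' (a hidden recipient cannot be verified without decrypting)."""
    found = recipient_key_ids(volume)
    if HIDDEN_KEY_ID in found:
        return "hidden"
    return "ok" if set(found) == set(expected) else "mismatch"

def _pkesk(key_id, mpi_len=256):
    """Constructed old-format RSA PKESK packet with a dummy MPI, for the sample below."""
    body = b"\x03" + key_id.to_bytes(8, "big") + b"\x01" + (mpi_len * 8).to_bytes(2, "big") + bytes(mpi_len)
    return b"\x85" + len(body).to_bytes(2, "big") + body

KEY_A, KEY_B = 0x0123456789ABCDEF, 0xFEDCBA9876543210     # constructed key IDs, not real keys
SAMPLE = _pkesk(KEY_A) + _pkesk(KEY_B) + b"\xd2\x00"       # two recipients, then a (truncated) SEIPD packet
```

On a real volume the same functions run over the first few kilobytes of the file; a "hidden" result is exactly the case the comment says has no clean answer without decryption.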