Duplicity

Merge lp:~mterry/duplicity/resume-encrypt-no-pass into lp:~duplicity-team/duplicity/0.8-series

  1. resume-encrypt-no-pass
  2. Merge into 0.8-series
Proposed by Michael Terry
Status: Merged
Merged at revision: 1503
Proposed branch: lp:~mterry/duplicity/resume-encrypt-no-pass
Merge into: lp:~duplicity-team/duplicity/0.8-series
Diff against target: 61 lines (+25/-2)
2 files modified
duplicity/dup_main.py (+9/-2)
testing/functional/test_restart.py (+16/-0)
To merge this branch: bzr merge lp:~mterry/duplicity/resume-encrypt-no-pass
Reviewer Review Type Date Requested Status
duplicity-team Pending
Review via email: mp+375468@code.launchpad.net

Description of the change

This branch arose from a Debian patch that has been disabling the encryption validation of volume1 during restarts for years.

Debian has been preserving the ability to back up with just an encrypt key and no password (i.e. to have no secrets on the backup machine).

This seems like a reasonable use case. So here's a patch to skip encryption validation in that scenario.

To post a comment you must log in.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'duplicity/dup_main.py'
--- duplicity/dup_main.py 2019-09-22 23:44:56 +0000
+++ duplicity/dup_main.py 2019-11-13 04:19:44 +0000
@@ -153,14 +153,14 @@
153 # there is no sign_key and there are recipients153 # there is no sign_key and there are recipients
154 elif (action == u"full" and154 elif (action == u"full" and
155 (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not155 (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
156 globals.gpg_profile.sign_key and not globals.restart):156 globals.gpg_profile.sign_key):
157 return u""157 return u""
158158
159 # for an inc backup, we don't need a password if159 # for an inc backup, we don't need a password if
160 # there is no sign_key and there are recipients160 # there is no sign_key and there are recipients
161 elif (action == u"inc" and161 elif (action == u"inc" and
162 (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not162 (globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
163 globals.gpg_profile.sign_key and not globals.restart):163 globals.gpg_profile.sign_key):
164 return u""164 return u""
165165
166 # Finally, ask the user for the passphrase166 # Finally, ask the user for the passphrase
@@ -346,6 +346,13 @@
346 from encrypted to non in the middle of a backup chain), so we check346 from encrypted to non in the middle of a backup chain), so we check
347 that the vol1 filename on the server matches the settings of this run.347 that the vol1 filename on the server matches the settings of this run.
348 """348 """
349 if ((globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and
350 not globals.gpg_profile.sign_key):
351 # When using gpg encryption without a signing key, we skip this validation
352 # step to ensure that we can still backup without needing the secret key
353 # on the machine.
354 return
355
349 vol1_filename = file_naming.get(backup_type, 1,356 vol1_filename = file_naming.get(backup_type, 1,
350 encrypted=globals.encryption,357 encrypted=globals.encryption,
351 gzipped=globals.compression)358 gzipped=globals.compression)
352359
=== modified file 'testing/functional/test_restart.py'
--- testing/functional/test_restart.py 2019-09-26 14:58:52 +0000
+++ testing/functional/test_restart.py 2019-11-13 04:19:44 +0000
@@ -79,6 +79,22 @@
79 self.backup(u"full", u"testfiles/largefiles")79 self.backup(u"full", u"testfiles/largefiles")
80 self.verify(u"testfiles/largefiles")80 self.verify(u"testfiles/largefiles")
8181
82 def test_restart_encrypt_without_password(self):
83 u"""
84 Test that we can successfully restart a encrypt-key-only backup without
85 providing a password for it. (Normally, we'd need to decrypt the first
86 volume, but there is special code to skip that with an encrypt key.)
87 """
88 self.set_environ(u'PASSPHRASE', None)
89 self.set_environ(u'SIGN_PASSPHRASE', None)
90 self.make_largefiles()
91 enc_opts = [u"--encrypt-key", self.encrypt_key1]
92 self.backup(u"full", u"testfiles/largefiles", options=enc_opts, fail=2)
93 self.backup(u"full", u"testfiles/largefiles", options=enc_opts)
94
95 self.set_environ(u'PASSPHRASE', self.sign_passphrase)
96 self.verify(u"testfiles/largefiles")
97
82 def test_restart_sign_and_encrypt(self):98 def test_restart_sign_and_encrypt(self):
83 u"""99 u"""
84 Test restarting a backup using same key for sign and encrypt100 Test restarting a backup using same key for sign and encrypt

Subscribers

People subscribed via source and target branches