#+date 2016-06-09 20:41:06 +0800
#+title obnam multi client encrypted backups

Trying to configure [[http://obnam.org][obnam]] to use one repository
for 3 clients using encryption has been a bit of a search.

Initialising the first client was straightforward. I simply set it up to
use a gpg key for encryption per the manual. Since that key is only used
for encrypting backups from this client, making it not have a passphrase
seemed to be a good option.

For the next client, things got a bit trickier. Since the backup
repository is now encrypted, that client couldn't access it. The
solution I ended up with was to temporarily ensure client 2 has access
to client 1's secret key too.

On client 1: =gpg --export-secret-key -a LONG_KEY > client1.private.key=

That file I had to copy to the other client, and import it using:

On client 2: =gpg --import client1.private.key=

Now I could configure this client with its own gpg key and perform an

After this, client 1's secret key can be removed again:
=gpg --delete-secret-key LONG_KEY= followed by
=gpg --delete-key LONG_KEY=.

(Not removing it defeats the purpose of having a specific key per
client - the workaround above doesn't seem entirely sensible from that
perspective either, as the secret key needs to be shared temporarily.)
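
A check for the cleanup step above, as an added example that is not part of the original post: it reads =gpg --list-secret-keys --with-colons= output and reports whether client 1's secret key or the exported key file is still present on client 2. The function names and the sample listing are constructed for illustration; =LONG_KEY= and =client1.private.key= are the post's placeholders.

```shell
#!/bin/sh
# Added example. Typical use on client 2 after the cleanup step:
#   gpg --list-secret-keys --with-colons | check_cleanup LONG_KEY client1.private.key

# Succeed (exit 0) if the colon listing on stdin still holds secret key
# material for the given key ID. Field 5 of a "sec" record is the 16-digit
# key ID; field 10 of an "fpr" record is the full fingerprint. Short or long
# IDs are matched against the tail of either value, with or without "0x".
has_secret_key() {
    [ -n "$1" ] || return 2
    awk -F: -v want="$1" '
        function tail(s) { return substr(toupper(s), length(s) - n + 1) }
        BEGIN { want = toupper(want); sub(/^0X/, "", want); n = length(want) }
        $1 == "sec" && length($5)  >= n && tail($5)  == want { found = 1 }
        $1 == "fpr" && length($10) >= n && tail($10) == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Return the number of leftovers found (0 means the cleanup is complete):
# the secret key still in the keyring, and the exported file still on disk.
check_cleanup() {   # usage: check_cleanup KEYID EXPORT_FILE < colon-listing
    problems=0
    if has_secret_key "$1"; then
        echo "secret key $1 is still in this keyring" >&2
        problems=$((problems + 1))
    fi
    if [ -e "$2" ]; then
        echo "exported key file $2 still exists" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample of a colon listing (not real key material).
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111222233334444:1465475000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1465475000::0000000000000000000000000000000000000000::client2 backup::::::::::0:
ssb:u:4096:1:5555666677778888:1465475000::::::e:::+:::23:
EOF
}
```

The exported =client1.private.key= file exists on both clients after the copy, so the file check is worth running on client 1 as well.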

The third client should have been easy, but gpg-agent made it a bit more
tricky. Obnam failed to run because it couldn't find gpg-agent. Several
workarounds have been documented in the past, but they all ended up not
working anymore since version 2.1 of gpg-agent. I ended up [fn:1] having
to modify =~/.bashrc= as follows:
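
#+BEGIN_SRC sh
function gpg-update() {
    # GPG_AGENT_INFO has the form socket-path:agent-pid:protocol-version.
    GPG_PID=$(pidof gpg-agent)
    GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:$GPG_PID:1
    export GPG_AGENT_INFO
}
#+END_SRC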

[fn:1] [[https://bugzilla.redhat.com/show_bug.cgi?id=1221234#c5][Brian Lane on RedHat's bugtracker]]