[[!meta date="2016-06-09 20:41:06 +0800"]]

Trying to configure [obnam](http://obnam.org) to use one repository for 3 clients using encryption has been a bit of search.

Initialising the first client was straightforward. I simply set it up to use a gpg key for encryption per the manual. Since that key is only used for encrypting backups from this client, making it not have a passphrase seemed to be a good option.

For the next client, things got a bit trickier. Since the backup repository is now encrypted, that client couldn't access it. The solution I ended up with was to temporarily ensure client 2 has access to client 1's secret key too.

On client 1: `gpg --export-secret-key -a LONG_KEY > client1.private.key`

That file I had to copy to the other client, and import it using:

On client 2: `gpg --import client1.private.key`

Now I could configure this client with its own gpg key and perform an initial backup.

After this, client 1's secret key can be removed again: `gpg --delete-secret-key LONG_KEY` followed by `gpg --delete-key LONG_KEY`.

(Not removing it defeats the purpose of having a specific key per client - the workaround above doesn't seem entirely sensible from that perspective either, as the secret key needs to be shared temporarily.)

The third client should have been easy, but gpg-agent made it a bit more tricky. Obnam failed to run because it couldn't find gpg-agent. Several workarounds have been documented in the past, but they all ended up not working anymore since version 2.1 of gpg-agent. I ended up [^1] having to modify `~/.bashrc` as follows: 

	function gpg-update() {
		GPG_PID=$(pidof gpg-agent)
		GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:$GPG_PID:1
		export GPG_AGENT_INFO
	}

	gpg-update

[^1]: Courtesy of [Brian Lane on RedHat's bugtracker](https://bugzilla.redhat.com/show_bug.cgi?id=1221234#c5)