a question on duplicity and gpg


a question on duplicity and gpg

duplicity-talk mailing list
Hello to all, 

after installing duplicity I find a new behaviour of gpg. 

I have in my computer several files that I have gpg-encrypted and for accessing them 
I had to give a passphrase. 

After installing duplicity, a passphrase is suddenly no longer necessary to access 
the gpg-encrypted files. It seems that duplicity activates a gpg-agent that 
reads the passphrase to automate duplicity. At the moment I use duplicity with 
symmetric encryption because I save a backup on a disk in my home. 

This behaviour of gpg makes all the files I had unsafe, as anybody entering my computer 
can open any gpg-encrypted file. Is it possible to use duplicity without having this effect?

Thanks 


Giuliano




_

Giuliano Franchetti

Storage Rings/ Accelerator Operations

Office:         C26 1.019
phone:       +49 6159 71 1535
fax:             +49 6159 71 3099
[hidden email]
http://web-docs.gsi.de/~giuliano 

GSI Helmholtzzentrum für Schwerionenforschung GmbH
Planckstraße 1, 64291 Darmstadt, Germany, www.gsi.de

Commercial Register / Handelsregister: Amtsgericht Darmstadt, HRB 1528
Managing Directors / Geschäftsführung:
Professor Dr. Paolo Giubellino, Dr. Ulrich Breuer, Jörg Blaurock
Chairman of the Supervisory Board / Vorsitzender des GSI-Aufsichtsrats:
State Secretary / Staatssekretär Dr. Georg Schütte

Commercial Register / Handelsregister: Amtsgericht Darmstadt, HRB 1528
Managing Directors / Geschäftsführung:
Professor Dr. Paolo Giubellino, Ursula Weyrich, Jörg Blaurock
Chairman of the Supervisory Board / Vorsitzender des GSI-Aufsichtsrats:
Ministerialdirigent Dr. Volkmar Dietz





_______________________________________________
Duplicity-talk mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/duplicity-talk

Re: a question on duplicity and gpg

duplicity-talk mailing list
hey Giuliano,

On 11/20/2020 9:36, Giuliano Franchetti via Duplicity-talk wrote:
> Hello to all, 
>
> after installing duplicity I find a new behaviour of gpg. 

which duplicity, gpg versions?

that's not exactly caused by duplicity. gpg2 uses gpg-agent by default for all password related stuff. duplicity enables '--pinentry-mode=loopback' for its gpg calls to prevent that.

you can research gpg documentation to find out how to disable gpg-agent or set a very short password caching time (ttl).

> I have in my computer several files that I have gpg-encrypted and for accessing them 
> I had to give a passphrase. 
>
> After installing duplicity suddenly to access the files gpg encrypted it is not 
> necessary a passphrase anymore. It seems that duplicity activate a gpg-agent that 
> read the passphrase to automatize duplicity. At the moment I use duplicity with 
> symmetric encryption because I save a backup in a disk in my home. 
>
> This behaviour of gpg  makes all the files I had unsafe as anybody entering in my computer 
> can open any gpg encrypted file. Is it possible to use duplicity, but not having this effect?
>

you shouldn't leave your system unlocked then :). but yeah, obviously not what you intended.

it's possible that you have a special combination of duplicity/gpg2 installed that does not disable gpg-agent properly, but i need to know which versions you are running.
it's also possible that gpg-agent is running from your manual gpg calls because, as written, that's the new default gpg2 behaviour.

..ede/duply.net


Re: a question on duplicity and gpg

duplicity-talk mailing list
Hi Edgar, 


this is my gpg version 

gpg (GnuPG) 2.2.24
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/giuliano/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

and this is the duplicity version 

duplicity 0.7.18.1


Giuliano





Re: a question on duplicity and gpg

duplicity-talk mailing list
On 11/20/2020 13:27, Giuliano Franchetti wrote:
> Hi Edgar, 
>
>
> this is my gpg version 
>
> gpg (GnuPG) 2.2.24
> libgcrypt 1.8.6
SNIP
>
> and this is the duplicity version 
>
> duplicity 0.7.18.1

duplicity 0.7 is eol. you should update to latest 0.8 if possible at all.

the switch seems to be in since duplicity 0.7.13 at least
"
New in v0.7.13 (2017/06/12)
---------------------------
* Fixed bug #1680682 with patch supplied from Dave Allan
  - Only specify --pinentry-mode=loopback when --use-agent is not specified
"

do you maybe specify '--use-agent' as duplicity parameter?

please test as follows.
1. kill all gpg-agent instances
2. run duplicity
3. check if gpg-agent is suddenly running in background or not

..ede/duply.net
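
The two suggestions from the replies above (a short passphrase cache TTL, and the kill/run/check test), as an added shell example that is not part of the thread or of duplicity. The function names and the 60-second limit are assumptions; `default-cache-ttl` and `max-cache-ttl` are gpg-agent's own options.

```shell
#!/bin/sh
# Added example (not from the thread). gpg-agent's documented defaults are
# default-cache-ttl 600 and max-cache-ttl 7200 (seconds).

# effective_ttl CONF OPTION DEFAULT: value configured for OPTION in CONF,
# or DEFAULT if unset. If the option appears more than once, the larger
# value is reported so the audit errs on the cautious side.
effective_ttl() {
    val=""
    [ -r "$1" ] && val=$(awk -v opt="$2" '
        $1 == opt && $2 ~ /^[0-9]+$/ { if ($2 + 0 > v) v = $2 + 0; seen = 1 }
        END { if (seen) print v }' "$1")
    echo "${val:-$3}"
}

# cache_audit CONF LIMIT: succeed only if neither TTL exceeds LIMIT seconds,
# i.e. a cached passphrase cannot outlive LIMIT.
cache_audit() {
    def=$(effective_ttl "$1" default-cache-ttl 600)
    max=$(effective_ttl "$1" max-cache-ttl 7200)
    echo "default-cache-ttl=$def max-cache-ttl=$max limit=$2"
    [ "$def" -le "$2" ] && [ "$max" -le "$2" ]
}

# set_ttl CONF SECONDS: set both TTL options to SECONDS, keeping other lines.
set_ttl() {
    tmp="$1.tmp.$$"
    { [ -r "$1" ] && awk '$1 != "default-cache-ttl" && $1 != "max-cache-ttl"' "$1"
      echo "default-cache-ttl $2"
      echo "max-cache-ttl $2"; } > "$tmp" && mv "$tmp" "$1"
}

# agent_started_by CMD...: the three-step test from the thread.
agent_started_by() {
    gpgconf --kill gpg-agent        # 1. stop the agent of the current GNUPGHOME
    "$@" || echo "command exited with status $?" >&2   # 2. run duplicity or gpg
    pgrep -x gpg-agent >/dev/null   # 3. exit 0: an agent is running again
}

# Typical use (commented out so nothing runs on load; file name is a placeholder):
#   cache_audit ~/.gnupg/gpg-agent.conf 60 || set_ttl ~/.gnupg/gpg-agent.conf 60
#   gpgconf --reload gpg-agent
#   agent_started_by gpg --decrypt some-file.gpg >/dev/null && echo "agent started"
```

A running agent only picks up the changed TTL values after `gpgconf --reload gpg-agent` or a restart.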


Re: a question on duplicity and gpg

duplicity-talk mailing list
I made a test: kill all gpg-agents. Afterwards, if I use gpg to decrypt a file, 
it does not ask for a passphrase and decrypts with the first line as 


> gpg --decrypt clt.zgpg 
gpg: encrypted with 4096-bit ELG key, ID D3BE5743BC446527, created 2009-01-01
      "Giuliano1 (c) <[hidden email]>"
clt.f0000644000076600000000000000076113755763202011553 0ustar00giulianowheel

.
.
.




and at the same time it launches an agent

gpg-agent --homedir /Users/giuliano/.gnupg --use-standard-socket --daemon






Re: a question on duplicity and gpg

duplicity-talk mailing list
Hi,

Please upgrade to the current version of duplicity.  This will assure that any bugs fixed since your release are available and may fix your issue.

There are multiple options both stable and daily:

Note 1: UNINSTALL duplicity first if it was installed from a different source.  This is due to divergent install locations, especially between repository installs and the other forms.

Note 2: Launchpad PPAs contain builds for Bionic 18.04, Eoan 19.10, Focal 20.04, and Hirsute 20.10.  Xenial 16.04 works with Snap and Pip installs, but cannot be built under Launchpad PPAs at the moment.

...Thanks,
...Ken

