setDefault gpg
}
-do_dup_gpg() {
-
- set -o noglob
-
- # encryptkey ?
+do_dup_gpg_encryptkey() {
REPLY=
while [ -z "$REPLY" -o -z "$dup_gpg_encryptkey" ]; do
- inputBox "$dup_title - GnuPG" "Enter the GnuPG key ID to be used to encrypt the backups:" "$dup_gpg_encryptkey"
+ inputBox "$dup_title - GnuPG" "Enter ID of the public GnuPG key to be used to encrypt the backups:" "$dup_gpg_encryptkey"
[ $? = 0 ] || return 1
dup_gpg_encryptkey="$REPLY"
done
+}
+
+do_dup_gpg_sign() {
+ # sign ?
+ booleanBox "$dup_title - GnuPG" "Sign the backups?" "$dup_gpg_sign"
+ if [ $? = 0 ]; then
+ dup_gpg_sign=yes
+ else
+ dup_gpg_sign=no
+ fi
+}
+
+do_dup_gpg_signkey() {
+ # one key pair ?
+ booleanBox "$dup_title - GnuPG" "Use the same GnuPG key pair for encryption and signing?" "$dup_gpg_onekeypair"
+ if [ $? = 0 ]; then
+ dup_gpg_onekeypair=yes
+ else
+ dup_gpg_onekeypair=no
+ fi
- # passphrase ?
+ if [ "$dup_gpg_onekeypair" == "no" }; then
+ # signkey ?
+ REPLY=
+ while [ -z "$REPLY" -o -z "$dup_gpg_signkey" ]; do
+ inputBox "$dup_title - GnuPG" "Enter the ID of the private GnuPG key to be used to sign the backups:" "$dup_gpg_signkey"
+ [ $? = 0 ] || return 1
+ dup_gpg_signkey="$REPLY"
+ done
+ fi
+}
+
+do_dup_gpg_passphrase() {
+ local question="Enter the passphrase needed to $@:"
REPLY=
while [ -z "$REPLY" -o -z "$dup_gpg_password" ]; do
- passwordBox "$dup_title - GnuPG" "Enter the passphrase needed to unlock the key 0x$dup_gpg_encryptkey"
+ passwordBox "$dup_title - GnuPG" "$question"
[ $? = 0 ] || return 1
dup_gpg_password="$REPLY"
done
+}
- # sign ?
- booleanBox "$dup_title - GnuPG" "Sign the backups?" "$dup_gpg_sign"
+do_dup_gpg() {
+
+ # symmetric or public key encryption ?
+ booleanBox "$dup_title - GnuPG" "Use public key encryption? Else, symmetric encryption will be used, and data signing will be impossible." "$dup_gpg_asymmetric_encryption"
if [ $? = 0 ]; then
- dup_gpg_sign=yes
+ dup_gpg_asymmetric_encryption=yes
else
- dup_gpg_sign=no
+ dup_gpg_asymmetric_encryption=no
+ fi
+
+ # when using public/private key pair encryption, ask for the keys to use
+ if [ "$dup_gpg_asymmetric_encryption" == yes ]; then
+ do_dup_gpg_encryptkey ; [ $? = 0 ] || return 1
+ do_dup_gpg_sign ; [ $? = 0 ] || return 1
+ if [ "$dup_gpg_sign" == yes ]; then
+ do_dup_gpg_signkey ; [ $? = 0 ] || return 1
+ fi
+ fi
+
+ # a passphrase is only needed when signing, or when symmetric encryption is used
+ if [ "$dup_gpg_asymmetric_encryption" == "no" ]; then
+ do_dup_gpg_passphrase "encrypt the backups"
+ [ $? = 0 ] || return 1
+ elif [ "$dup_gpg_sign" == "yes" ]; then
+ if [ -z "$dup_gpg_signkey" ]; then
+ do_dup_gpg_passphrase "unlock the GnuPG 0x$dup_gpg_signkey key used to sign the backups"
+ [ $? = 0 ] || return 1
+ else
+ do_dup_gpg_passphrase "unlock the GnuPG 0x$dup_gpg_encryptkey key used to sign the backups"
+ [ $? = 0 ] || return 1
+ fi
fi
- set +o noglob
_gpg_done="(DONE)"
setDefault adv
# TODO: replace the above line by the following when do_dup_conn is written
######################################################
## gpg section
## (how to encrypt and optionnally sign the backups)
+##
+## WARNING: old (pre-0.9.2) example.dup used to give wrong information about
+## the way the following options are used. Please read ahead
+## carefully.
+##
+## If the encryptkey variable is set:
+## - data is encrypted with the GnuPG public key specified by the encryptkey
+## variable
+## - if signing is enabled, the password variable is used to unlock the GnuPG
+## private key used for signing; else, you do not need to set the password
+## variable
+## If the encryptkey option is not set:
+## - data signing is not possible
+## - the password variable is used to encrypt the data with symmetric
+## encryption: no GnuPG key pair is needed
[gpg]
-# passphrase needed to unlock the GnuPG key
-# NB: do not quote it, and it should not contain any quote
-password = $dup_gpg_password
-
+# when set to yes, encryptkey variable must be set bellow; if you want to use
+# two different keys for encryption and signing, you must also set the signkey
+# variable bellow.
# default is no, for backward compatibility with backupninja <= 0.5.
-# when set to yes, encryptkey option must be set below.
sign = $dup_gpg_sign
-# key ID used for data encryption and, optionnally, signing.
-# if not set, local root's default gpg key is used.
+# ID of the GnuPG public key used for data encryption.
+# if not set, symmetric encryption is used, and data signing is not possible.
encryptkey = $dup_gpg_encryptkey
+# ID of the GnuPG private key used for data signing.
+# if not set, encryptkey will be used.
+signkey = $dup_gpg_signkey
+
+# password
+# NB: do not quote it, and it should not contain any quote
+password = $dup_gpg_password
+
######################################################
## source section
## (where the files to be backed up are coming from)
dup_destdir="/backups/`hostname`"
dup_desthost=
dup_destuser=
- dup_gpg_sign="yes"
+ dup_gpg_asymmetric_encryption="yes"
dup_gpg_encryptkey=""
+ dup_gpg_sign="yes"
+ dup_gpg_onekeypair="yes"
+ dup_gpg_signkey=""
dup_gpg_password=""
dup_nicelevel=19
dup_testconnect=yes