cmccallum@thecsl.org
Daniel.Bonniot@inria.fr
Brad Fritz <brad@fritzfam.com> -- trac patch
+garcondumonde@riseup.net
duplicity:
. globbing support fixed in include and exclude options
. different signing and encrypting key support added
+ . fixed erroneous comments in example.dup about the way
+ GnuPG-related options are used
mysql:
. handler vserver bugs fixed and debug output enhanced
ninjahelper(s) changes
+WARNING FOR DUPLICITY USERS
+
+Old (pre-0.9.2) example.dup file used to give false information about the way
+the GnuPG-related options are used. Please read the new example.dup file, and
+update your own configuration files if needed.
######################################################
## gpg section
## (how to encrypt and optionnally sign the backups)
+##
+## WARNING: old (pre-0.9.2) example.dup used to give wrong information about
+## the way the following options are used. Please read ahead
+## carefully.
+##
+## If the encryptkey variable is set:
+## - data is encrypted with the GnuPG public key specified by the encryptkey
+## variable
+## - if signing is enabled, the password variable is used to unlock the GnuPG
+## private key used for signing; else, you do not need to set the password
+## variable
+## If the encryptkey option is not set:
+## - data signing is not possible
+## - the password variable is used to encrypt the data with symmetric
+## encryption: no GnuPG key pair is needed
[gpg]
-# passphrase needed to unlock the GnuPG key
-# NB: do not quote it, and it should not contain any quote
-password = a_very_complicated_passphrase
-
+# when set to yes, encryptkey variable must be set bellow; if you want to use
+# two different keys for encryption and signing, you must also set the signkey
+# variable bellow.
# default is no, for backward compatibility with backupninja <= 0.5.
-# when set to yes, either signkey or encryptkey option must be set below.
sign = yes
-# key ID used for data encryption.
-# if not set, local root's default GnuPG key is used.
+# ID of the GnuPG public key used for data encryption.
+# if not set, symmetric encryption is used, and data signing is not possible.
encryptkey = 04D9EA79
-# key ID used for data signing.
+# ID of the GnuPG private key used for data signing.
# if not set, encryptkey will be used.
#signkey = 04D9EA79
+# password
+# NB: do not quote it, and it should not contain any quote
+password = a_very_complicated_passphrase
+
######################################################
## source section
## (where the files to be backed up are coming from)
[ "$destdir" != "" ] || fatal "Destination directory not set"
[ "$include" != "" ] || fatal "No source includes specified"
-[ "$password" != "" ] || fatal "No password specified"
### vservers stuff ###
execstr="$options --no-print-statistics --scp-command 'scp $scpoptions' --ssh-command 'ssh $sshoptions' "
-# if encryptkey is set, add --encrypt-key to the command-line
-[ -z "$encryptkey" ] || execstr="${execstr}--encrypt-key $encryptkey "
-# if signkey is not set, set it to encryptkey
-[ -n "$signkey" ] || signkey="$encryptkey"
-# if needed, add --sign-key to command-line
-if [ "$sign" == "yes" ]; then
- if [ -n "$signkey" ]; then
- execstr="${execstr}--sign-key $signkey "
- else
- fatal "Either encryptkey or signkey option must be set when signing."
- fi
+# deal with symmetric or asymmetric (public/private key pair) encryption
+if [ -n "$encryptkey" ]; then
+ execstr="${execstr}--encrypt-key $encryptkey "
+ debug "Data will be encrypted with the GnuPG key $encryptkey."
+else
+ [ -n "$password" ] || fatal "The password option must be set when using symmetric encryption."
+ debug "Data will be encrypted using symmetric encryption."
+fi
+
+# deal with data signing
+if [ "$sign" == yes ]; then
+ # duplicity is not able to sign data when using symmetric encryption
+ [ -n "$encryptkey" ] || fatal "The encryptkey option must be set when signing."
+ # if needed, initialize signkey to a value that is not empty (checked above)
+ [ -n "$signkey" ] || signkey="$encryptkey"
+ # check password validity
+ [ -n "$password" ] || fatal "The password option must be set when signing."
+ execstr="${execstr}--sign-key $signkey "
+ debug "Data will be signed will the GnuPG key $signkey."
+else
+ debug "Data won't be signed."
fi
if [ "$keep" != "yes" ]; then