Trying to configure obnam to use one repository for 3 clients using encryption has been a bit of a search.
Initialising the first client was straightforward. I simply set it up to use a gpg key for encryption per the manual. Since that key is only used for encrypting backups from this client, making it not have a passphrase seemed to be a good option.
For the next client, things got a bit trickier. Since the backup repository is now encrypted, that client couldn't access it. The solution I ended up with was to temporarily ensure client 2 has access to client 1's secret key too.
On client 1: gpg --export-secret-key -a LONG_KEY > client1.private.key
That file I had to copy to the other client, and import it using:
On client 2: gpg --import client1.private.key
Now I could configure this client with its own gpg key and perform an initial backup.
After this, client 1's secret key can be removed again:
    gpg --delete-secret-key LONG_KEY
followed by
    gpg --delete-key LONG_KEY
(Not removing it defeats the purpose of having a specific key per client - the workaround above doesn't seem entirely sensible from that perspective either, as the secret key needs to be shared temporarily.)
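One way to confirm the cleanup on client 2, as an added example that is not part of the original post: it scans gpg's `--with-colons` listing for any record of client 1's key that is still present. The function names, key IDs and sample listing are constructed for illustration; LONG_KEY is the post's own placeholder.

```shell
#!/bin/sh
# Added example. Key IDs and the listing below are constructed sample data.

# key_records KEYID
# Reads a `gpg --with-colons` key listing on stdin and prints the record type
# (sec/ssb = secret key material, pub/sub = public key) of every record
# matching KEYID. KEYID may be a short/long key ID or a full fingerprint,
# with or without a leading 0x.
key_records() {
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2        # an empty ID would match every key
    awk -F: -v want="$want" '
        function ends(s, suffix) {
            return length(s) >= length(suffix) &&
                   substr(s, length(s) - length(suffix) + 1) == suffix
        }
        $1 ~ /^(sec|ssb|pub|sub)$/ && $5 != "" {
            id = toupper($5)          # field 5 holds the long key ID
            if (ends(id, want) || ends(want, id)) print $1
        }'
}

# key_removed KEYID
# Exit 0 if the local keyrings hold no record of KEYID, 1 if something is
# left behind, 2 if gpg is not available (so "no output" is never mistaken
# for "key removed").
key_removed() {
    command -v gpg >/dev/null 2>&1 || return 2
    left=$( { gpg --batch --list-secret-keys --with-colons
              gpg --batch --list-keys --with-colons; } 2>/dev/null |
            key_records "$1" )
    [ -z "$left" ]
}

# Constructed listing: client 1's key (ending 33334444) is still present
# next to client 2's own key (ending AAAABBBB).
SAMPLE_LISTING='sec:u:4096:1:1111222233334444:1465000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
ssb:u:4096:1:5555666677778888:1465000000::::::e:::+:::23:
sec:u:4096:1:99990000AAAABBBB:1465000001:::u:::scESC:::+:::23::0:'

# Usage on client 2 after the two delete commands:
#   key_removed LONG_KEY; echo "status: $?"   # 0 gone, 1 still present, 2 no gpg
```

A `sec` or `ssb` line in the output means secret key material from client 1 is still on client 2; `pub` or `sub` means only the public half is left.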
The third client should have been easy, but gpg-agent made it a bit more tricky. Obnam failed to run because it couldn't find gpg-agent. Several workarounds have been documented in the past, but they all ended up not working anymore since version 2.1 of gpg-agent. I ended up[1] having to modify ~/.bashrc as follows:
    # Point GPG_AGENT_INFO at the running gpg-agent's socket
    function gpg-update() {
        GPG_PID=$(pidof gpg-agent)
        GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:$GPG_PID:1
        export GPG_AGENT_INFO
    }
    # Run once for every new shell
    gpg-update
Footnotes:
[1] Courtesy of Brian Lane on RedHat's bugtracker
Posted on Thursday 9 June 2016 at 20:41