Trying to configure obnam to use one repository for 3 clients using encryption has been a bit of search.

Initialising the first client was straightforward. I simply set it up to use a gpg key for encryption per the manual. Since that key is only used for encrypting backups from this client, making it not have a passphrase seemed to be a good option.

For the next client, things got a bit trickier. Since the backup repository is now encrypted, that client couldn't access it. The solution I ended up with was to temporarily ensure client 2 has access to client 1's secret key too.

On client 1: gpg --export-secret-key -a LONG_KEY > client1.private.key

That file I had to copy to the other client, and import it using:

On client 2: gpg --import client1.private.key

Now I could configure this client with its own gpg key and perform an initial backup.

After this, client 1's secret key can be removed again: gpg --delete-secret-key LONG_KEY followed by gpg --delete-key LONG_KEY.

(Not removing it defeats the purpose of having a specific key per client - the workaround above doesn't seem entirely sensible from that perspective either, as the secret key needs to be shared temporarily.)

The third client should have been easy, but gpg-agent made it a bit more tricky. Obnam failed to run because it couldn't find gpg-agent. Several workarounds have been documented in the past, but they all ended up not working anymore since version 2.1 of gpg-agent. I ended up ¹ having to modify ~/.bashrc as follows:

function gpg-update() {
    GPG_PID=$(pidof gpg-agent)
    GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:$GPG_PID:1
    export GPG_AGENT_INFO
}

gpg-update