How to change the passphrase of a duplicity backup?
How to change the passphrase of a duplicity backup? I tried to just provide a new one when doing a backup but was faced with an error.
GPGError: GPG Failed
How should I proceed to change the passphrase?
Assuming you're using symmetric encryption, you will keep previous backup chains files encrypted with the old passphrase which won't be stored into the cache with the new passphrase since they won't be decrypted.
You will need to run many PASSPHRASE=old duplicity
, PASSPHRASE=new duplicity
in order to recache all files (assuming a new machine scenario) and could easily reach an impossibility to restore your latest backups.
The best method is probably: cleanup first and start a brand new full backup chain using the new passphrase.
All you need to do is to force a new full backup:
env PASSPHRASE='new' duplicity [options...] full $SRC $DST
The reason is that all backups in each chain must use the same passphrase.
In case you were wondering, if you need to restore, you need to pass the $PASSPHRASE
of the chain you're restoring:
# Restore last backup
env PASSPHRASE='new' duplicity [options...] restore $DST ./today
# Restore yesterday's backup
env PASSPHRASE='old' duplicity [options...] --time 1D restore $DST ./yesterday