Why does duplicity need a passphrase for OpenPGP encryption?

Solution 1:

You're right: encryption only requires the public key, which is not protected by a passphrase.

There are two reasons Duplicity might require the private key passphrase:

  • You ask duplicity to not only encrypt the backup, but also sign it. Signing is a private key operation (and thus requires the passphrase).
  • Duplicity needs to fetch the (encrypted) metadata from the remote location, because the local copy is wrong/out of sync. Decryption is also a private key operation and requires the passphrase.