Why does duplicity need a passphrase for OpenPGP encryption?
Solution 1:
You're right, encryption only requires the public key, which is not protected by a passphrase.
There are two reasons Duplicity might require the private key passphrase:
- You ask duplicity to not only encrypt the backup, but also sign it. Signing is a private key operation (and thus requires the passphrase).
- Duplicity needs to fetch the (encrypted) metadata from the remote location, because the local copy is wrong/out of sync. Decryption is also a private key operation and requires the passphrase.
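The asymmetry the answer describes, reproduced with plain gpg in a throwaway keyring (added example, not part of the original answer or of duplicity; it assumes GnuPG 2.1 or later on PATH and uses a constructed identity and passphrase):

```shell
#!/bin/sh
# Encrypting to a public key needs no passphrase; signing and decrypting
# are private-key operations and fail without the correct one.
set -u

demo_passphrase_asymmetry() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid="duplicity-demo@example.invalid"   # constructed test identity
    pw="correct-horse"                     # constructed passphrase

    # Generate a key pair whose private key is protected with $pw.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pw" \
        --quick-gen-key "$uid" default default never >/dev/null 2>&1 || return 1

    printf 'backup volume payload\n' > "$GNUPGHOME/vol.tar"

    # 1. Encrypt only: public-key operation, no passphrase given, succeeds.
    gpg --batch --quiet --yes --trust-model always -r "$uid" \
        -o "$GNUPGHOME/vol.tar.gpg" -e "$GNUPGHOME/vol.tar" >/dev/null 2>&1 \
        && enc=ok || enc=fail

    # 2. Detached signature with a wrong passphrase: private-key operation,
    #    fails (what duplicity hits with --sign-key and no usable PASSPHRASE).
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "wrong" \
        -u "$uid" -o "$GNUPGHOME/vol.sig" -b "$GNUPGHOME/vol.tar" >/dev/null 2>&1 \
        && sign_wrongpw=ok || sign_wrongpw=fail

    # 3. Decrypt with a wrong passphrase: the metadata-resync case, fails.
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "wrong" \
        -o "$GNUPGHOME/vol.out" -d "$GNUPGHOME/vol.tar.gpg" >/dev/null 2>&1 \
        && dec_wrongpw=ok || dec_wrongpw=fail

    # 4. Decrypt with the right passphrase: succeeds.
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$pw" \
        -o "$GNUPGHOME/vol.out" -d "$GNUPGHOME/vol.tar.gpg" >/dev/null 2>&1 \
        && dec_pw=ok || dec_pw=fail

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
    echo "encrypt=$enc sign_wrongpw=$sign_wrongpw decrypt_wrongpw=$dec_wrongpw decrypt_pw=$dec_pw"
}

demo_passphrase_asymmetry
```

The script prints "skipped" when gpg is not installed; otherwise the expected line is `encrypt=ok sign_wrongpw=fail decrypt_wrongpw=fail decrypt_pw=ok`.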