Duplicity restore failing: No secret key

I'm setting up a backup from a local machine to a remote server.
I generated gpg keys on the local machine and ran a test backup with:

PASSPHRASE="MyGPGPassphrase" duplicity --encrypt-key KeyID test scp://user@server/path

The backup seems to work fine, three files are created on the server.

My problem is I can't get the restore to work.
I deleted the test file on the local machine and try to restore it with:

PASSPHRASE="MyGPGPassphrase" duplicity --encrypt-key KeyID scp://user@server/path test

I get the following error:

Synchronizing remote metadata to local cache...
Copying duplicity-full-signatures.20151011T011134Z.sigtar.gpg to local cache.
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: encrypted with 2048-bit RSA key, ID KeyID(of ssb), created 2015-10-11
"Name <email>"
gpg: public key decryption failed: Inappropriate ioctl for device
gpg: decryption failed: No secret key
===== End GnuPG log =====

I exported the gpg keys on the local machine with:
gpg --export-secret-key KeyID > secret.key
gpg --armor --export KeyID > public.key

And imported them on the server with:
gpg --import secret.key
gpg --import public.key

Is there anything else that needs to be done for the restore to work?

Edit:
If I execute the command without the PASSPHRASE env (duplicity --encrypt-key KeyID test scp://user@host/path), the backup is created anyway without asking for the passphrase.

Output of file duplicity-full.20151011T115714Z.vol1.difftar.gpg lists a different KeyID than the one specified in --encrypt-key. I don't have the listed key in my keyring.


Solution 1:

The problem is, like the linked post stated, that gpg 2.1 retires passphrase from pipe for key auth.
The gpg agent needs to be enabled and configured for the restore to work.

Add the following to ~/.gnupg/gpg.conf:

use-agent
pinentry-mode loopback

And to your ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-gtk-2
allow-loopback-pinentry

Then restart the agent with echo RELOADAGENT | gpg-connect-agent.

The restore works even if the keys are only on the local machine. I still don't get why it does not ask for the passphrase when making incrementals, though.

Solution 2:

Are you using gpg 2.1? If yes, duplicity and gpg need some extra parameters if you want to deliver the passphrase via env var.
https://lists.launchpad.net/duplicity-team/msg02653.html

Alternatively simply do not set PASSPHRASE and gpg-agent will ask you and memorize the secret for you.

Solution 3:

I have had this issue when using sudo to execute duplicity, which makes it search for the private key in root's home directory. Not finding the private key there, the "No secret key" error appears and, at least for me, it was not immediately clear why.

The simplest solution to this problem was to avoid using sudo, in my case by setting the correct permissions on the destination directory.

If sudo is a must, then the appropriate GPG options need to be set so it uses the user's GPG keychain: adding --gpg-options "~user/.gnupg" to the duplicity command, as stated in this answer.

Maybe this helps someone else :-)
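As an added example (not code from the original thread or from the duplicity project), the following POSIX shell script applies the gpg.conf / gpg-agent.conf settings from Solution 1 idempotently, checks whether the installed gpg version is one that needs loopback pinentry for a piped passphrase, and resolves the keyring-location problem from Solution 3 when duplicity runs under sudo. The pinentry program path and the getent-based home lookup are assumptions; adjust them to the system at hand.

```shell
#!/bin/sh
# Added example, not from the original thread: prepare a GnuPG home so that
# duplicity can hand PASSPHRASE to gpg >= 2.1 through the agent's loopback
# pinentry (Solution 1) and find the caller's keyring under sudo (Solution 3).
# The pinentry path is an assumption; adjust it to what is installed.
# Exit 0 if gpg version "$1" (e.g. "2.1.11") is >= 2.1, the versions that
# no longer read a piped passphrase without loopback pinentry.
gpg_needs_loopback() {
  v=$1
  case $v in *.*) ;; *) v="$v.0" ;; esac   # "3" -> "3.0"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  [ "$major" -gt 2 ] && return 0
  [ "$major" -eq 2 ] && [ "$minor" -ge 1 ] && return 0
  return 1
}

# Append line "$2" to file "$1" unless that exact line is already present,
# so repeated runs do not duplicate config entries.
ensure_line() {
  if [ -f "$1" ] && grep -qxF -- "$2" "$1"; then
    return 0
  fi
  printf '%s\n' "$2" >> "$1"
}

# Write gpg.conf and gpg-agent.conf under the GnuPG home "$1"
# (default ~/.gnupg) with the settings from Solution 1, then tighten modes.
configure_loopback() {
  home=${1:-$HOME/.gnupg}
  mkdir -p "$home" && chmod 700 "$home"
  ensure_line "$home/gpg.conf" "use-agent"
  ensure_line "$home/gpg.conf" "pinentry-mode loopback"
  ensure_line "$home/gpg-agent.conf" "allow-loopback-pinentry"
  ensure_line "$home/gpg-agent.conf" "pinentry-program /usr/bin/pinentry-gtk-2"
  chmod 600 "$home/gpg.conf" "$home/gpg-agent.conf"
}

# Under sudo, HOME is root's, so gpg would search root's keyring and report
# "No secret key"; return the invoking user's GnuPG home instead (needs getent).
gpg_home_for_caller() {
  if [ -n "${SUDO_USER:-}" ]; then
    printf '%s/.gnupg\n' "$(getent passwd "$SUDO_USER" | cut -d: -f6)"
  else
    printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"
  fi
}

# Make a running agent re-read gpg-agent.conf; pass the home returned above.
reload_agent() { GNUPGHOME=$1 gpg-connect-agent reloadagent /bye; }
```

Typical use is `configure_loopback "$(gpg_home_for_caller)"` followed by `reload_agent "$(gpg_home_for_caller)"`, after which duplicity can be pointed at the same directory with `--gpg-options "--homedir <that path>"`.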