
Re encrypt remote back end files

wjansenw edited this page Jan 14, 2020 · 1 revision

If you really want to, you can re-encrypt your database to change the encryption settings. You can go from any encryption (or no encryption) to any other settings you want, but only rsa->asymmetric gpg will be shown here since it is a bit more involved.

First, you need to install some dependencies: python3, pip3, gpg:

sudo apt install python3 python3-pip gnupg

Then, you need the python dependencies:

sudo pip3 install pyAesCrypt python-gnupg

Generate a private key if you don't have one yet:

gpg --gen-key

Download the script that is used to re-encrypt your database:

wget https://raw.githubusercontent.com/duplicati/duplicati/master/Tools/Commandline/ReEncrypt/ReEncrypt.py

Download the default config too (or start from scratch):

wget https://raw.githubusercontent.com/duplicati/duplicati/master/Tools/Commandline/ReEncrypt/config.txt

Then edit the config. Set "recipients" to the name you entered while generating the key, and use a different location for the new backup than for the original. Now, re-encrypt your data (this may take a while):

python3 ReEncrypt.py -c config.txt

Optionally back up your backup settings by exporting them and the local database. Change the encryption to GPG and set the password to something meaningless. It won't be used. Go to "Options" and add the following advanced options:

gpg-encryption-command: "--encrypt"
gpg-decryption-command: "--decrypt"
gpg-encryption-switches: "--recipient my_email@mail.com"

Save your changes and confirm that you are brave. Delete and rebuild your local database. If everything works correctly you will be asked to enter the password of the GPG key you are using. Verify your database.

Now, run a backup. You shouldn't be asked for the password. Optionally try restoring parts of the backup to make really sure it isn't broken.

Now, delete the original backup. You are done.
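
A check to run before deleting the original backup, as an added example that is not part of the original page or of the Duplicati project: it confirms that every volume in the original location has a non-empty counterpart in the new one. It assumes both locations are reachable as local directories, the default duplicati- file prefix, and volume names ending in .aes or .gpg; the function names and check.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not Duplicati code): compare original and re-encrypted
# backup directories before the original is deleted.
# Assumptions: local paths, default "duplicati-" prefix, .aes/.gpg suffixes.

# Drop the encryption suffix so x.zip.aes and x.zip.gpg compare equal.
volume_stem() {
    case "$1" in
        *.aes) printf '%s\n' "${1%.aes}" ;;
        *.gpg) printf '%s\n' "${1%.gpg}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Print one line per problem; succeed only when there are none.
# The body runs in a subshell so its variables stay private.
check_reencrypted() (
    old_dir=$1; new_dir=$2; problems=0
    for old in "$old_dir"/duplicati-*; do
        [ -f "$old" ] || continue
        stem=$(volume_stem "$(basename "$old")")
        if [ ! -f "$new_dir/$stem.gpg" ]; then
            echo "MISSING $stem.gpg"; problems=$((problems + 1))
        elif [ ! -s "$new_dir/$stem.gpg" ]; then
            echo "EMPTY $stem.gpg"; problems=$((problems + 1))
        fi
    done
    # Anything in the new location that is not a .gpg volume is suspect,
    # for example a file copied over without being re-encrypted.
    for new in "$new_dir"/duplicati-*; do
        [ -f "$new" ] || continue
        case "$new" in
            *.gpg) ;;
            *) echo "NOT-GPG $(basename "$new")"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
)

# Usage: sh check.sh /path/to/original /path/to/reencrypted
if [ "$#" -eq 2 ]; then
    check_reencrypted "$1" "$2"
fi
```

A clean result only shows that the file sets match; restoring part of the backup, as described above, is what shows the new volumes actually decrypt.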

Hints

  • Don't forget to back up your private key somewhere too. Without it, you can't restore your backup.
  • The Python script will decrypt all files from the backup to a temporary location. Mount /tmp in RAM to increase performance by quite a bit.