Duplicity backups with PGP fail: "Unusable public key"


I am trying to create an ansible role to automate backups. However, it fails with the error:

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: ADD3F11Easdsdfs: skipped: public key not found
gpg: [stdin]: encryption failed: public key not found
===== End GnuPG log =====

The PGP key was generated using gpg --gen-key <filename> with these settings:

Key-Type: DSA
Key-Length: 4096
Name-Real: {{ gpg_name }}
Name-Comment: Used primarily for backup encryption on {{ inventory_hostname }}
Name-Email: {{ gpg_email }}
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
%echo done

As you can see, it has no expiry date (so it cannot have expired) and no passphrase. Both properties have been manually verified using the CLI.

This is the command I am using to run duplicity:

duplicity full /var/www gs://backups2/{{ inventory_hostname }} --encrypt-key {{ gpg_email }}

I have also tried using the key ID:

duplicity full /var/www gs://backups2/hostname --encrypt-key ADD3F11E

Any idea what could be going wrong?

Niels

Run gpg --version and /usr/bin/gpg --version and check whether they are the same.

Duplicity might fall back to version 1.x.x, whereas your terminal might have an alias to invoke GnuPG version 2.x.x. In that case the key is created/imported with GnuPG 2, but GnuPG 1 might not know about it(?)

Alternatively, if you would like Duplicity to use GnuPG 2 and you are on Debian (or related), you can divert /usr/bin/gpg2 to /usr/bin/gpg as described here or here. In that case duplicity will be forced to use version 2.

As noted in the reference, diverting might have undesirable side-effects on other programs expecting GnuPG version 1 when they call /usr/bin/gpg.
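A preflight script that does the check this answer describes, added here as an example (it is not part of the thread, of duplicity or of GnuPG): it compares the GnuPG version your shell resolves with the one duplicity will execute, and confirms the key id you pass to --encrypt-key is actually in that binary's public keyring before a backup run. The paths /usr/bin/gpg and the key id are assumed arguments, not values from the thread.

```shell
#!/bin/sh
# Preflight for "GPGError: ... public key not found" from duplicity.
# GnuPG 1.x and 2.x keep separate keyrings, so a key generated by one
# is invisible to the other; check which binary duplicity really runs.

# Take the first line of `gpg --version` (e.g. "gpg (GnuPG) 2.2.27")
# and print only the version number.
gpg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# Major version only ("1" or "2").
gpg_major() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Succeed when two version strings share a major version.
same_major() {
    [ "$(gpg_major "$1")" = "$(gpg_major "$2")" ]
}

# Version reported by a concrete binary (aliases are bypassed).
gpg_binary_version() {
    gpg_version_from_banner "$("$1" --version 2>/dev/null | head -n 1)"
}

# Succeed when the key id is in the public keyring seen by that binary.
key_known_to() {
    "$1" --batch --list-keys "$2" >/dev/null 2>&1
}

# preflight KEYID [GPG_FOR_SHELL] [GPG_FOR_DUPLICITY]
# Defaults (assumed): shell gpg from PATH, duplicity gpg at /usr/bin/gpg.
preflight() {
    key="$1"
    shell_gpg="${2:-$(command -v gpg)}"
    dup_gpg="${3:-/usr/bin/gpg}"
    sv="$(gpg_binary_version "$shell_gpg")"
    dv="$(gpg_binary_version "$dup_gpg")"
    echo "shell gpg:     $shell_gpg ($sv)"
    echo "duplicity gpg: $dup_gpg ($dv)"
    same_major "$sv" "$dv" ||
        echo "MISMATCH: different GnuPG majors, separate keyrings" >&2
    if key_known_to "$dup_gpg" "$key"; then
        echo "key $key is visible to $dup_gpg"
    else
        echo "key $key NOT visible to $dup_gpg: export it from $shell_gpg and import it there" >&2
        return 1
    fi
}
```

Run it as `preflight ADD3F11E` before the duplicity command; if it reports a mismatch, either import the key into the keyring of the gpg duplicity uses, or point duplicity at the GnuPG 2 binary with its --gpg-binary option instead of diverting /usr/bin/gpg system-wide.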