Michael's Daemonic Doodles

...blogging bits of BSD

Creating backup signature keys using GnuPG batch mode

I'm currently working on a new backup setup using duplicity (sysutils/duplicity). For this purpose I'm using separate keys for encrypting and signing the backup. Each host has its own signature key which enables the backup server to verify the integrity and authenticity of the backup. Since the backup is performed automatically, these keys should have no pass-phrase set. Using batch mode (and a little bit of python - duplicity is written in python anyway) creating signature keys is easy to do and doesn't require the installation of any of the pin-entry ports for GnuPG.

The following Python script (genbackupsignkey.py) can be used to automate the process (written and tested using Python 2.7):

#!/usr/bin/env python

import subprocess
import sys
import tempfile

if len(sys.argv) != 2:
  sys.stderr.write("Usage "+sys.argv[0]+" <hostname>\n")
  sys.exit(254)

hostname = sys.argv[1]

# Write the parameter file for unattended key generation. No "Passphrase:"
# line is given, so (with the GnuPG 2.0 setup used here) the key is created
# without a pass-phrase, which is what the automated backup job needs.
config = tempfile.NamedTemporaryFile()
config.write('''%echo generating backup signing key for "'''+hostname+'''"
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: '''+hostname+''' backup signing key
Name-Comment: only for signing backups
Name-Email: backupsign@'''+hostname+'''
Expire-Date: 0
%commit
%echo done. key email is: backupsign@'''+hostname+'''
''')
config.flush()

# Generate the key in batch mode, then export the ASCII-armored public key
# to stdout so it can be handed to the backup server.
subprocess.check_call(["gpg", "--batch", "--gen-key", config.name])
sys.stdout.write("\nPublic key is:\n")
subprocess.check_call(["gpg", "-a", "--export", "backupsign@"+hostname])

The script is used like this (the resulting public key is exported to stdout, so it can be copied and pasted easily):

[root ~]# ./genbackupsignkey.py testserver
gpg: generating backup signing key for "testserver"
gpg: key D966CB30 marked as ultimately trusted
gpg: done. key email is: backupsign@testserver

Public key is:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.11 (FreeBSD)

-----END PGP PUBLIC KEY BLOCK-----
[root ~]#

Test the signing key:

[root ~]# gpg -b -u backupsign@testserver -o t.sig /etc/passwd
[root ~]# gpg --verify t.sig /etc/passwd
gpg: Signature made Tue Jun  5 19:17:49 2012 CEST using RSA key ID D966CB30
gpg: Good signature from "testserver backup signing key (only for signing backups) <backupsign@testserver>"
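As an added example (not the post's script), here is a Python 3 variant of the same batch-mode generation that afterwards checks the created key against the intended profile (sign-only, non-expiring, 4096-bit RSA, expected user ID) using gpg's machine-readable --with-colons listing, so a mis-generated key is caught before backups depend on it. The %no-protection control statement (needed on GnuPG 2.1 and later to get a key without a passphrase; GnuPG 2.0 as used in the post does not need it), the dedicated --homedir argument and the check thresholds are assumptions, not taken from the post.

```python
import subprocess, sys, tempfile

def batch_params(hostname):
    """Parameter file for gpg --batch --gen-key, mirroring the post's template.
    %no-protection is what GnuPG 2.1+ needs for a passphrase-less key (assumed)."""
    return (f'%echo generating backup signing key for "{hostname}"\n'
            '%no-protection\n'
            'Key-Type: RSA\nKey-Length: 4096\nKey-Usage: sign\n'
            f'Name-Real: {hostname} backup signing key\n'
            'Name-Comment: only for signing backups\n'
            f'Name-Email: backupsign@{hostname}\nExpire-Date: 0\n%commit\n')

def parse_colons(listing):
    """Parse a --with-colons key listing; field 12 = capabilities (lowercase: this key)."""
    keys, uids = [], []
    for f in (line.split(':') for line in listing.splitlines()):
        if f[0] in ('pub', 'sub'):
            keys.append({'type': f[0], 'bits': int(f[2]), 'algo': f[3],
                         'keyid': f[4], 'expires': f[6], 'caps': f[11]})
        elif f[0] == 'uid':
            uids.append(f[9])
    return keys, uids

def check_signing_key(listing, hostname, min_bits=4096):
    """Violations of the profile the template aims at: sign-only, non-expiring RSA."""
    keys, uids = parse_colons(listing)
    if not keys:
        return ['no key found']
    checks = [
        ('s' not in keys[0]['caps'], 'primary key cannot sign'),
        (any('e' in k['caps'] for k in keys), 'encryption capability present'),
        (any(k['expires'] for k in keys), 'key expires (template uses Expire-Date: 0)'),
        (any(k['algo'] != '1' or k['bits'] < min_bits for k in keys), f'not RSA >= {min_bits} bits'),
        (not any(f'<backupsign@{hostname}>' in u for u in uids), 'expected user ID missing'),
    ]
    return [msg for bad, msg in checks if bad]

def generate_and_list(hostname, homedir):
    """Create the key in a dedicated GnuPG homedir and return its colon listing."""
    gpg = ['gpg', '--homedir', homedir, '--batch']
    with tempfile.NamedTemporaryFile('w', suffix='.params') as params:
        params.write(batch_params(hostname))
        params.flush()
        subprocess.check_call(gpg + ['--gen-key', params.name])
    return subprocess.check_output(
        gpg + ['--with-colons', '--list-keys', f'backupsign@{hostname}'], text=True)

if __name__ == '__main__':
    host, homedir = sys.argv[1], sys.argv[2]
    print(check_signing_key(generate_and_list(host, homedir), host) or 'key OK')
```

Run as `./genbackupsignkey3.py testserver /var/backups/gnupg` (assumed names); an empty list from check_signing_key means the key matches the profile.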

Batch mode provides many more useful features, check the official GPG manual on automatic key creation for details.