I'm currently working on a new backup setup using duplicity (sysutils/duplicity). For this purpose I'm using separate keys for encrypting and signing the backup. Each host has its own signature key which enables the backup server to verify the integrity and authenticity of the backup. Since the backup is performed automatically, these keys should have no pass-phrase set. Using batch mode (and a little bit of python - duplicity is written in python anyway) creating signature keys is easy to do and doesn't require the installation of any of the pin-entry ports for GnuPG.