[Nusyne]

Attic seems good. Its encryption makes me uneasy (https://github.com/jborg/attic/blob/master/attic/key.py), and I don't feel qualified to review it:

  * use of pkbdf2(passphrase)[0:32] as encryption key?
  * is AES correctly used? there are many pitfalls

I would be much more comfortable with it using gpg for encryption.

[hsivonen]

Using gpg is not so awesome. Obnam uses gpg. Since Obnam invokes gpg in batch mode, if you want to have a passphrase, you have to use gpg-agent, which at least for me took more effort than I found reasonable to set up on a GUIless server.

Furthermore, all the crypto config depends on gpg defaults or your gpg.conf. Whether this is good or bad depends on whether you are OK with gpg's defaults that are chosen for a non-Obnam use case and whether you like tweaking gpg config.

While figuring this out, I started wishing that Obnam used libsodium instead of gpg to avoid configuration and especially gpg-agent. (libsodium didn't exist when Obnam was created.)

[icebraining]

you have to use gpg-agent, which at least for me took more effort than I found reasonable to set up on a GUIless server.

Did you try Keychain¹? I've used it in the past to auto-sign deb packages, and it was simple to set up.

¹ http://www.funtoo.org/Keychain

[hsivonen]

I didn't.

Having to be aware of tools like this is the problem when you face the requirement of having to set up gpg-agent and you don't already know how to do so in an environment where a desktop environment from your distro hasn't done it for you.

[Nusyne]

Duplicity allows using gpg in a rather painless way:

  PASSPHRASE="myBackupGpgKeyPassphrase" duplicity ...

I use one gpg key per machine for backups, so having the passphrase in cleartext on that machine is not much of a problem.

[drKarl]

Good point, and I'm no cryptologist either to find any flaws on it or to verify its robustness... Maybe someone in the community has the required knowledge about encryption to say something about this?