Re: [Duplicity-talk] PASSPHRASE, the environment, memory, etc.

[Charles Duffy]

Neal Clark wrote:
> so I'm not sure how I could specify the --encrypt option to say "use 
> the public key and not the private key and don't ask me for a 
> password." Do I do something on the gpg end, changing the public key's 
> ID somehow or something to that effect (c/f above, only experienced 
> with encrypting e-mails :)

GPG doesn't need the private key to encrypt; it needs the private key to 
*sign*. So what you lose when you get rid of the private key is the 
ability to detect whether your backup has been tampered with (but anyone 
who captures the private key could then tamper with it anyway).

Tell GPG to encrypt without signing, and you should be able to take the 
private key out of your private keyring. (You'll need to keep it 
somewhere to be able to do restores, of course).