On Fri, Jun 24, 2011 at 7:48 AM, Chris Poole
<address@hidden> wrote:
Here's my understanding of how GPG works:
1. Generate a random key. (This is what I was calling the 'session key'.)
2. Use generated random key to symmetrically encrypt plaintext
3. Use public key to encrypt the random key generated in (1)
4. Glue the encrypted data in (2) to the encrypted key in (3), together forming
the output
That's how PGP works. I looked up GPG and could find no reference to session key or similar.
As such, my assumption is that Duplicity assembles a plaintext volume, which is
then run though GPG before being uploaded somewhere.
Then it grabs more plaintext data, packs it into a volume of a certain size
again, and runs GPG again. As such, each volume will have a different 'session
key' generated.
That is correct, except for the session key.
My question really pertains to how Duplicity, or perhaps how the GPG library
that it uses, works. I assume it doesn't start up GPG, generate a session key
once, then somehow keep that session going such that each volume uses the same
random key for all the symmetric encryption.
I've never used the GPG library though, just the standard CLI program, so I'm
unsure.
There is no GPG library per se, at least from Gnu, so duplicity is forced to go through the CLI as well.
Note, there may be one now. There was not when duplicity was first written.
(Perhaps it's a daft question and there's no way GPG would ever be made to do
this, I'm just curious. (Fortunately I'm not a cat.))