If you are experiencing problems with Déjà Dup not accepting your encryption passphrase, here are some instructions on how to proceed.
Am I Affected by This?
Do you see Déjà Dup constantly asking for your passphrase? Or refusing to accept the correct passphrase?
Or do you see errors like the following?
GPGError: GPG Failed, see log below: ===== Begin GnuPG log ===== gpg: AES encrypted data gpg: encrypted with 1 passphrase gpg: decryption failed: Bad session key ===== End GnuPG log =====
If so, you are likely affected.
How to Confirm the Issue
First, if your backup files are on another server or on Google Drive, download the backup files to a local folder.
Then run the following command, replacing $BACKUPFOLDER with the path to the folder with your backup folders and $PASSPHRASE with your encryption passphrase:
for i in /$BACKUPFOLDER/*; do echo $i; if gpg --passphrase=$PASSPHRASE --batch --pinentry-mode=loopback --decrypt $i >/dev/null 2>/dev/null; then echo -e "^ \033[0;32mcorrect passphrase\033[0m"; else echo -e "^ \033[0;31mwrong passphrase\033[0m"; fi; done
If you see that some of the files have the correct passphrase and some have the wrong passphrase, you are affected by this bug.
Duplicity, the underlying backup program that Déjà Dup calls, does not always validate that the encryption passphrase used for a backup is the same one used on the previous backup. This is bug 918489.
- Déjà Dup used to not clear out a saved encryption password from your keyring when you entered a passphrase without asking for it to be remembered. Which would cause a saved default passphrase to be lurking on the system, although you backed up with a new passphrase. This has been fixed since 39.1.
- Even if you never saved your passphrase, you may have made a typo one of the times you entered it. In which case, that new passphrase would be used for those backup files. This has been fixed since 39.1.
The result of all three of these problems together means that pieces of your chain of backup volumes might be encrypted with different passwords than other parts.
How to Recover
If you are not actively trying to restore a file, (1) see below to upgrade deja-dup to avoid the problem in the future and then either (2) delete the files with the wrong passphrase and any backup files after them to clean up your backups or (3) just start backing up to a new folder.
Discover the Wrong Passphrase
It’s possible that you could discover what wrong password was used.
- Open up your password manager (search for “Passwords and Keys” in your app launcher). Look for a password entry called “Backup encryption password”. Open it up and click the “Show password” checkbox. Does that passphrase match what you thought your passphrase was? If not, that is probably the wrong passphrase that got used.
- It might be a typo version of your regular passphrase. Try a few common typo versions using the command below, replacing $BACKUPFILE with the path to one of the files that has a wrong passphrase, and $PASSPHRASE with the typo version you are trying:
if gpg --passphrase=$PASSPHRASE --batch --pinentry-mode=loopback --decrypt $BACKUPFILE >/dev/null 2>/dev/null; then echo -e "\033[0;32mpassphrase worked\033[0m"; else echo -e "\033[0;31mpassphrase did not work\033[0m"; fi
If you can't figure out what the wrong passphrase was, that's still OK. You can hopefully still recover the files you care about.
Manually Unpack the Files You Care About
Unfortunately, we have to perform some surgery on the chain of backup volumes. The bottom section of the Worst Case page has instructions on how to manually unpack volumes.
If you know the wrong passphrase, you can decrypt all the files needed when manually unpacking.
If you don't know the wrong password, you are going to have to skip some backup volumes. Because duplicity stores patches to files (rather than full snapshots every backup), skipping volumes might create problems when trying to patch files later. But if you're lucky, you will be able to get all the data you need.
Upgrade Déjà Dup to Avoid This Bug in the Future
You want to upgrade to version 39.1 or later.
The easiest way to get the latest stable release is by installing the snap release:
snap install deja-dup --classic