barman.encryption module

This module manages the encryption features of Barman.

class barman.encryption.Encryption(path=None)

Bases: ABC

Abstract class for handling encryption.

Variables:

NAME – The name of the encryption

NAME = None

__init__(path=None)

Constructor.

Parameters:

path (None|str) – An optional path to prepend to the system PATH when locating binaries.

_abc_impl = <_abc._abc_data object>

abstractmethod decrypt(file, dest, **kwargs)

Decrypts a given file.

Parameters:
  • file (str) – The full path to the file to be decrypted.

  • dest (str) – The destination directory for the decrypted file.

Returns str:

The path to the decrypted file.

abstractmethod encrypt(file, dest)

Encrypts a given file.

Parameters:
  • file (str) – The full path to the file to be encrypted

  • dest (str) – The destination directory for the encrypted file

Returns str:

The path to the encrypted file

abstractmethod static recognize_encryption(filename)

Check whether a file is encrypted with this class's encryption algorithm.

Parameters:

filename (str) – The path to the file to be checked

Returns bool:

True if the encryption type is recognized, False otherwise

class barman.encryption.EncryptionManager(config, path=None)

Bases: object

Manager class to validate encryption configuration and initialize instances of barman.encryption.Encryption.

Variables:

REGISTRY – The registry of available encryption classes. Each key is a supported config.encryption algorithm. The corresponding value is a tuple of 3 items: the respective class of the encryption algorithm, a method used to validate the config object for its respective encryption, and a method used to instantiate the class used by the algorithm.

REGISTRY = {'gpg': (<class 'barman.encryption.GPGEncryption'>, '_validate_gpg', '_initialize_gpg')}

__init__(config, path=None)

Initialize an encryption manager instance.

Parameters:
  • config (barman.config.ServerConfig) – A server configuration object

  • path (None|str) – An optional path to prepend to the system PATH when locating binaries

_initialize_gpg()

Initialize a GPG encryption instance.

Returns:

barman.encryption.GPGEncryption instance

_validate_gpg()

Validate required configuration for GPG encryption.

Raises:

ValueError – If the configuration is invalid

get_encryption(encryption=None)

Get an encryption instance for the requested encryption type.

Parameters:

encryption (None|str) – The encryption requested. If not passed, falls back to config.encryption. This flexibility is useful for cases where encryption is disabled midway, i.e. no longer present in config, but an encryption instance is still needed, e.g. for decrypting an old backup.

Returns None|barman.encryption.Encryption:

The respective encryption instance, if encryption is set, otherwise None.

Raises:

ValueError – If the encryption handler is unknown

classmethod identify_encryption(filename)

Try to identify the encryption algorithm of a file.

Parameters:

filename (str) – The path of the file to identify

Returns:

The encryption name, if found

validate_config()

Validate the configuration parameters against the present encryption.

Raises:

ValueError – If the configuration is invalid for the present encryption
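The registry dispatch and the get_encryption fallback described above, as an added stand-alone sketch that is not Barman's own code. DemoConfig, DemoGPG, DemoManager, the key_id attribute and the error messages are hypothetical stand-ins; only the shape of REGISTRY and the documented return and raise behaviour come from this page.

```python
# Added illustration of the registry dispatch described above; not Barman's code.
class DemoConfig:
    """Hypothetical stand-in for barman.config.ServerConfig."""

    def __init__(self, encryption=None, key_id=None):
        self.encryption = encryption  # e.g. "gpg", or None when disabled
        self.key_id = key_id          # assumed attribute name


class DemoGPG:
    """Hypothetical stand-in for GPGEncryption; performs no real encryption."""
    NAME = "gpg"

    def __init__(self, key_id=None):
        self.key_id = key_id

    def can_encrypt(self):
        # Mirrors the documented note: a key ID is only needed for encrypting.
        return self.key_id is not None


class DemoManager:
    # name -> (class, validator method name, initializer method name)
    REGISTRY = {"gpg": (DemoGPG, "_validate_gpg", "_initialize_gpg")}

    def __init__(self, config):
        self.config = config

    def _validate_gpg(self):
        if not self.config.key_id:
            raise ValueError("gpg encryption is set but no key ID is configured")

    def _initialize_gpg(self):
        return DemoGPG(key_id=self.config.key_id)

    def _resolve(self, name, index):
        if name not in self.REGISTRY:
            raise ValueError("unknown encryption handler: %r" % name)
        return getattr(self, self.REGISTRY[name][index])

    def validate_config(self):
        if self.config.encryption is not None:
            self._resolve(self.config.encryption, 1)()

    def get_encryption(self, encryption=None):
        name = encryption or self.config.encryption
        return None if name is None else self._resolve(name, 2)()
```

Calling get_encryption("gpg") on a manager whose config no longer sets encryption still returns a handler, which is the "decrypt an old backup" case from the parameter description.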

class barman.encryption.GPGEncryption(key_id=None, path=None)

Bases: Encryption

Implements the GPG encryption and decryption logic.

Variables:

NAME – The name of the encryption

NAME = 'gpg'

__init__(key_id=None, path=None)

Initialize a GPGEncryption instance.

Note

If encrypting, a GPG key ID is required and is used throughout the instance’s lifetime.

Parameters:
  • key_id (None|str) – A valid key ID of an existing GPG key available in the system. Only used for encryption.

  • path (None|str) – An optional path to prepend to the system PATH when locating GPG binaries

_abc_impl = <_abc._abc_data object>

decrypt(file, dest, **kwargs)

Decrypts a file using GPG and a provided passphrase.

This method uses GPG to decrypt a given file and writes the decrypted file under the dest directory. The decryption process requires a valid passphrase, which is passed through the passphrase keyword argument. If the decryption fails due to an incorrect or missing passphrase, appropriate exceptions are raised.

Parameters:
  • file (str) – The full path to the file to be decrypted.

  • dest (str) – The destination directory for the decrypted file.

  • passphrase (bytearray) – The passphrase used to decrypt the file.

Returns str:

The path to the decrypted file.

Raises:

ValueError – If no passphrase is provided or if the passphrase is incorrect.

encrypt(file, dest)

Encrypts a given file.

Parameters:
  • file (str) – The full path to the file to be encrypted

  • dest (str) – The destination directory for the encrypted file

Returns str:

The path to the encrypted file

static recognize_encryption(filename)

Check whether a file is encrypted with this class's encryption algorithm.

Parameters:

filename (str) – The path to the file to be checked

Returns bool:

True if the encryption type is recognized, False otherwise
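This page does not say how recognize_encryption inspects a file. One way to make such a check, shown as an added example that is not Barman's implementation, is to read the first OpenPGP packet header (RFC 4880) and test for the packet types that open an encrypted message. The function names and the sample bytes are constructed for the illustration.

```python
# Added illustration: a header heuristic, not Barman's recognize_encryption.
import os
import tempfile

# OpenPGP packet tags (RFC 4880) that can open an encrypted message.
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, SED, SEIPD
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def first_packet_tag(first_byte):
    """Return the packet tag encoded in an OpenPGP header byte, or None."""
    if not first_byte & 0x80:        # bit 7 is set in every packet header
        return None
    if first_byte & 0x40:            # new format: tag is bits 5-0
        return first_byte & 0x3F
    return (first_byte & 0x3C) >> 2  # old format: tag is bits 5-2


def looks_gpg_encrypted(filename):
    """Inspect only the leading bytes; nothing is decrypted or verified."""
    with open(filename, "rb") as handle:
        head = handle.read(len(ARMOR_HEADER))
    if not head:
        return False                 # empty file
    if head.startswith(ARMOR_HEADER):
        return True                  # ASCII-armored message
    return first_packet_tag(head[0]) in ENCRYPTED_TAGS


def demo_results():
    """Run the check over constructed sample headers (not real ciphertext)."""
    samples = {
        "pkesk_old_format": bytes([0x85, 0x01, 0x0C]) + bytes(8),
        "pkesk_new_format": bytes([0xC1, 0x5E]) + bytes(8),
        "armored": ARMOR_HEADER + b"\n\n",
        "pgp_public_key": bytes([0x99, 0x01, 0x0D]) + bytes(8),
        "gzip": b"\x1f\x8b\x08\x00",
        "empty": b"",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as handle:
                handle.write(data)
            results[name] = looks_gpg_encrypted(path)
    return results
```

A match only means the file starts like an OpenPGP encrypted message; an unrelated file whose first byte happens to encode one of these tags would also match, so the result is a routing hint, not proof of encryption.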

barman.encryption.get_passphrase_from_command(command)

Execute a shell command to retrieve a passphrase.

This function runs the given shell command, captures its standard output, and returns the value as a bytearray. It’s commonly used to retrieve a decryption passphrase in non-interactive workflows.

Parameters:

command (str) – The shell command to execute.

Returns:

The passphrase from the command output.

Return type:

bytearray

Raises: