|
|
| Line 1: |
Line 1: |
| See {{man|8|amcrypt}}. | | See {{man|8|amcrypt}}. |
|
| |
| Below are notes about setting up amcrypt under Solaris 5.10 with Amanda 2.6.0p2
| |
|
| |
| * Download gnupg-1.4.8 and build from sources. The sunfreeware version of gnupg did not pass the aespipe tests.
| |
| * Install aespipe: It is important to run the aespipe tests. If the aespipe tests fail, then running amcrypt might fail with "Error: gpg key file decryption failed". As root, run:
| |
|
| |
| wget http://loop-aes.sourceforge.net/aespipe-latest.tar.bz2
| |
| gtar -jxf downloads/aespipe-latest.tar.bz2
| |
| cd aespipe-v2.3e/
| |
| ./configure
| |
| gmake
| |
| gmake tests
| |
| gmake install
| |
|
| |
| * Solaris: As root, install coreutils from http://www.sunfreeware.com so that head and tail have the -c argument. If this head and tail are not updated, then the amdump.1 log file might contain:
| |
| yourhost.yourdomain.com /dev/dsk/c1t0d0s0 lev 0 FAILED [data write: Broken pipe]
| |
|
| |
| * Solaris: As root, edit ~dumper/amanda/sbin/amaespipe so that it uses /usr/local/bin/head and /usr/local/bin/tail. Also, change the tr command to use [:digit:] and [:alnum:]:
| |
| #! /bin/bash
| |
| #
| |
| # Copyright (c) 2005 Zmanda Inc. All Rights Reserved.
| |
| #
| |
| # This program is free software; you can redistribute it and/or modify it
| |
| # under the terms of the GNU General Public License version 2 as published
| |
| # by the Free Software Foundation.
| |
| #
| |
| # This program is distributed in the hope that it will be useful, but
| |
| # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
| |
| # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
| |
| # for more details.
| |
| #
| |
| # You should have received a copy of the GNU General Public License along
| |
| # with this program; if not, write to the Free Software Foundation, Inc.,
| |
| # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
| |
| #
| |
| # Contact information: Zmanda Inc, 505 N Mathlida Ave, Suite 120
| |
| # Sunnyvale, CA 94085, USA, or: http://www.zmanda.com
| |
| #
| |
|
| |
| prefix="/usr/local/amanda-2.6.0p2"
| |
| exec_prefix="${prefix}"
| |
| sbindir="/usr/local/amanda-2.6.0p2/sbin"
| |
| amlibexecdir="/usr/local/amanda-2.6.0p2/libexec/amanda"
| |
| . "${amlibexecdir}/amanda-sh-lib.sh"
| |
|
| |
| # add sbin and ucb dirs
| |
| PATH="$PATH:/usr/sbin:/sbin:/usr/ucb"
| |
| export PATH
| |
|
| |
| # wrapper script to use aespipe
| |
| # based on bz2aespipe distributed by aespipe from
| |
| # http://loop-aes.sourceforge.net/
| |
| # FILE FORMAT
| |
| # 10 bytes: constant string 'bz2aespipe'
| |
| # 10 bytes: itercountk digits
| |
| # 1 byte: '0' = AES128, '1' = AES192, '2' = AES256
| |
| # 1 byte: '0' = SHA256, '1' = SHA384, '2' = SHA512, '3' = RMD160
| |
| # 24 bytes: random seed string
| |
| # remaining bytes are aespipe encrypted
| |
|
| |
| # These definitions are only used when encrypting.
| |
| # Decryption will autodetect these definitions from archive.
| |
| ENCRYPTION=AES256
| |
| HASHFUNC=SHA256
| |
| ITERCOUNTK=100
| |
| WAITSECONDS=1
| |
| AMANDA_HOME=/users/dumper
| |
| GPGKEY="$AMANDA_HOME/.gnupg/am_key.gpg"
| |
| FDNUMBER=3
| |
|
| |
| if test x$1 = x-d ; then
| |
| # decrypt
| |
| #n=`/usr/local/bin/head -c 10 - | tr -d -c 0-9a-zA-Z`
| |
| n=`/usr/local/bin/head -c 10 - | /usr/bin/tr -d -c '[:alnum:]'`
| |
| if test x${n} != xbz2aespipe ; then
| |
| echo `_ 'bz2aespipe: wrong magic - aborted'` >/dev/tty
| |
| exit 1
| |
| fi
| |
| #itercountk=`/usr/local/bin/head -c 10 - | tr -d -c 0-9`
| |
| itercountk=`/usr/local/bin/head -c 10 - | /usr/bin/tr -d -c '[:digit:]'`
| |
| if test "x${itercountk}" = x ; then itercountk=0; fi
| |
| #n=`/usr/local/bin/head -c 1 - | tr -d -c 0-9`
| |
| n=`/usr/local/bin/head -c 1 - | /usr/bin/tr -d -c '[:digit:]'`
| |
| encryption=AES128
| |
| if test x${n} = x1 ; then encryption=AES192; fi
| |
| if test x${n} = x2 ; then encryption=AES256; fi
| |
| #n=`/usr/local/bin/head -c 1 - | tr -d -c 0-9`
| |
| n=`/usr/local/bin/head -c 1 - | /usr/bin/tr -d -c '[:digit:]'`
| |
| hashfunc=SHA256
| |
| if test x${n} = x1 ; then hashfunc=SHA384; fi
| |
| if test x${n} = x2 ; then hashfunc=SHA512; fi
| |
| if test x${n} = x3 ; then hashfunc=RMD160; fi
| |
| #seedstr=`/usr/local/bin/head -c 24 - | tr -d -c 0-9a-zA-Z+/`
| |
| seedstr=`/usr/local/bin/head -c 24 - | /usr/bin/tr -d -c '[:alnum:]'/`
| |
| #echo "aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -S ${seedstr} -C ${itercountk} -d" >> /tmp/amaespipe
| |
| aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -S ${seedstr} -C ${itercountk} -d
| |
| else
| |
| # encrypt
| |
| echo -n bz2aespipe
| |
| echo ${ITERCOUNTK} | awk '{printf "%10u", $1;}'
| |
| #n=`echo ${ENCRYPTION} | tr -d -c 0-9`
| |
| n=`echo ${ENCRYPTION} | /usr/bin/tr -d -c '[:digit:]'`
| |
| aesstr=0
| |
| if test x${n} = x192 ; then aesstr=1; fi
| |
| if test x${n} = x256 ; then aesstr=2; fi
| |
| n=`echo ${HASHFUNC} | /usr/bin/tr -d -c '[:digit:]'`
| |
| hashstr=0
| |
| if test x${n} = x384 ; then hashstr=1; fi
| |
| if test x${n} = x512 ; then hashstr=2; fi
| |
| if test x${n} = x160 ; then hashstr=3; fi
| |
| seedstr=`/usr/local/bin/head -c 18 /dev/urandom | uuencode -m - | /usr/local/bin/head -n 2 | /usr/local/bin/tail -n 1`
| |
| echo -n ${aesstr}${hashstr}${seedstr}
| |
| #echo "encrypt: aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}" >> /tmp/amaespipe
| |
| aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
| |
| fi
| |
| exit 0
| |
|
| |
| * As dumper, create the keys, which are then encrypted:
| |
| mkdir ~/.gnupg
| |
| chmod 0700 ~/.gnupg
| |
| /usr/local/bin/head -c 5000 /dev/random | uuencode -m - | /usr/local/bin/head -n 66 | /usr/local/bin/tail -n 65 | gpg --symmetric -a > ~dumper/.gnupg/am_key.gpg
| |
|
| |
| Note that the amcrypt man page says to get 2925 characters. This is not enough since when the text is uuencoded, the header will look like:
| |
|
| |
| begin-base64 644 -
| |
|
| |
| The problem is that the line is not 20 characters long. Instead, we get 5000 characters and then grab 65 lines that are at least 20 characters long. This problem ends up causing the "Error: gpg key file decryption failed" message.
| |
| * As dumper, stash the passphrased used above
| |
| echo "mysecretpassphrase" > ~dumper/.am_passphrase
| |
| chown dumper ~dumper/.am_passphrase
| |
| chmod 0700 ~dumper/.am_passphrase
| |
|
| |
| * Check the test Amanda configuration. The disktype in amanda.conf should include:
| |
| encrypt server
| |
| server_encrypt "/usr/local/amanda/sbin/amcrypt"
| |
| server_decrypt_option "-d"
| |
|
| |
| * Try the test dump:
| |
| amcheck test
| |
| amdump test
| |