|
|
(3 intermediate revisions by one other user not shown) |
Line 1: |
Line 1: |
| NAME
| | See {{man|8|amcrypto-ossl-asym}}. |
| amcrypt-ossl-asym - crypt program for Amanda asymmetric data encryption
| |
| using OpenSSL
| |
| | |
| SYNOPSIS
| |
| amcrypt-ossl-asym [-d]
| |
| | |
| | |
| DESCRIPTION
| |
| amcrypt-ossl-asym uses OpenSSL to encrypt and decrypt data. OpenSSL is
| |
| available from www.openssl.org. OpenSSL offers a wide variety of cipher
| |
| choices ( amcrypt-ossl-asym defaults to 256-bit AES) and can use hard-
| |
| ware cryptographic accelerators on several platforms.
| |
| | |
| | |
| amcrypt-ossl-asym will search for the OpenSSL program in the following
| |
| directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/lo-
| |
| cal/ssl/bin.
| |
| | |
| | |
| GENERATING PUBLIC AND PRIVATE KEYS
| |
| RSA keys can be generated with the standard OpenSSL commands, e.g.:
| |
| | |
| $ cd /var/lib/amanda
| |
| $ openssl genrsa -aes128 -out backup-key.pem 1024
| |
| Generating RSA private key, 1024 bit long modulus
| |
| [...]
| |
| Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
| |
| Verifying - Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
| |
| | |
| $ openssl rsa -in backup-key.pem -pubout -out backup-pubkey.pem
| |
| Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
| |
| Writing RSA key
| |
| .fi
| |
| | |
| | |
| To generate a private key without a passphrase, omit the -aes128 option. See openssl_genrsa(1) for more key generation options.
| |
| | |
| | |
| Note that it is always possible to generate the public key from the private key.
| |
| | |
| | |
| KEY AND PASSPHRASE MANAGEMENT
| |
| amcrypt-ossl-asym uses the public key to encrypt data. The security of
| |
| the data does not depend on the confidentiality of the public key. The
| |
| private key is used to decrypt data, and must be protected. Encrypted
| |
| backup data cannot be recovered without the private key. The private
| |
| key may optionally be encrypted with a passphrase.
| |
| | |
| | |
| While the public key must be online at all times to perorm backups, the
| |
| private key and optional passphrase are only needed to restore data. It
| |
| is recommended that the latter be stored offline all other times. For
| |
| example, you could keep the private key on removable media, and copy it
| |
| into place for a restore; or you could keep the private key online, en-
| |
| crypted with a passphrase that is present only for a restore.
| |
| | |
| | |
| OpenSSL’s key derivation routines use a salt to guard against dictio-
| |
| nary attacks on the pass phrase; still it is important to pick a pass
| |
| phrase that is hard to guess. The Diceware method (see www.dice-
| |
| ware.com) can be used to create passphrases that are difficult to guess
| |
| and easy to remember.
| |
| | |
| | |
| ==FILES==
| |
| /var/lib/amanda/backup-privkey.pem
| |
| File containing the RSA private key. It should not be readable
| |
| by any user other than the Amanda user.
| |
| | |
| | |
| /var/lib/amanda/backup-pubkey.pem
| |
| File containing the RSA public key.
| |
| | |
| | |
| /var/lib/amanda/.pass
| |
| File containing the pass phrase. It should not be readable by
| |
| any user other than the Amanda user.
| |
| | |
| | |
| ==SEE ALSO==
| |
| [[amanda]](8), [[amanda.conf]](5), openssl(1), [[amcrypt-ossl]](8)
| |