NAME
amcrypt-ossl-asym - crypt program for Amanda asymmetric data encryption using

SYNOPSIS
amcrypt-ossl-asym [-d]

DESCRIPTION
amcrypt-ossl-asym uses OpenSSL to encrypt and decrypt data. OpenSSL is
available from www.openssl.org. OpenSSL offers a wide variety of cipher choices
(amcrypt-ossl-asym defaults to 256-bit AES) and can use hardware cryptographic
accelerators on several platforms.

amcrypt-ossl-asym will search for the OpenSSL program in the following
directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/local/ssl/bin.
GENERATING PUBLIC AND PRIVATE KEYS
RSA keys can be generated with the standard OpenSSL commands, e.g.:

    $ openssl genrsa -aes128 -out backup-key.pem 1024
    Generating RSA private key, 1024 bit long modulus
    Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
    Verifying - Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE

    $ openssl rsa -in backup-key.pem -pubout -out backup-pubkey.pem
    Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE

To generate a private key without a passphrase, omit the -aes128 option. See
openssl_genrsa(1) for more key generation options.

Note that it is always possible to generate the public key from the private
KEY AND PASSPHRASE MANAGEMENT
amcrypt-ossl-asym uses the public key to encrypt data. The security of the data
does not depend on the confidentiality of the public key. The private key is
used to decrypt data, and must be protected. Encrypted backup data cannot be
recovered without the private key. The private key may optionally be encrypted

While the public key must be online at all times to perform backups, the private
key and optional passphrase are only needed to restore data. It is recommended
that the latter be stored offline at all other times. For example, you could keep
the private key on removable media, and copy it into place for a restore; or
you could keep the private key online, encrypted with a passphrase that is
present only for a restore.

OpenSSL's key derivation routines use a salt to guard against dictionary
attacks on the pass phrase; still, it is important to pick a pass phrase that is
hard to guess. The Diceware method (see www.diceware.com) can be used to create
passphrases that are difficult to guess and easy to remember.
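The key-generation steps above and the split described in this section (public key encrypts, private key plus pass phrase decrypts), as an added shell illustration. This is not amcrypt-ossl-asym's own code and does not reproduce its on-disk format; it assumes an `openssl` binary on PATH, uses a constructed pass phrase and a temporary working directory, and implements a hybrid scheme (a fresh random 256-bit AES key for the data, wrapped with RSA-OAEP under the public key) chosen to match the page's statements that the public key encrypts and the default cipher is 256-bit AES. It uses a 2048-bit modulus rather than the 1024-bit one in the example above, since 1024-bit RSA is below current minimum recommendations.

```shell
#!/bin/sh
# Added illustration (not amcrypt-ossl-asym's own code): hybrid public-key /
# AES round trip with the openssl CLI. Assumes `openssl` on PATH. The pass
# phrase and the paths under $WORK are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="correct horse battery staple"   # constructed demo pass phrase

# Generate a pass-phrase-protected RSA private key and derive its public key.
# 2048 bits is used instead of the page's 1024-bit example.
make_keys() {
    openssl genrsa -aes128 -passout "pass:$PASS" \
        -out "$WORK/backup-key.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/backup-key.pem" -passin "pass:$PASS" \
        -pubout -out "$WORK/backup-pubkey.pem" 2>/dev/null
    chmod 600 "$WORK/backup-key.pem"   # private key: owner-only access
}

# Encrypt: needs only the public key. A random 256-bit AES key encrypts the
# payload; that AES key is wrapped with RSA-OAEP under the public key.
encrypt() {   # $1 = plaintext file, $2 = output prefix
    key_hex=$(openssl rand -hex 32)
    iv_hex=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -in "$1" -out "$2.data"
    printf '%s' "$key_hex" > "$WORK/.tmpkey"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/backup-pubkey.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/.tmpkey" -out "$2.key"
    rm -f "$WORK/.tmpkey"
    printf '%s' "$iv_hex" > "$2.iv"    # the IV is not secret
}

# Decrypt: needs the private key AND its pass phrase. Fails (returns 1)
# if the wrapped AES key cannot be unwrapped.
decrypt() {   # $1 = output prefix used by encrypt, $2 = recovered plaintext
    key_hex=$(openssl pkeyutl -decrypt -inkey "$WORK/backup-key.pem" \
        -passin "pass:$PASS" -pkeyopt rsa_padding_mode:oaep -in "$1.key") || return 1
    [ -n "$key_hex" ] || return 1
    iv_hex=$(cat "$1.iv")
    openssl enc -d -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -in "$1.data" -out "$2"
}

# Full round trip on a constructed payload; returns 0 only if the data is
# recovered intact and a wrong pass phrase is rejected.
roundtrip() {
    make_keys
    printf 'sample backup payload (constructed)\n' > "$WORK/plain.txt"
    encrypt "$WORK/plain.txt" "$WORK/out"
    decrypt "$WORK/out" "$WORK/recovered.txt"
    cmp -s "$WORK/plain.txt" "$WORK/recovered.txt" || return 1
    # Without the right pass phrase the private key file is useless.
    if (PASS='not the pass phrase'; decrypt "$WORK/out" "$WORK/bad.txt" 2>/dev/null); then
        return 1
    fi
    echo "round trip ok in $WORK"
}
```

Run `roundtrip` (or source the file and call the functions separately) to see the backup side needing only `backup-pubkey.pem` while the restore side needs `backup-key.pem` plus the pass phrase, which is exactly the split that lets the private key and pass phrase stay offline between restores.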
FILES
/var/lib/amanda/backup-privkey.pem
    File containing the RSA private key. It should not be readable by any
    user other than the Amanda user.

/var/lib/amanda/backup-pubkey.pem
    File containing the RSA public key.

    File containing the pass phrase. It should not be readable by any user
    other than the Amanda user.
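A check for the permission requirement stated above (private key and pass phrase readable only by the Amanda user), as an added shell example that is not part of Amanda. It assumes only POSIX `ls -n`, `id -u` and `cut`/`awk`; the file paths are parameters, and `demo` builds constructed sample files under a temporary directory rather than touching /var/lib/amanda.

```shell
#!/bin/sh
# Added example, not Amanda's own code: verify that a key or pass phrase file
# is owned by the expected user and grants nothing to group or others.

# check_private_file FILE [UID]
# Returns 0 if FILE exists, is owned by UID (default: the current uid) and
# has no group/other permission bits; otherwise prints the reason, returns 1.
check_private_file() {
    f=$1
    want_uid=${2:-$(id -u)}
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    line=$(ls -ldn "$f")                          # numeric owner, e.g. "-rw------- 1 1000 ..."
    mode=$(printf '%s' "$line" | cut -c5-10)      # group rwx + other rwx columns
    uid=$(printf '%s' "$line" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] || { echo "$f: owned by uid $uid, expected $want_uid"; return 1; }
    [ "$mode" = "------" ] || { echo "$f: readable beyond the owner ($line)"; return 1; }
    return 0
}

# audit_key_dir DIR [UID]
# Applies the check to the private-key file named on the page. The public key
# may be world readable, so it is deliberately not checked here.
audit_key_dir() {
    check_private_file "$1/backup-privkey.pem" "${2:-$(id -u)}"
}

# demo: constructed sample files, one correct (0600) and one too open (0644).
# Returns 0 only if the check accepts the first and rejects the second.
demo() {
    d=$(mktemp -d)
    printf 'constructed key material\n' > "$d/good.pem"; chmod 600 "$d/good.pem"
    printf 'constructed key material\n' > "$d/bad.pem";  chmod 644 "$d/bad.pem"
    rc=0
    check_private_file "$d/good.pem" >/dev/null || rc=1
    if check_private_file "$d/bad.pem" >/dev/null; then rc=1; fi
    rm -rf "$d"
    return $rc
}
```

`audit_key_dir /var/lib/amanda <amanda-uid>` is the form you would run on a real server; `demo` exercises the logic on throwaway files.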
SEE ALSO
amanda(8), amanda.conf(5), openssl(1), amcrypt-ossl(8)