Chapter 16. How to do Amanda-server-side gpg-encrypted backups.
Refer to http://www.amanda.org/docs/howto-gpg.html for the current version of

THIS IS *NOT* YET INTENDED FOR PRODUCTION SERVERS !!!
Bruce Fletcher asked for a "simple" encryption method to be used with the
Amanda server. gpg-amanda (http://security.uchicago.edu/tools/gpg-amanda/)
seems to create problems at restore time, as it uses a wrapper for gzip.
My solution uses a wrapper for GNU tar instead, which avoids several of those
disadvantages.
This is based on an Amanda vtape setup with Amanda release 2.4.5. As this is
still in the testing stage, I have hard-coded the home directory of the Amanda
user (/var/lib/amanda) into my scripts. This should be done with variables
later, I agree
* aespipe (http://loop-aes.sourceforge.net/aespipe/aespipe-v2.3b.tar.bz2) and
  the bz2aespipe wrapper that comes with it. It gets patched as described later.
* the wrapper script /usr/local/libexec/amgtar, as listed below,
* GnuPG (http://www.gnupg.org/(en)/download/index.html). This should already be
  part of most current operating systems.
* Configure and compile aespipe:

  tar -xjf aespipe-v2.3b.tar.bz2
* Generate and store the gpg key for the Amanda user:

  # taken from the aespipe README
  head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | \
  gpg --symmetric -a > /var/lib/amanda/.gnupg/am_key.gpg
This will ask for a passphrase. Remember this passphrase as you will need it
Store the passphrase inside the home directory of the Amanda user and protect
it with proper permissions. Mode 600 is what is needed: only the owner has to
read the file, and nothing ever needs to execute it. Note also that a
passphrase typed on the command line, as below, ends up in the shell history;
clear it afterwards or write the file with an editor instead.

  echo my_secret_passphrase > ~amanda/.am_passphrase
  chown amanda:disk ~amanda/.am_passphrase
  chmod 600 ~amanda/.am_passphrase
We need this file because we don't want to enter the passphrase manually every
time amdump runs. bz2aespipe has to be patched to read the passphrase from a
file; I have called that file ~amanda/.am_passphrase.
It should NOT ;) look like this:

  # cat ~amanda/.am_passphrase
Store the key and the passphrase in some other place as well: without this
information you can't access any tapes that have been encrypted with it (this
is exactly why we are doing all this, isn't it? ;) ).
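The wrapper below hands the passphrase to aespipe by opening the file on file descriptor 3 (`3< $AM_PASSPHRASE`), so it never appears on a command line or in the environment. The following is an added example, not part of this HOWTO or of aespipe: it checks the passphrase file the way a cautious operator would before every dump (regular file, owner only, mode 600) and shows the descriptor hand-off with a small shell stand-in for the program at the end of the pipe. The temporary file and the sample passphrase are constructed; the GNU `stat -c` syntax is an assumption about the platform.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: check the passphrase file before use
# and show how it reaches a child on file descriptor 3, which is what the
# amgtar wrapper does with "3< $AM_PASSPHRASE" and amaespipe reads with
# "aespipe -p 3".  Nothing about the passphrase appears on a command line or
# in the environment, where other users could see it with ps.
# The sample passphrase and the temporary file below are constructed.

# check_passphrase_file FILE: accept only a regular, non-symlink file that is
# owned by the calling user and readable by nobody else (mode 600 or 400).
# Uses GNU stat -c; adjust for BSD stat -f.
check_passphrase_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    case $(stat -c %a "$f") in
        600|400) ;;
        *) echo "$f: mode $(stat -c %a "$f"), want 600" >&2; return 1 ;;
    esac
    if [ "$(stat -c %u "$f")" != "$(id -u)" ]; then
        echo "$f: not owned by uid $(id -u)" >&2; return 1
    fi
}

# passphrase_from_fd3: stand-in for the program at the end of the pipe; reads
# one line from fd 3 the way "aespipe -p 3" does (aespipe itself is C code).
passphrase_from_fd3() {
    IFS= read -r pw <&3 || return 1
    printf '%s' "$pw"
}

# run_with_passphrase FILE CMD...: run CMD with FILE open on fd 3, after the
# file has passed the checks above.  CMD sees the passphrase only on fd 3.
run_with_passphrase() {
    file=$1; shift
    check_passphrase_file "$file" || return 1
    "$@" 3< "$file"
}

# demo: a world-readable passphrase file must be refused, a 600 one accepted;
# prints the passphrase read back through fd 3.
demo() {
    tmp=$(mktemp) || return 1
    printf 'my_secret_passphrase\n' > "$tmp"   # constructed sample passphrase
    chmod 644 "$tmp"
    if run_with_passphrase "$tmp" passphrase_from_fd3 >/dev/null 2>&1; then
        echo "BUG: world-readable passphrase file accepted" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    pw=$(run_with_passphrase "$tmp" passphrase_from_fd3)
    rm -f "$tmp"
    printf '%s\n' "$pw"
}

demo
```

A check like `check_passphrase_file` belongs at the top of the amgtar wrapper, before tar is started: a dump that runs with a readable passphrase file is worse than a dump that fails loudly in the Amanda report.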
* Create the wrapper for GNU tar:

Example 16.1. /usr/local/libexec/amgtar
#!/bin/sh
# Original wrapper by Paul Bijnens
# crippled by Stefan G. Weichinger
# to enable gpg-encrypted dumps via aespipe
GTAR=/bin/tar                    # real GNU tar; path not shown on this page
AM_AESPIPE=/usr/local/bin/amaespipe
AM_PASSPHRASE=/var/lib/amanda/.am_passphrase
LOG_ENABLED=0                    # 1 traces how Amanda calls the wrapper
LOG=/dev/null
if [ "$LOG_ENABLED" = "1" ]
then
    LOG=/var/log/amanda/amgtar.debug
fi
# Estimates pass /dev/null as the archive ($3) and need no encryption; a real
# dump (or a restore, where tar runs amaespipe -d) gets the passphrase on fd 3.
if [ "$3" = "/dev/null" ]
then
    echo "Estimate only" >> $LOG
    exec $GTAR "$@"
else
    echo "Real backup" >> $LOG
    exec $GTAR --use-compress-program="$AM_AESPIPE" "$@" 3< $AM_PASSPHRASE
fi
* Copy the wrapper script bz2aespipe, which comes with the aespipe tarball, to
  /usr/local/bin/amaespipe and edit it this way:
Example 16.2. /usr/local/bin/amaespipe

#!/bin/sh
# bz2aespipe from the aespipe distribution, edited for Amanda: the gpg key
# file is read with -K, the passphrase comes from file descriptor FDNUMBER
# (-p), and bzip2 is taken out of both pipes.  Header layout, unchanged:
#
# 10 bytes: constant string 'bz2aespipe'
# 10 bytes: itercountk digits
# 1 byte: '0' = AES128, '1' = AES192, '2' = AES256
# 1 byte: '0' = SHA256, '1' = SHA384, '2' = SHA512, '3' = RMD160
# 24 bytes: random seed string
# remaining bytes are aespipe encrypted (no longer bzip2 compressed in this
# version; the magic string has been kept as it is)

# These definitions are only used when encrypting.
# Decryption will autodetect these definitions from archive.
# Only GPGKEY is shown on this page; the other values are defaults to adjust
# to taste (the restore side reads them back from the header anyway).
ENCRYPTION=AES128
HASHFUNC=SHA256
ITERCOUNTK=100
WAITSECONDS=1     # lowered from bz2aespipe's 10; the author's value is not shown here
GPGKEY="/var/lib/amanda/.gnupg/am_key.gpg"
FDNUMBER=3        # must match the "3<" redirection in the amgtar wrapper

if test x$1 = x-d ; then
    # decrypt: read the parameters back from the header
    n=`head -c 10 - | tr -d -c 0-9a-zA-Z`
    if test x${n} != xbz2aespipe ; then
        # stderr rather than /dev/tty: there is no terminal under amdump
        echo "bz2aespipe: wrong magic - aborted" >&2
        exit 1
    fi
    itercountk=`head -c 10 - | tr -d -c 0-9`
    if test x${itercountk} = x ; then itercountk=0; fi
    n=`head -c 1 - | tr -d -c 0-9`
    encryption=AES128
    if test x${n} = x1 ; then encryption=AES192; fi
    if test x${n} = x2 ; then encryption=AES256; fi
    n=`head -c 1 - | tr -d -c 0-9`
    hashfunc=SHA256
    if test x${n} = x1 ; then hashfunc=SHA384; fi
    if test x${n} = x2 ; then hashfunc=SHA512; fi
    if test x${n} = x3 ; then hashfunc=RMD160; fi
    seedstr=`head -c 24 - | tr -d -c 0-9a-zA-Z+/`
    #aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} \
    #    -S "${seedstr}" -C ${itercountk} -d | bzip2 -d -q
    aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} \
        -S "${seedstr}" -C ${itercountk} -d
else
    # encrypt: write the header, then the aespipe output
    echo -n bz2aespipe
    echo ${ITERCOUNTK} | awk '{printf "%10u", $1;}'
    n=`echo ${ENCRYPTION} | tr -d -c 0-9`
    aesstr=0
    if test x${n} = x192 ; then aesstr=1; fi
    if test x${n} = x256 ; then aesstr=2; fi
    n=`echo ${HASHFUNC} | tr -d -c 0-9`
    hashstr=0
    if test x${n} = x384 ; then hashstr=1; fi
    if test x${n} = x512 ; then hashstr=2; fi
    if test x${n} = x160 ; then hashstr=3; fi
    seedstr=`head -c 18 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1`
    echo -n ${aesstr}${hashstr}${seedstr}
    #bzip2 | aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} \
    #    -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
    aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} \
        -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
fi
or apply this small patch

Example 16.3. bz2aespipe.patch
+GPGKEY="/var/lib/amanda/.gnupg/am_key.gpg"
seedstr=`head -c 24 - | tr -d -c 0-9a-zA-Z+/`
- aespipe -e ${encryption} -H ${hashfunc} -S "${seedstr}" -C $
{itercountk} -d | bzip2 -d -q
+ #aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
S "${seedstr}" -C ${itercountk} -d | bzip2 -d -q
+ aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
S "${seedstr}" -C ${itercountk} -d
echo -n ${aesstr}${hashstr}${seedstr}
- bzip2 | aespipe -e ${ENCRYPTION} -H ${HASHFUNC} -S ${seedstr} -C $
{ITERCOUNTK} -T -w ${WAITSECONDS}
+ #bzip2 | aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H $
{HASHFUNC} -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
+ aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} -
S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
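Review bot: both new aespipe lines use ${FDNUMBER}, but the patch only adds GPGKEY="/var/lib/amanda/.gnupg/am_key.gpg"; with FDNUMBER undefined the encrypt and decrypt commands expand to "aespipe -K ... -p -e AES128 ...", i.e. the option that should carry the descriptor number swallows "-e". Add a line such as FDNUMBER=3 next to GPGKEY, matching the "3< $AM_PASSPHRASE" redirection in the amgtar wrapper. Two more points for the write-up: the patch removes "bzip2 -d -q" and "bzip2 |" on both sides but keeps the 'bz2aespipe' magic string, so an unpatched bz2aespipe -d accepts the header and then fails inside bzip2; either change the magic or state that archives written by amaespipe are only readable by amaespipe. And the encrypt line drops "-T" (ask for the passphrase twice) in addition to the -K/-p changes; that is right once the passphrase comes from a descriptor, but it should be listed under "Things I have changed".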
Things I have changed:

  o Decreased WAITSECONDS: No need to wait for 10 seconds to read the
  o Removed bzip2 from the pipes: Amanda triggers gzip compression by itself,
    so there is no need to do this twice (it slows things down and blows up
    the size). Be aware that Amanda's compression then runs over the output
    of aespipe, which is already encrypted and will not shrink; it costs CPU
    time without saving tape.
  o Added options -K and -p: -K makes aespipe use the generated gpg key file,
    -p tells it the number of the file descriptor to read the passphrase from.
You may set various parameters inside bz2aespipe. You may also call bz2aespipe
with command-line parameters to choose the encryption algorithm, hash function
etc. For a start I have chosen to call bz2aespipe without command-line options.
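Because every parameter needed for decryption is stored in the 46-byte header in front of the aespipe output, a restore only needs the key file and the passphrase. The following is an added example, not code from this HOWTO or from aespipe: it builds and parses that header with plain coreutils, so the format can be exercised, for instance against the first bytes of an amrestore output, on a machine without aespipe or gpg. The payload is constructed text standing in for the ciphertext; `base64` from coreutils is assumed as the equivalent of the script's `uuencode -m` seed line.

```sh
#!/bin/sh
# Added example, not code from the HOWTO or from aespipe: build and parse the
# 46-byte header that amaespipe/bz2aespipe writes in front of the encrypted
# stream, so the format can be exercised without aespipe or gpg installed.
# The payload used below is constructed plain text standing in for ciphertext.

# new_seed: 24 base64 characters from 18 random bytes, the same length the
# script's "head -c 18 /dev/urandom | uuencode -m -" line yields
# (base64 is in coreutils; strip its newline when using the result).
new_seed() {
    head -c 18 /dev/urandom | base64
}

# build_header ENC HASH ITERCOUNTK SEED  -> header on stdout, no newline.
# ENC: AES128/AES192/AES256, HASH: SHA256/SHA384/SHA512/RMD160, SEED: 24 chars.
build_header() {
    case $1 in AES128) a=0 ;; AES192) a=1 ;; AES256) a=2 ;; *) return 1 ;; esac
    case $2 in SHA256) h=0 ;; SHA384) h=1 ;; SHA512) h=2 ;; RMD160) h=3 ;; *) return 1 ;; esac
    [ ${#4} -eq 24 ] || return 1
    # printf instead of the script's "echo -n": echo -n is not portable.
    printf 'bz2aespipe%10u%s%s%s' "$3" "$a" "$h" "$4"
}

# parse_header: consume exactly the 46 header bytes from stdin and print
# "ENC HASH ITERCOUNTK SEED".  Everything after the header is left unread,
# which is what lets bz2aespipe hand the rest of the stream to "aespipe -d".
# This relies on GNU head -c reading no more than the requested byte count.
parse_header() {
    magic=$(head -c 10 | tr -d -c 0-9a-zA-Z)
    [ "$magic" = bz2aespipe ] || { echo "wrong magic: $magic" >&2; return 1; }
    iterk=$(head -c 10 | tr -d -c 0-9)
    [ -n "$iterk" ] || iterk=0
    case $(head -c 1) in
        0) enc=AES128 ;; 1) enc=AES192 ;; 2) enc=AES256 ;; *) return 1 ;;
    esac
    case $(head -c 1) in
        0) hash=SHA256 ;; 1) hash=SHA384 ;; 2) hash=SHA512 ;; 3) hash=RMD160 ;;
        *) return 1 ;;
    esac
    seed=$(head -c 24 | tr -d -c 0-9a-zA-Z+/)
    printf '%s %s %s %s\n' "$enc" "$hash" "$iterk" "$seed"
}

# roundtrip SEED PAYLOAD: write header + payload into a pipe, parse the header
# and pass the remainder through untouched, as the decrypt branch does.
roundtrip() {
    hdr=$(build_header AES256 SHA512 100 "$1") || return 1
    printf '%s%s' "$hdr" "$2" | { parse_header && cat; }
}

roundtrip "$(new_seed)" 'constructed-payload-standing-in-for-ciphertext'
echo
```

Run `amrestore -p ... | head -c 46 | parse_header` against a real dump to confirm that a tape is an amaespipe archive and which parameters it was written with, before the key file and passphrase are even needed.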
* Reconfigure and recompile Amanda (yes, I'm sorry ...):
  As described in How_to_use_a_wrapper you have to run configure again with
  the option --with-gnutar=/usr/local/libexec/amgtar, then recompile and
  reinstall Amanda. These steps are described in the mentioned document.
There are several wishes:

* Ability to switch encryption inside a dumptype. This HOWTO describes a method
  that enables/disables encryption for the whole installation. You might remove
  the amgtar wrapper and simply link to plain GNU tar again to disable
  encryption, but be aware that this disables decryption as well: you will hit
  problems when you then try to restore encrypted tapes.
* Ability to switch encryption parameters inside a dumptype: choice of
  algorithm, hash function etc. I don't know if it makes sense to put this into
  a dumptype or if it would be enough to configure it once inside amaespipe (I
* All this leads to the need to code this into Amanda itself: new dumptype
  options and corresponding calls to GNU tar etc. inside client-src/sendbackup-
This is it so far. Release early, release often. Feel free to contact me with
your thoughts on this paper.