.\" Title: amcrypt-ossl-asym
.\" Author: Kevin Till <kevin.till@zmanda.com>
.\" Generator: DocBook XSL Stylesheets vsnapshot_8273 <http://docbook.sf.net/>
.\" Manual: System Administration Commands
.\" Source: Amanda 3.2.1
.TH "AMCRYPT\-OSSL\-ASYM" "8" "12/14/2010" "Amanda 3\&.2\&.1" "System Administration Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.\" disable justification (adjust text to left margin only)
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
amcrypt-ossl-asym \- crypt program for Amanda asymmetric data encryption using OpenSSL
.HP \w'\fBamcrypt\-ossl\-asym\fR\ 'u
\fBamcrypt\-ossl\-asym\fR [\-d]
\fBamcrypt\-ossl\-asym\fR
to encrypt and decrypt data\&. OpenSSL is available from
www\&.openssl\&.org\&. OpenSSL offers a wide variety of cipher choices (
\fBamcrypt\-ossl\-asym\fR
defaults to 256\-bit AES) and can use hardware cryptographic accelerators on several platforms\&.
\fBamcrypt\-ossl\-asym\fR
will search for the OpenSSL program in the following directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/local/ssl/bin\&.
.SH "GENERATING PUBLIC AND PRIVATE KEYS"
RSA keys can be generated with the standard OpenSSL commands, e\&.g\&.:
$ openssl genrsa \-aes128 \-out backup\-privkey\&.pem 1024
Generating RSA private key, 1024 bit long modulus
Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR
Verifying \- Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR
$ openssl rsa \-in backup\-privkey\&.pem \-pubout \-out backup\-pubkey\&.pem
Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR
To generate a private key without a passphrase, omit the
\fBopenssl_genrsa\fR(1)
for more key generation options\&.
Note that it is always possible to generate the public key from the private key\&.
.SH "KEY AND PASSPHRASE MANAGEMENT"
\fBamcrypt\-ossl\-asym\fR
to encrypt data\&. The security of the data does not depend on the confidentiality of the public key\&. The
is used to decrypt data, and must be protected\&. Encrypted backup data cannot be recovered without the private key\&. The private key may optionally be encrypted with a passphrase\&.
While the public key must be online at all times to perform backups, the private key and optional passphrase are only needed to restore data\&. It is recommended that the latter be stored offline at all other times\&. For example, you could keep the private key on removable media, and copy it into place for a restore; or you could keep the private key online, encrypted with a passphrase that is present only for a restore\&.
OpenSSL\'s key derivation routines use a salt to guard against dictionary attacks on the pass phrase; still it is important to pick a pass phrase that is hard to guess\&. The Diceware method (see
www\&.diceware\&.com) can be used to create passphrases that are difficult to guess and easy to remember\&.
/var/lib/amanda/backup\-privkey\&.pem
File containing the RSA private key\&. It should not be readable by any user other than the Amanda user\&.
/var/lib/amanda/backup\-pubkey\&.pem
File containing the RSA public key\&.
/var/lib/amanda/\&.am_passphrase
File containing the passphrase\&. It should not be readable by any user other than the Amanda user\&.
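The rules above (private key and passphrase file readable only by the Amanda user, public key always present, public key derivable from the private key) are easy to get wrong after a restore or a key rotation. The following POSIX shell script is an added example, not part of the Amanda man page or distribution: it checks ownership and mode of the three files at the default paths named on the page, and, when OpenSSL is installed, confirms that the stored public key really is the public half of the private key. The Amanda user name (amandabackup) and the script name are assumptions; override them with environment variables for your installation.

```shell
#!/bin/sh
# Added example, not part of the Amanda man page: sanity checks for the key
# material amcrypt-ossl-asym depends on. The three default paths come from the
# man page; AMANDA_USER is an assumption for your installation.
AMANDA_USER="${AMANDA_USER:-amandabackup}"
PRIVKEY="${PRIVKEY:-/var/lib/amanda/backup-privkey.pem}"
PUBKEY="${PUBKEY:-/var/lib/amanda/backup-pubkey.pem}"
PASSFILE="${PASSFILE:-/var/lib/amanda/.am_passphrase}"

# secret_file_ok FILE UID
# Succeeds only when FILE is a regular file owned by numeric UID with no
# group or other permission bits at all (mode 0600 or stricter): the
# "not readable by any user other than the Amanda user" rule of the page.
# Parses `ls -ldn` (POSIX) so it behaves the same on GNU and BSD userlands.
secret_file_ok() {
    file=$1; want_uid=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ldn "$file")
    mode=$1; have_uid=$3
    [ "$have_uid" = "$want_uid" ] || return 1
    # columns 5-10 of the mode string are the group and other rwx bits;
    # a trailing '+', '@' or '.' (ACL/xattr/SELinux marker) does not affect them
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# public_file_ok FILE UID
# The public key is not secret, but it must not be replaceable by other
# users: if a different public key were substituted, later backups could
# not be restored with the real private key. Require owner UID and no
# group (column 6) or other (column 9) write bit.
public_file_ok() {
    file=$1; want_uid=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ldn "$file")
    mode=$1; have_uid=$3
    [ "$have_uid" = "$want_uid" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c6)" = "-" ] &&
    [ "$(printf '%s' "$mode" | cut -c9)" = "-" ]
}

# keypair_matches PRIVKEY PUBKEY [PASSFILE]
# Re-derives the public key from the private key (the page notes this is
# always possible) and compares it with the stored public key, so that a
# restore will be able to open what the backups were encrypted to.
# Pass PASSFILE when the private key is passphrase-protected; returns 2
# when the openssl binary is not available.
keypair_matches() {
    priv=$1; pub=$2; passfile=${3:-}
    command -v openssl >/dev/null 2>&1 || return 2
    if [ -n "$passfile" ]; then
        derived=$(openssl rsa -in "$priv" -pubout -passin "file:$passfile" 2>/dev/null)
    else
        derived=$(openssl rsa -in "$priv" -pubout 2>/dev/null)
    fi
    [ -n "$derived" ] && [ "$derived" = "$(cat "$pub" 2>/dev/null)" ]
}

# check_all: run every check against the configured paths, print one line
# per check and return non-zero if anything failed.
check_all() {
    uid=$(id -u "$AMANDA_USER" 2>/dev/null) || { echo "FAIL unknown user $AMANDA_USER"; return 1; }
    rc=0
    if secret_file_ok "$PRIVKEY" "$uid"; then echo "ok   private key $PRIVKEY"
    else echo "FAIL private key $PRIVKEY: missing, wrong owner, or accessible to others"; rc=1; fi
    if public_file_ok "$PUBKEY" "$uid"; then echo "ok   public key $PUBKEY"
    else echo "FAIL public key $PUBKEY: missing, wrong owner, or writable by others"; rc=1; fi
    if [ -e "$PASSFILE" ]; then
        if secret_file_ok "$PASSFILE" "$uid"; then echo "ok   passphrase file $PASSFILE"
        else echo "FAIL passphrase file $PASSFILE: wrong owner or accessible to others"; rc=1; fi
        pf=$PASSFILE
    else
        echo "note no passphrase file; private key assumed unencrypted (or passphrase kept offline)"
        pf=""
    fi
    keypair_matches "$PRIVKEY" "$PUBKEY" "$pf"
    case $? in
        0) echo "ok   public key matches private key" ;;
        2) echo "note openssl not found; key pair not verified" ;;
        *) echo "FAIL public key does not match private key (or key unreadable)"; rc=1 ;;
    esac
    return $rc
}

# Only run the checks when invoked as: sh amkeycheck.sh check
if [ "${1:-}" = "check" ]; then check_all; fi
```

Run it as the root or Amanda user with `sh amkeycheck.sh check`, setting `AMANDA_USER`, `PRIVKEY`, `PUBKEY` or `PASSFILE` in the environment where your paths differ. If the private key is kept offline as the page recommends, run the key pair check only during a restore drill, when the key has been copied into place.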
: http://wiki.zmanda.com/
\fBKevin Till\fR <\&kevin\&.till@zmanda\&.com\&>
Zmanda, Inc\&. (http://www\&.zmanda\&.com)
\%http://www.openssl.org/
\%http://www.diceware.com/