-
- amcrypt-ossl-asym
-Prev Chapter 36. The Amanda Manual Pages. Next
-
--------------------------------------------------------------------------------
-
-Name
-
-amcrypt-ossl-asym \14 crypt program for Amanda asymmetric data encryption using
-OpenSSL
-
-Synopsis
-
-amcrypt-ossl-asym [-d]
-
-DESCRIPTION
-
-amcrypt-ossl-asym uses OpenSSL to encrypt and decrypt data. OpenSSL is
-available from www.openssl.org. OpenSSL offers a wide variety of cipher choices
-( amcrypt-ossl-asym defaults to 256-bit AES) and can use hardware cryptographic
-accelerators on several platforms.
-amcrypt-ossl-asym will search for the OpenSSL program in the following
-directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/local/ssl/bin.
-
-GENERATING PUBLIC AND PRIVATE KEYS
-
-RSA keys can be generated with the standard OpenSSL commands, e.g.:
-
- $ cd /var/lib/amanda
- $ openssl genrsa -aes128 -out backup-key.pem 1024
- Generating RSA private key, 1024 bit long modulus
- [...]
- Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
- Verifying - Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
-
- $ openssl rsa -in backup-key.pem -pubout -out backup-pubkey.pem
- Enter pass phrase for backup-key.pem: ENTER YOUR PASS PHRASE
- Writing RSA key
-
-To generate a private key without a passphrase, omit the -aes128 option. See
-openssl_genrsa(1) for more key generation options.
-Note that it is always possible to generate the public key from the private
-key.
-
-KEY AND PASSPHRASE MANAGEMENT
-
-amcrypt-ossl-asym uses the public key to encrypt data. The security of the data
-does not depend on the confidentiality of the public key. The private key is
-used to decrypt data, and must be protected. Encrypted backup data cannot be
-recovered without the private key. The private key may optionally be encrypted
-with a passphrase.
-While the public key must be online at all times to perorm backups, the private
-key and optional passphrase are only needed to restore data. It is recommended
-that the latter be stored offline all other times. For example, you could keep
-the private key on removable media, and copy it into place for a restore; or
-you could keep the private key online, encrypted with a passphrase that is
-present only for a restore.
-OpenSSL's key derivation routines use a salt to guard against dictionary
-attacks on the pass phrase; still it is important to pick a pass phrase that is
-hard to guess. The Diceware method (see www.diceware.com) can be used to create
-passphrases that are difficult to guess and easy to remember.
-
-FILES
-
-
-
- /var/lib/amanda/backup-privkey.pem
- File containing the RSA private key. It should not be readable by any
- user other than the Amanda user.
-
- /var/lib/amanda/backup-pubkey.pem
- File containing the RSA public key.
-
- /var/lib/amanda/.pass
- File containing the pass phrase. It should not be readable by any user
- other than the Amanda user.
-
-
-SEE ALSO
-
-amanda(8), amanda.conf(5), openssl(1), amcrypt-ossl(8)
--------------------------------------------------------------------------------
-
-Prev Up Next
-amcrypt-ossl Home amdd
-