--- /dev/null
+
+Chapter 16. How to do Amanda-server-side gpg-encrypted backups.
+Prev Part III. HOWTOs Next
+
+-------------------------------------------------------------------------------
+
+Chapter 16. How to do Amanda-server-side gpg-encrypted backups.
+
+
+Stefan G. Weichinger
+
+Original text
+AMANDA Core Team
+<sgw@amanda.org>
+Table of Contents
+
+
+ Setup
+
+ Test
+
+ Plans
+
+
+Note
+
+Refer to http://www.amanda.org/docs/howto-gpg.html for the current version of
+this document.
+
+Note
+
+THIS IS *NOT* YET INTENDED FOR PRODUCTION SERVERS !!!
+Bruce Fletcher asked for a "simple" encryption method to be used with Amanda-
+server. gpg-amanda http://security.uchicago.edu/tools/gpg-amanda/ seems to
+create problems at restore-time, as it uses a wrapper for gzip.
+My solution uses a wrapper for GNU-tar instead, so there are several
+disadvantages avoided.
+
+Note
+
+This is based on a Amanda-vtape-setup with the Amanda-release 2.4.5. As this is
+still in the testing-stage, I have coded the home-dir of the Amanda-user into
+my scripts (/var/lib/amanda). This should be done with variables later, I agree
+...
+What you need:
+
+* aespipe http://loop-aes.sourceforge.net/aespipe/aespipe-v2.3b.tar.bz2 and the
+ bz2aespipe-wrapper that comes with it. It gets patched as described later.
+* the wrapper-script /usr/local/libexec/amgtar, as listed down below,
+* GNU-PG http://www.gnupg.org/(en)/download/index.html. This should be part of
+ most current operating systems already.
+* Amanda ;)
+
+
+Setup
+
+
+* Configure and compile aespipe:
+
+ tar -xjf aespipe-v2.3b.tar.bz2
+ cd aespipe-v2.3b
+ ./configure
+ make
+ make install
+
+* Generate and store the gpg-key for the Amanda-user:
+
+ # taken from the aespipe-README
+ head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | \
+ gpg --symmetric -a > /var/lib/amanda/.gnupg/am_key.gpg
+
+ This will ask for a passphrase. Remember this passphrase as you will need it
+ in the next step.
+ Store the passphrase inside the home-directory of the Amanda-user and protect
+ it with proper permissions:
+
+ echo my_secret_passphrase > ~amanda/.am_passphrase
+ chown amanda:disk ~amanda/.am_passphrase
+ chmod 700 ~amanda/.am_passphrase
+
+ We need this file because we don't want to have to enter the passphrase
+ manually everytime we run amdump. We have to patch bz2aespipe to read the
+ passphrase from a file. I have called that file ~amanda/.am_passphrase.
+ It should NOT ;) look like this:
+
+ # cat ~amanda/.am_passphrase
+ my_secret_passphrase
+
+
+ Note
+
+ Store the key and the passphrase in some other place as well, without these
+ information you can't access any tapes that have been encrypted with it (this
+ is exactly why we are doing all this, isn't it? ;) ).
+* Create the wrapper for GNU-tar:
+ Example 16.1. /usr/local/libexec/amgtar
+
+ #!/bin/sh
+ #
+ # Original wrapper by Paul Bijnens
+ #
+ # crippled by Stefan G. Weichinger
+ # to enable gpg-encrypted dumps via aespipe
+
+ GTAR=/bin/tar
+ AM_AESPIPE=/usr/local/bin/amaespipe
+ AM_PASSPHRASE=/var/lib/amanda/.am_passphrase
+ LOG=/dev/null
+ LOG_ENABLED=1
+
+ if [ "$LOG_ENABLED" = "1" ]
+ then
+ LOG=/var/log/amanda/amgtar.debug
+ date >> $LOG
+ echo "$@" >> $LOG
+ fi
+
+ if [ "$3" = "/dev/null" ]
+ then
+ echo "Estimate only" >> $LOG
+ $GTAR "$@"
+ else
+ echo "Real backup" >> $LOG
+ $GTAR --use-compress-program="$AM_AESPIPE" "$@" 3< $AM_PASSPHRASE
+ fi
+
+ rc=$?
+ exit $rc
+
+
+* Copy the wrapper-script bz2aespipe, which comes with the aespipe-tarball, to
+ /usr/local/bin/amaespipe and edit it this way:
+ Example 16.2. /usr/local/bin/amaespipe
+
+ #! /bin/sh
+
+ # FILE FORMAT
+ # 10 bytes: constant string 'bz2aespipe'
+ # 10 bytes: itercountk digits
+ # 1 byte: '0' = AES128, '1' = AES192, '2' = AES256
+ # 1 byte: '0' = SHA256, '1' = SHA384, '2' = SHA512, '3' = RMD160
+ # 24 bytes: random seed string
+ # remaining bytes are bzip2 compressed and aespipe encrypted
+
+ # These definitions are only used when encrypting.
+ # Decryption will autodetect these definitions from archive.
+ ENCRYPTION=AES256
+ HASHFUNC=SHA256
+ ITERCOUNTK=100
+ WAITSECONDS=1
+ GPGKEY="/var/lib/amanda/.gnupg/am_key.gpg"
+ FDNUMBER=3
+
+ if test x$1 = x-d ; then
+ # decrypt
+ n=`head -c 10 - | tr -d -c 0-9a-zA-Z`
+ if test x${n} != xbz2aespipe ; then
+ echo "bz2aespipe: wrong magic - aborted" >/dev/tty
+ exit 1
+ fi
+ itercountk=`head -c 10 - | tr -d -c 0-9`
+ if test x${itercountk} = x ; then itercountk=0; fi
+ n=`head -c 1 - | tr -d -c 0-9`
+ encryption=AES128
+ if test x${n} = x1 ; then encryption=AES192; fi
+ if test x${n} = x2 ; then encryption=AES256; fi
+ n=`head -c 1 - | tr -d -c 0-9`
+ hashfunc=SHA256
+ if test x${n} = x1 ; then hashfunc=SHA384; fi
+ if test x${n} = x2 ; then hashfunc=SHA512; fi
+ if test x${n} = x3 ; then hashfunc=RMD160; fi
+ seedstr=`head -c 24 - | tr -d -c 0-9a-zA-Z+/`
+ #aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
+ S "${seedstr}" -C ${itercountk} -d | bzip2 -d -q
+ aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
+ S "${seedstr}" -C ${itercountk} -d
+ else
+ # encrypt
+ echo -n bz2aespipe
+ echo ${ITERCOUNTK} | awk '{printf "%10u", $1;}'
+ n=`echo ${ENCRYPTION} | tr -d -c 0-9`
+ aesstr=0
+ if test x${n} = x192 ; then aesstr=1; fi
+ if test x${n} = x256 ; then aesstr=2; fi
+ n=`echo ${HASHFUNC} | tr -d -c 0-9`
+ hashstr=0
+ if test x${n} = x384 ; then hashstr=1; fi
+ if test x${n} = x512 ; then hashstr=2; fi
+ if test x${n} = x160 ; then hashstr=3; fi
+ seedstr=`head -c 18 /dev/urandom | uuencode -m - | head -n 2 | tail -
+ n 1`
+ echo -n ${aesstr}${hashstr}${seedstr}
+ #bzip2 | aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H $
+ {HASHFUNC} -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
+ aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} -
+ S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
+ fi
+ exit 0
+
+
+ or apply this small patch
+ Example 16.3. bz2aespipe.patch
+
+ @@ -15,3 +15,5 @@
+ ITERCOUNTK=100
+ -WAITSECONDS=10
+ +WAITSECONDS=1
+ +GPGKEY="/var/lib/amanda/.gnupg/am_key.gpg"
+ +FDNUMBER=3
+
+ @@ -36,3 +38,4 @@
+ seedstr=`head -c 24 - | tr -d -c 0-9a-zA-Z+/`
+ - aespipe -e ${encryption} -H ${hashfunc} -S "${seedstr}" -C $
+ {itercountk} -d | bzip2 -d -q
+ + #aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
+ S "${seedstr}" -C ${itercountk} -d | bzip2 -d -q
+ + aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${encryption} -H ${hashfunc} -
+ S "${seedstr}" -C ${itercountk} -d
+ else
+ @@ -52,3 +55,4 @@
+ echo -n ${aesstr}${hashstr}${seedstr}
+ - bzip2 | aespipe -e ${ENCRYPTION} -H ${HASHFUNC} -S ${seedstr} -C $
+ {ITERCOUNTK} -T -w ${WAITSECONDS}
+ + #bzip2 | aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H $
+ {HASHFUNC} -S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
+ + aespipe -K ${GPGKEY} -p ${FDNUMBER} -e ${ENCRYPTION} -H ${HASHFUNC} -
+ S ${seedstr} -C ${ITERCOUNTK} -w ${WAITSECONDS}
+ fi
+
+
+ Things I have changed:
+
+ o Decreased WAITSECONDS: No need to wait for 10 seconds to read the
+ passphrase.
+ o Removed bzip2 from the pipes: Amanda triggers GNU-zip-compression by
+ itself, no need to do this twice (slows down things, blows up size).
+ o Added options -K and -p: This enables aespipe to use the generated gpg-key
+ and tells it the number of the file-descriptor to read the passphrase from.
+
+
+ Note
+
+ You may set various parameters inside bz2aespipe. You may also call
+ bz2aespipe with various command-line-parameters to choose the encryption-
+ algorithm, hash-function etc. . For a start I have chosen to call bz2aespipe
+ without command-line-options.
+* Reconfigure and recompile Amanda (yes, I'm sorry ...):
+ As described in How_to_use_a_wrapper you have to run configure again with the
+ option --with-gnutar=/usr/local/libexec/amgtar, after that recompile and
+ reinstall Amanda. These steps are described in the mentioned document.
+
+
+Test
+
+Still to come ...
+
+Plans
+
+There are several wishes:
+
+* Ability to switch encryption inside a dumptype. This HOWTO describes a method
+ that enables/disables encryption for the whole installation. You might remove
+ the amgtar-wrapper and simply link to plain GNU-tar again to disable
+ encryption, but be aware that you also disable decryption with this step. You
+ will hit problems when you then try to restore encrypted tapes.
+* Ability to switch encryption-parameters inside a dumptype. Choice of
+ algorithm, hash-functions etc. I don't know if it makes sense to put it into
+ a dumptype or if it would be enough to configure it once inside amaespipe (I
+ assume the latter).
+* All this leads to the need to code this into Amanda itself: new dumptype-
+ options and corresponding calls to GNU-tar etc. inside client-src/sendbackup-
+ gnutar.c.
+
+This is it so far. Release early, release often. Feel free to contact me with
+your thoughts on this paper.
+-------------------------------------------------------------------------------
+
+Prev Up Next
+Chapter 15. How to use a wrapper Home Chapter 17. How to use different auth
+ with Amanda
+
projects / debian / amanda / blobdiff