'\" t .\" Title: amcrypt-ossl-asym .\" Author: Kevin Till .\" Generator: DocBook XSL Stylesheets v1.78.1 .\" Date: 12/01/2017 .\" Manual: System Administration Commands .\" Source: Amanda 3.5.1 .\" Language: English .\" .TH "AMCRYPT\-OSSL\-ASYM" "8" "12/01/2017" "Amanda 3\&.5\&.1" "System Administration Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" amcrypt-ossl-asym \- crypt program for Amanda asymmetric data encryption using OpenSSL .SH "SYNOPSIS" .HP \w'\fBamcrypt\-ossl\-asym\fR\ 'u \fBamcrypt\-ossl\-asym\fR [\-d] .SH "DESCRIPTION" .PP \fBamcrypt\-ossl\-asym\fR uses \fBOpenSSL\fR to encrypt and decrypt data\&. OpenSSL is available from www\&.openssl\&.org\&. OpenSSL offers a wide variety of cipher choices ( \fBamcrypt\-ossl\-asym\fR defaults to 256\-bit AES) and can use hardware cryptographic accelerators on several platforms\&. .PP \fBamcrypt\-ossl\-asym\fR will search for the OpenSSL program in the following directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/local/ssl/bin\&. .SH "GENERATING PUBLIC AND PRIVATE KEYS" .PP RSA keys can be generated with the standard OpenSSL commands, e\&.g\&.: .nf $ cd /var/lib/amanda $ openssl genrsa \-aes128 \-out backup\-privkey\&.pem 1024 Generating RSA private key, 1024 bit long modulus [\&.\&.\&.] Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR Verifying \- Enter pass phrase for backup\-key\&.pem: \fIENTER YOUR PASS PHRASE\fR $ openssl rsa \-in backup\-privkey\&.pem \-pubout \-out backup\-pubkey\&.pem Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR Writing RSA key .fi .PP To generate a private key without a passphrase, omit the \fB\-aes128\fR option\&. See \fBopenssl_genrsa\fR(1) for more key generation options\&. .PP Note that it is always possible to generate the public key from the private key\&. .SH "KEY AND PASSPHRASE MANAGEMENT" .PP \fBamcrypt\-ossl\-asym\fR uses the \fIpublic key\fR to encrypt data\&. The security of the data does not depend on the confidentiality of the public key\&. The \fIprivate key\fR is used to decrypt data, and must be protected\&. Encrypted backup data cannot be recovered without the private key\&. The private key may optionally be encrypted with a passphrase\&. .PP While the public key must be online at all times to perorm backups, the private key and optional passphrase are only needed to restore data\&. It is recommended that the latter be stored offline all other times\&. For example, you could keep the private key on removable media, and copy it into place for a restore; or you could keep the private key online, encrypted with a passphrase that is present only for a restore\&. .PP OpenSSL\*(Aqs key derivation routines use a salt to guard against dictionary attacks on the pass phrase; still it is important to pick a pass phrase that is hard to guess\&. The Diceware method (see www\&.diceware\&.com) can be used to create passphrases that are difficult to guess and easy to remember\&. .SH "FILES" .PP /var/lib/amanda/backup\-privkey\&.pem .RS 4 File containing the RSA private key\&. It should not be readable by any user other than the Amanda user\&. .RE .PP /var/lib/amanda/backup\-pubkey\&.pem .RS 4 File containing the RSA public key\&. .RE .PP /var/lib/amanda/\&.am_passphrase .RS 4 File containing the passphrase\&. It should not be readable by any user other than the Amanda user\&. .RE .SH "SEE ALSO" .PP \fBamanda\fR(8), \fBamanda.conf\fR(5), \fBopenssl\fR(1), \fBamcrypt-ossl\fR(8) .PP The Amanda Wiki: : http://wiki.zmanda.com/ .SH "AUTHOR" .PP \fBKevin Till\fR <\&kevin\&.till@zmanda\&.com\&> .RS 4 Zmanda, Inc\&. (http://www\&.zmanda\&.com) .RE .SH "NOTES" .IP " 1." 4 www.openssl.org .RS 4 \%http://www.openssl.org/ .RE .IP " 2." 4 www.diceware.com .RS 4 \%http://www.diceware.com/ .RE