'\" t
.\"     Title: amcrypt-ossl-asym
.\"    Author: Kevin Till <kevin.till@zmanda.com>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 12/01/2017
.\"    Manual: System Administration Commands
.\"    Source: Amanda 3.5.1
.\"  Language: English
.\"
.TH "AMCRYPT\-OSSL\-ASYM" "8" "12/01/2017" "Amanda 3\&.5\&.1" "System Administration Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
amcrypt-ossl-asym \- crypt program for Amanda asymmetric data encryption using OpenSSL
.SH "SYNOPSIS"
.HP \w'\fBamcrypt\-ossl\-asym\fR\ 'u
\fBamcrypt\-ossl\-asym\fR [\-d]
.SH "DESCRIPTION"
.PP
\fBamcrypt\-ossl\-asym\fR
uses
\fBOpenSSL\fR
to encrypt and decrypt data\&. OpenSSL is available from
www\&.openssl\&.org\&. OpenSSL offers a wide variety of cipher choices (
\fBamcrypt\-ossl\-asym\fR
defaults to 256\-bit AES) and can use hardware cryptographic accelerators on several platforms\&.
.PP
\fBamcrypt\-ossl\-asym\fR
will search for the OpenSSL program in the following directories: /bin:/usr/bin:/usr/local/bin:/usr/ssl/bin:/usr/local/ssl/bin\&.
.SH "GENERATING PUBLIC AND PRIVATE KEYS"
.PP
RSA keys can be generated with the standard OpenSSL commands, e\&.g\&.:
.nf
$ cd /var/lib/amanda
$ openssl genrsa \-aes128 \-out backup\-privkey\&.pem 1024
Generating RSA private key, 1024 bit long modulus
[\&.\&.\&.]
Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR
Verifying \- Enter pass phrase for backup\-key\&.pem: \fIENTER YOUR PASS PHRASE\fR

$ openssl rsa \-in backup\-privkey\&.pem \-pubout \-out backup\-pubkey\&.pem
Enter pass phrase for backup\-privkey\&.pem: \fIENTER YOUR PASS PHRASE\fR
Writing RSA key
.fi
.PP
To generate a private key without a passphrase, omit the
\fB\-aes128\fR
option\&. See
\fBopenssl_genrsa\fR(1)
for more key generation options\&.
.PP
Note that it is always possible to generate the public key from the private key\&.
.SH "KEY AND PASSPHRASE MANAGEMENT"
.PP
\fBamcrypt\-ossl\-asym\fR
uses the
\fIpublic key\fR
to encrypt data\&. The security of the data does not depend on the confidentiality of the public key\&. The
\fIprivate key\fR
is used to decrypt data, and must be protected\&. Encrypted backup data cannot be recovered without the private key\&. The private key may optionally be encrypted with a passphrase\&.
.PP
While the public key must be online at all times to perorm backups, the private key and optional passphrase are only needed to restore data\&. It is recommended that the latter be stored offline all other times\&. For example, you could keep the private key on removable media, and copy it into place for a restore; or you could keep the private key online, encrypted with a passphrase that is present only for a restore\&.
.PP
OpenSSL\*(Aqs key derivation routines use a salt to guard against dictionary attacks on the pass phrase; still it is important to pick a pass phrase that is hard to guess\&. The Diceware method (see
www\&.diceware\&.com) can be used to create passphrases that are difficult to guess and easy to remember\&.
.SH "FILES"
.PP
/var/lib/amanda/backup\-privkey\&.pem
.RS 4
File containing the RSA private key\&. It should not be readable by any user other than the Amanda user\&.
.RE
.PP
/var/lib/amanda/backup\-pubkey\&.pem
.RS 4
File containing the RSA public key\&.
.RE
.PP
/var/lib/amanda/\&.am_passphrase
.RS 4
File containing the passphrase\&. It should not be readable by any user other than the Amanda user\&.
.RE
.SH "SEE ALSO"
.PP
\fBamanda\fR(8),
\fBamanda.conf\fR(5),
\fBopenssl\fR(1),
\fBamcrypt-ossl\fR(8)
.PP
The Amanda Wiki:
: http://wiki.zmanda.com/
.SH "AUTHOR"
.PP
\fBKevin Till\fR <\&kevin\&.till@zmanda\&.com\&>
.RS 4
Zmanda, Inc\&. (http://www\&.zmanda\&.com)
.RE
.SH "NOTES"
.IP " 1." 4
www.openssl.org
.RS 4
\%http://www.openssl.org/
.RE
.IP " 2." 4
www.diceware.com
.RS 4
\%http://www.diceware.com/
.RE