I noticed amanda supports Kerberos authentication

I suspect that you noticed that amanda says it supports Kerberos
authentication.  The kerberos support is significantly broken in the
released bits.  When fixed, it supports encrypting the backup streams
between the client and server; cleartext bits go onto the tape.

Using TLS is not as straightforward as it might seem, because it is
still necessary to authenticate the backup request from the server to
the client, and to authenticate the server to the client so that the
bits are sent only to the correct server.  That said, using TLS with
no authentication can be helpful against passive eavesdropping.

There is another notion, which is quite separate, of encrypting the
backup files themselves.  They are then transferred over the network
(with encryption or not) and placed, still encrypted, on the tapes.
This has benefits of keeping plaintext off the tapes, but makes
restoring harder.  With such a scheme, you may not feel the need to
encrypt the client-server connection.  See

  http://security.uchicago.edu/tools/gpg-amanda/

for information about this option.  Still, one probably wishes to
ensure that only the authorized backup server can request dumps, or at
least that all dumps be processed by gpg.  Otherwise, a malicious host
claiming to be the server could request a dump without gpg treatment
(e.g. by not using the client-compress option, omitting the call to
the special gzip script which calls gpg).

        Greg Troxel <gdt AT ir.bbn DOT com>