Amanda-Users

Re: Encrypting backups

2008-07-25 17:13:31
Subject: Re: Encrypting backups
From: Chad Kotil <ckotil AT grnoc.iu DOT edu>
To: amanda List <amanda-users AT amanda DOT org>
Date: Fri, 25 Jul 2008 16:33:29 -0400
For a while I was successfully running an encryption scheme on all my local hosts, including two Solaris 9 hosts. I followed the instructions on the wiki.
I used the OpenSSL encryption scheme /usr/sbin/amcrypt-ossl w/ the aes-256-cbc cipher. I settled on this type of encryption because at first I used amcrypt and it was killing some of my slower machines.

Eventually I switched to an ssh auth scheme using ssh keys. I think it performs better, none of my machines load spike any more.

--Chad




On Jul 25, 2008, at 4:17 PM, Paul Crittenden wrote:

Johan,
I am running a Sun server with Solaris 9 and had no luck with amcrypt; aespipe failed. I was able to get amgpgcrypt and amcryptsimple to work. There are wikis for them on the zmanda site. I am at home so I cannot help with the links since I have them bookmarked at work.
Paul


From: owner-amanda-users AT amanda DOT org on behalf of Johan Booysen
Sent: Fri 7/25/2008 12:10 PM
To: amanda-users AT amanda DOT org
Subject: Encrypting backups

I’m trying to set up encryption for Amanda 2.6.0p1.  I’ve followed the instructions on http://wiki.zmanda.com/index.php/How_To:Set_up_data_encryption.

 

I did not specifically install gnupg or aespipe as they  appeared to be present already.  I did install sharutils for uuencode.

 

I generated the gpg-key as per the instructions, created .am_passphrase, and then modified the dumptype in amanda.conf accordingly:

 

define dumptype comp-tar {
     program "GNUTAR"
     tape_splitsize 1Gb
     compress fast
     index yes
     record yes
     exclude list "/etc/amanda/exclude-list"
     encrypt  server
     server_encrypt "/usr/sbin/amcrypt"
     server_decrypt_option "-d"
   }

 

Amcheck runs ok.  But when I start the backup job, it fails with:

 

FAILED DUMP DETAILS:

 

/--  server /bla/bla lev 0 FAILED [data write: Broken pipe]
sendbackup: start [server:/bla/bla level 0]
sendbackup: info BACKUP=/bin/tar
sendbackup: info RECOVER_CMD=/bin/gzip -dc |/bin/tar -f... -
sendbackup: info COMPRESS_SUFFIX=.gz
sendbackup: info end
\--------

 

/--  server /bla/bla lev 0 FAILED [data write: Broken pipe]
sendbackup: start [server:/bla/bla level 0]
sendbackup: info BACKUP=/bin/tar
sendbackup: info RECOVER_CMD=/bin/gzip -dc |/bin/tar -f... -
sendbackup: info COMPRESS_SUFFIX=.gz
sendbackup: info end
\--------

 

And this is an extract from amdump.1 in the Amanda config directory.  It appears not to have been able to find “aespipe”, which is strange because it’s right there:

 

-sh-3.2$ ls -l /usr/sbin/amaespipe
-rwxr-x--- 1 amandabackup disk 3193 May 14 03:45 /usr/sbin/amaespipe

 

amdump.1 extract:

 

which: no aespipe in (/usr/sbin:/usr/libexec/amanda:/usr/sbin:/usr/libexec/amanda:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/sbin:/sbin:/usr/ucb:/usr/sbin:/sbin:/usr/ucb:/opt/csw/bin)
/usr/sbin/amcrypt: aespipe was not found in /usr/sbin:/usr/libexec/amanda:/usr/sbin:/usr/libexec/amanda:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/sbin:/sbin:/usr/ucb:/usr/sbin:/sbin:/usr/ucb:/opt/csw/bin
dumper: kill encrypt command
dumper: kill index command
driver: state time 16.240 free kps: 5116 space: 456602272 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 16.240 if default: free 5116
driver: hdisk-state time 16.240 hdisk 0: free 198176768 dumpers 0 hdisk 1: free 258425504 dumpers 1
driver: result time 16.240 from dumper0: FAILED 00-00002 "[data write: Broken pipe]"
driver: send-cmd time 16.240 to chunker0: FAILED 00-00002
driver: state time 16.240 free kps: 5116 space: 456602272 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 16.240 if default: free 5116
driver: hdisk-state time 16.240 hdisk 0: free 198176768 dumpers 0 hdisk 1: free 258425504 dumpers 1
driver: result time 16.240 from chunker0: FAILED 00-00002 "[dumper returned FAILED]"
driver: state time 16.241 free kps: 8000 space: 456613888 taper: idle idle-dumpers: 4 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 16.241 if default: free 8000
driver: hdisk-state time 16.241 hdisk 0: free 198176768 dumpers 0 hdisk 1: free 258437120 dumpers 0
driver: QUITTING time 16.241 telling children to quit
driver: send-cmd time 16.241 to dumper0: QUIT
driver: send-cmd time 16.241 to dumper1: QUIT
driver: send-cmd time 16.241 to dumper2: QUIT
driver: send-cmd time 16.241 to dumper3: QUIT
driver: send-cmd time 16.241 to taper: QUIT
taper: DONE
driver: FINISHED time 17.244
amdump: end at Fri Jul 25 16:59:01 BST 2008

 

I did notice that an example dumptype in amanda.conf mentions "/usr/sbin/amgpgcrypt" as opposed to "/usr/sbin/amcrypt", but get the same results as above when using that one.

 

Am I maybe not using the correct version of aespipe?  The Amanda server is a simple clean install of RHEL5 U2.

 

Any advice?

 

Thanks.

Chad E. Kotil
Global Research NOC
Phone: 812 855-5288

