On 04.05.22 at 11:36, Exuvo wrote:
Yeah, the included ossl usage is using old key derivation. On my
installation I have replaced amcrypt-ossl usage with:
# cat /etc/amanda/encrypt
#!/bin/bash
AMANDA_HOME=~amanda
PASSPHRASE=$AMANDA_HOME/.am_passphrase # required
RANDFILE=$AMANDA_HOME/.rnd
export RANDFILE
# The passphrase file is opened on fd 3, so it never appears on the command line.
if [ "$1" = -d ]; then
    /usr/bin/openssl enc -pbkdf2 -d -aes-256-ctr -salt -pass fd:3 3< "${PASSPHRASE}"
else
    /usr/bin/openssl enc -pbkdf2 -e -aes-256-ctr -salt -pass fd:3 3< "${PASSPHRASE}"
fi
pbkdf2 to fix the deprecated key derivation, aes-256-ctr for better and
faster encryption (ctr can be parallelized). Also, padding is not needed
with this encryption method.
But this obviously can't open old backups, so keep this file separate from
amcrypt-ossl so you can still use the old one for old backups.

Sounds great, thanks! I am currently trying to adjust it to the Debian
environment (amanda user "backup", paths etc).
While I am at it, here is my file for better compression using zstd:
# cat /etc/amanda/zstd-compression3
#!/bin/bash
if [[ "$1" == "-d" ]]; then
    zstd -dqcf
else
    zstd -qc -3 -T0
fi

That might be a future improvement. I already have a dumptype doing
that, according to an earlier thread you started (?).
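
Added example (not part of the original messages, and not Amanda's own code): a self-test for the openssl settings quoted above, checking that a pbkdf2 round trip restores the data, that the legacy key derivation does not, and that the ciphertext carries no padding. It assumes OpenSSL 1.1.1 or later in PATH; the function names run_enc, make_sample, roundtrip and overhead are made up for the example.

```bash
#!/bin/bash
# Added example: self-test for the pbkdf2 / aes-256-ctr settings shown above.
# The passphrase and plaintext are constructed sample data in a temp directory.

# run_enc <-e|-d> <passfile> [extra openssl enc flags]; data on stdin/stdout.
run_enc() {
    local mode=$1 passfile=$2
    shift 2
    openssl enc "$@" "$mode" -aes-256-ctr -salt -pass fd:3 3< "$passfile" 2>/dev/null
}

# make_sample <dir>: passphrase file, plaintext whose length is not a
# multiple of the AES block size, and its pbkdf2 ciphertext.
make_sample() {
    printf 'constructed sample passphrase\n' > "$1/pass"
    head -c 100003 /dev/urandom > "$1/plain"
    run_enc -e "$1/pass" -pbkdf2 < "$1/plain" > "$1/cipher"
}

# roundtrip <new|legacy>: decrypt the pbkdf2 ciphertext with the matching
# (new) or the old (legacy) key derivation; print match or mismatch.
roundtrip() {
    local tmp kdf=()
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    [ "$1" = new ] && kdf=(-pbkdf2)
    run_enc -d "$tmp/pass" "${kdf[@]}" < "$tmp/cipher" > "$tmp/out"
    if cmp -s "$tmp/plain" "$tmp/out"; then echo match; else echo mismatch; fi
    rm -rf "$tmp"
}

# overhead: ciphertext size minus plaintext size, in bytes
# (the "Salted__" magic plus the 8-byte salt, and no padding).
overhead() {
    local tmp
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    echo $(( $(wc -c < "$tmp/cipher") - $(wc -c < "$tmp/plain") ))
    rm -rf "$tmp"
}

echo "new: $(roundtrip new)  legacy: $(roundtrip legacy)  overhead: $(overhead) bytes"
```

CTR mode has no padding for openssl to check, so the script detects a decrypt with the wrong key derivation by comparing content rather than trusting the exit status; a restore test of real backups should do the same.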