Yeah, the included ossl usage is using old key derivation. On my installation I
have replaced amcrypt-ossl usage with:
# cat /etc/amanda/encrypt
#!/bin/bash
AMANDA_HOME=~amanda
PASSPHRASE=$AMANDA_HOME/.am_passphrase # required
RANDFILE=$AMANDA_HOME/.rnd
export RANDFILE
# The passphrase is read from fd 3 so it never appears on the command line.
if [ "$1" = -d ]; then
    /usr/bin/openssl enc -pbkdf2 -d -aes-256-ctr -salt -pass fd:3 3< "${PASSPHRASE}"
else
    /usr/bin/openssl enc -pbkdf2 -e -aes-256-ctr -salt -pass fd:3 3< "${PASSPHRASE}"
fi
pbkdf2 to fix the deprecated key derivation, aes-256-ctr for better and faster
encryption (ctr can be parallelized). Also, padding is not needed with this
encryption method.
But this obviously can't open old backups, so keep this file separate from
amcrypt-ossl so you can still use the old one for old backups.
While I am at it, here is my file for better compression using zstd:
# cat /etc/amanda/zstd-compression3
#!/bin/bash
if [[ "$1" == "-d" ]]; then
    zstd -dqcf
else
    zstd -qc -3 -T0
fi
Anton "exuvo" Olsson
On 2022-05-04 08:28, Stefan G. Weichinger wrote:
On 17.12.21 at 04:35, Stefan G. Weichinger wrote:
That's an old one, but as far as I see, not fixed yet:
I get problems with DLEs using amcrypt-ossl.
The message in amstatus contains "deprecated key derivation used".
This seems to point to something like this issue:
https://unix.stackexchange.com/questions/507131/openssl-1-1-1b-warning-using-iter-or-pbkdf2-would-be-better-while-decrypting
Ah, and we have a zmanda/amanda issue for more than two years here also:
https://github.com/zmanda/amanda/issues/112
Still hitting this issue.
Patched a server today, but I get FAILED:
"[missing size line from sendbackup]"
Anyone having seen that?
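
Added example, not part of the original messages: a round-trip check for a wrapper like the /etc/amanda/encrypt script in the reply above, assuming openssl 1.1.1 or later is on PATH. The function names, temporary files and passphrase are constructed for the example.

```shell
#!/bin/bash
# Round-trip check for the pbkdf2 / aes-256-ctr invocation used in the wrapper.
# Everything here is constructed test data in a temporary directory.

# Same openssl command line as the wrapper: $1 is -e or -d, $2 the passphrase file.
am_crypt() {
    openssl enc -pbkdf2 "$1" -aes-256-ctr -salt -pass fd:3 3< "$2"
}

roundtrip_check() {
    local dir rc=0
    dir=$(mktemp -d) || return 1
    printf 'constructed-test-passphrase\n' > "$dir/pass"
    # 100001 bytes: deliberately not a multiple of the 16-byte AES block size.
    head -c 100001 /dev/urandom > "$dir/plain"

    am_crypt -e "$dir/pass" < "$dir/plain" > "$dir/enc" || rc=1
    am_crypt -d "$dir/pass" < "$dir/enc"   > "$dir/dec" || rc=1

    # 1. Decrypting what was encrypted must give back the input.
    cmp -s "$dir/plain" "$dir/dec" || rc=1

    # 2. The output starts with openssl's "Salted__" magic, followed by the salt.
    [ "$(head -c 8 "$dir/enc")" = "Salted__" ] || rc=1

    # 3. CTR adds no padding: size is the input plus 8 bytes magic and 8 bytes salt.
    [ "$(wc -c < "$dir/enc")" -eq $((100001 + 16)) ] || rc=1

    # 4. The legacy derivation (no -pbkdf2) must not recover the data. With CTR
    #    there is no padding check that could fail, so compare the content
    #    instead of trusting the exit status.
    openssl enc -d -aes-256-ctr -salt -pass fd:3 3< "$dir/pass" \
        < "$dir/enc" > "$dir/legacy" 2>/dev/null || true
    if cmp -s "$dir/plain" "$dir/legacy"; then rc=1; fi

    rm -rf "$dir"
    return $rc
}

if roundtrip_check; then
    echo "round trip OK"
else
    echo "round trip FAILED"
fi
```

The same comparison-based check applies when restoring: because a mismatch between the old and new wrapper is not reported as a decrypt error in CTR mode, verify a restored file against a known checksum.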