Gary Holzer wrote:
>I am about to install a test rsyncrypto best, the only thing I am not
>sure of is how to create a single AES key (certificate)? Any pointers
>would be much appreciated.
AES keys (a.k.a. symmetric keys) are generated automatically by
rsyncrypto per encrypted file. This is what is stored in the "key" file
name you specify as the third parameter. What you are likely asking
about is generating the PKCS X509 certificate, which is an RSA key
(asymmetric key), which is the fourth parameter.
The rsyncrypto manual points you to the req(1) and x509(1) manual pages
of openssl. Off the top of my head, the command line to generate would
probably be something like:
openssl req -new -nodes -x509 -out backup.crt -keyout backup.key
The *.crt file is the certificate (public key) file. rsyncrypto ignores
just about all fields of the resulting certificate except the actual
key. This file is not secret. This file can be used for backup
(encryption), as well as restore (decryption) assuming you have not lost
the symmetric key files mentioned above (hot restore).
If the symmetric keys were lost, you will need the *.key RSA key
(private key), which must therefore be kept totally safe and secret, or
the entire encryption is worthless.
Repeating for brevity's sake:
- Each file is encrypted using AES. Each file gets its own key (called
the symmetric key). This is stored in a file given as the third
parameter to rsyncrypto, and should not be backed up. Each file should
be 68 bytes long. This file can be used, along with the public key, to
perform a restore (assuming you still have it).
- This file is also encrypted inside the encrypted file that should be
backed up. It is encrypted using the asymmetric key, or the RSA key.
This key should be specifically generated by you, using the command line
- The *.key file is the secret part of the key, and should be kept,
well, secret. It is only ever needed by rsyncrypto if you need to
perform a restore after the key files were lost.
- The *.crt file is the public key. It is the key rsyncrypto should
usually be given as its fourth parameter, for both encryption and
decryption with the key file present.
I hope this makes things a little clearer.
Lingnu Open Source Consulting ltd.
Have you backed up today's work? http://www.lingnu.com/backup.html
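As an added example (not part of the original reply or of rsyncrypto itself), a small POSIX shell script that runs the openssl command line from the reply in a scratch directory, restricts the private *.key file, and confirms the *.crt certificate actually carries the public half of that key. The -subj value, the -days lifetime and the directory name are assumptions added so it runs without prompts; openssl must be installed.

```shell
#!/bin/sh
# Generate the RSA certificate/key pair that rsyncrypto takes as its
# fourth parameter, then sanity-check the pair. Assumes openssl is on PATH.
set -eu

gen_rsyncrypto_keys() {
    dir="$1"
    mkdir -p "$dir"
    # The reply's command, plus -subj (no interactive prompts) and -days
    # (explicit certificate lifetime); both values are placeholders.
    openssl req -new -nodes -x509 \
        -subj "/CN=rsyncrypto backup key" -days 3650 \
        -out "$dir/backup.crt" -keyout "$dir/backup.key" 2>/dev/null
    # backup.key alone recovers every file if the per-file key files are
    # lost, so it must be owner-readable only.
    chmod 600 "$dir/backup.key"
    # backup.crt is public; rsyncrypto ignores everything but the key in it.
    chmod 644 "$dir/backup.crt"
}

# Succeeds only if the public key inside backup.crt matches backup.key,
# i.e. the certificate handed to rsyncrypto and the private key kept back
# for a restore really belong together.
check_keypair() {
    dir="$1"
    from_crt=$(openssl x509 -in "$dir/backup.crt" -noout -pubkey)
    from_key=$(openssl pkey -in "$dir/backup.key" -pubout)
    [ "$from_crt" = "$from_key" ]
}

# Prints the permission bits of backup.key (GNU stat first, BSD stat fallback).
key_mode() {
    stat -c %a "$1/backup.key" 2>/dev/null || stat -f %Lp "$1/backup.key"
}
```

Run it as `gen_rsyncrypto_keys ./keys && check_keypair ./keys` and hand `./keys/backup.crt` to rsyncrypto; only `backup.key` needs to be kept secret.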