Ah yes my RANDFILE was probably already created long ago when i initially set
up encryption.
From what i have read the random file is not really on most systems as it is
only there to help with low entropy systems (ie server that does nothing most
of the time).
Each time openssl runs it uses that file (if specified) for random seeds and at
command end it replaces the file with 256 new bytes of randomness for the next
invocation.
It is not needed for decryption.
From the man page the digest is only used to create the real encryption key
from the text key you supply. It should not affect speed at all.
The default digest is sha-256, sha-512 just has more bits. The only thing you
would gain is more protection against brute force attacks i think.
Anton "exuvo" Olsson
[email protected]
On 2022-05-04 13:02, Stefan G. Weichinger wrote:
Am 04.05.22 um 12:46 schrieb Stefan G. Weichinger:
Am 04.05.22 um 11:36 schrieb Exuvo:
Yeah the included ossl usage is using old key derivation. On my installation i
have replaced amcrypt-ossl usage with:
# cat /etc/amanda/encrypt
#!/bin/bash
AMANDA_HOME=~amanda
PASSPHRASE=$AMANDA_HOME/.am_passphrase # required
RANDFILE=$AMANDA_HOME/.rnd
export RANDFILE
at first things were failing, the "not found" was misleading me, as I assumed the wrapper
file was missing (I decided to create "/usr/sbin/exuvo_crypt" ;-) ).
Turns out that the RANDFILE was missing, created one by:
backup:~$ dd if=/dev/urandom of=.rnd bs=256 count=1
I assume I should store/backup that one alongside the encryption passphrase
somewhere? Is it needed for decryption?
First dump looks good now, on to some restore tests.
btw: I also read of "-md sha512" to speed up ... obsolete when using
"-aes-256-ctr" maybe?
If I change encryption now it would be the time to get it right.
thanks so far!
