There is support for kerberos, which does two things authenticates the request from the server to the client encrypts the backup stream
The first step is actually quite important. Without it, someone else can run a backup and get your bits sent to them, even if they are protected from eavesdropping while being sent to the attacker. Kerberos support is currently not in good shape. You have to get the krb bits separately (separate CVS module), and they aren't tagged consistently with releases. I have tried to compile them recently, and had trouble. As others have said, using Kerberos requires, in addition to getting amanda+krb to build correctly, having a Kerberos server and the clue to administer the realm. Using IPsec seems like a good method, since it can provide authentication as well. [The following assumes famililiarity with RFC2401 and discusses BSD systems.] While others have mentioned VPN, one can instead transport mode ESP. The trick is getting Security Policy Database (SPD) entries to match the amanda traffic. Since ports change for the backup stream, it might be best to set per-socket policy in the amanda programs using setsockopt(IP_IPSEC_POLICY). This approach is likely workable on Solaris. Last I checked, the FreeSWAN IPsec implementation for Linux did not support an SPD as requires by RFC2401, and in particular using ports as selectors did not work. One can also just use tunnel-mode ESP for all traffic to the particular remote host. Gregory Troxel <[EMAIL PROTECTED]>