Hi,
On topic of low entropy: if you're not already familiar with it, please
take a look at https://github.com/jirka-h/haveged especially for
headless systems.
Cheers,
Kees
On 04-05-2022 16:46, Exuvo wrote:
Ah yes my RANDFILE was probably already created long ago when i
initially set up encryption.
From what i have read the random file is not really on most systems as
it is only there to help with low entropy systems (ie server that does
nothing most of the time).
Each time openssl runs it uses that file (if specified) for random
seeds and at command end it replaces the file with 256 new bytes of
randomness for the next invocation.
It is not needed for decryption.
From the man page the digest is only used to create the real
encryption key from the text key you supply. It should not affect
speed at all.
The default digest is sha-256, sha-512 just has more bits. The only
thing you would gain is more protection against brute force attacks i
think.
Anton "exuvo" Olsson
ex...@exuvo.se
On 2022-05-04 13:02, Stefan G. Weichinger wrote:
Am 04.05.22 um 12:46 schrieb Stefan G. Weichinger:
Am 04.05.22 um 11:36 schrieb Exuvo:
Yeah the included ossl usage is using old key derivation. On my
installation i have replaced amcrypt-ossl usage with:
# cat /etc/amanda/encrypt
#!/bin/bash
AMANDA_HOME=~amanda
PASSPHRASE=$AMANDA_HOME/.am_passphrase # required
RANDFILE=$AMANDA_HOME/.rnd
export RANDFILE
at first things were failing, the "not found" was misleading me, as I
assumed the wrapper file was missing (I decided to create
"/usr/sbin/exuvo_crypt" ;-) ).
Turns out that the RANDFILE was missing, created one by:
backup:~$ dd if=/dev/urandom of=.rnd bs=256 count=1
I assume I should store/backup that one alongside the encryption
passphrase somewhere? Is it needed for decryption?
First dump looks good now, on to some restore tests.
btw: I also read of "-md sha512" to speed up ... obsolete when using
"-aes-256-ctr" maybe?
If I change encryption now it would be the time to get it right.
thanks so far!
