Client side encryption dumptype



c-vaughan
March 30th, 2006, 01:58 PM
Now that I've solved server side encryption with Amanda I'd like to get client side encryption working. The documentation that I've found only tells me how to do server side.

define dumptype encrypt-fast {
global
program "GNUTAR"
comment "dump with fast client compression and server symmetric encryption"
encrypt client
server_encrypt "/usr/sbin/amcrypt"
server_decrypt_option "-d"
}

I'm guessing that amcrypt, aespipe, amaespipe and a few other files should be on the client. Is there documentation that contains a client side encryption dump type?

Thanks again,

-Chris Vaughan

ktill
March 30th, 2006, 02:27 PM
define dumptype encrypt-nocomp {
global
program "GNUTAR"
comment "dump with fast client compression and client symmetric encryption"
compress none
encrypt client
client_encrypt "/usr/sbin/amcrypt"
client_decrypt_option "-d"
}

Consider the above dumptype.


> I'm guessing that amcrypt, aespipe, amaespipe and a few other files should be on the client.
Yes.

When doing a restore, you either
1) take the physical tape to the client machine and do the restore on the client machine, where it has the key (am_key.gpg) and passphrase (.am_passphrase).

or

2) take the key and passphrase to the server machine where the tape is located.

Hope this helps!

--Kevin Till
Zmanda

c-vaughan
April 3rd, 2006, 08:54 AM
Well, I thought this would be a breeze, but I'm having errors again. I did copy the keys from the server to the client.

Here is my amdump.1 output:

GETTING ESTIMATES...
planner: time 0.004: bind_portrange2: trying port=980
planner: time 0.004: dgram_bind: socket bound to 0.0.0.0.980
driver: tape size 46080000
driver: send-cmd time 0.004 to taper: START-TAPER 20060403
driver: adding holding disk 0 dir /var/tmp size 10485760 chunksize 1048576
reserving 10485760 out of 10485760 for degraded-mode dumps
taper: pid 3938 executable taper version 2.5.0
taper: page size is 4096
taper: buffer size is 32768
taper: buffer[00] at 0xb7e9f000
taper: buffer[01] at 0xb7ea7000
taper: buffer[02] at 0xb7eaf000
taper: buffer[03] at 0xb7eb7000
taper: buffer[04] at 0xb7ebf000
taper: buffer[05] at 0xb7ec7000
taper: buffer[06] at 0xb7ecf000
taper: buffer[07] at 0xb7ed7000
taper: buffer[08] at 0xb7edf000
taper: buffer[09] at 0xb7ee7000
taper: buffer[10] at 0xb7eef000
taper: buffer[11] at 0xb7ef7000
taper: buffer[12] at 0xb7eff000
taper: buffer[13] at 0xb7f07000
taper: buffer[14] at 0xb7f0f000
taper: buffer[15] at 0xb7f17000
taper: buffer[16] at 0xb7f1f000
taper: buffer[17] at 0xb7f27000
taper: buffer[18] at 0xb7f2f000
taper: buffer[19] at 0xb7f37000
taper: buffer structures at 0xb7f3f000 for 240 bytes
changer: opening pipe to: /usr/lib/amanda/chg-manual -info
dumper: pid 3939 executable dumper0 version 2.5.0
driver: started dumper0 pid 3939
driver: started dumper1 pid 3942
driver: started dumper2 pid 3943
driver: started dumper3 pid 3944
driver: start time 0.018 inparallel 4 bandwidth 2000 diskspace 10485760 dir OBSOLETE datestamp 20060403 driver: drain-ends tapeq FIRST big-dumpers ttt
dumper: pid 3942 executable dumper1 version 2.5.0
planner: time 0.029: got partial result for host manuel disk /boot: 0 -> -2K, -1 -> -2K, -1 -> -2K
dumper: pid 3943 executable dumper2 version 2.5.0
planner: time 0.038: got partial result for host manuel disk /boot: 0 -> 14470K, -1 -> -2K, -1 -> -2K
planner: time 0.038: got result for host manuel disk /boot: 0 -> 14470K, -1 -> -2K, -1 -> -2K
planner: time 0.039: getting estimates took 0.035 secs
FAILED QUEUE: empty
DONE QUEUE:
0: manuel /boot


ANALYZING ESTIMATES...
pondering manuel:/boot... next_level0 -13242 last_level -1 (due for level 0) (new disk, can't switch to degraded mode)
curr level 0 size 14470 total size 14590 total_lev0 14470 balanced-lev0size 2894
INITIAL SCHEDULE (size 14590):
manuel /boot pri 13243 lev 0 size 14470

DELAYING DUMPS IF NEEDED, total_size 14590, tape length 46080000 mark 8
delay: Total size now 14590.

PROMOTING DUMPS IF NEEDED, total_lev0 14470, balanced_size 2894...
planner: time 0.039: analysis took 0.000 secs

GENERATING SCHEDULE:
--------
DUMP manuel fffffeff9ffeffff07 /boot 20060403 13243 0 1970:1:1:0:0:0 14470 14
--------
dumper: pid 3944 executable dumper3 version 2.5.0
changer: got exit: 0 str: 1 99 1
changer_query: changer return was 99 1
changer_query: searchable = 0
changer_find: looking for NULL changer is searchable = 0
changer: opening pipe to: /usr/lib/amanda/chg-manual -slot current
changer: got exit: 0 str: 1 /dev/tape
taper: wrote label `unsensitive01' date `20060403'
driver: result time 10.834 from taper: TAPER-OK
driver: state time 10.835 free kps: 2000 space: 10485760 taper: idle idle-dumpers: 4 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: not-idle
driver: interface-state time 10.835 if : free 600 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 10.835 hdisk 0: free 10485760 dumpers 0
driver: flush size 0
driver: started chunker0 pid 3970
driver: send-cmd time 10.836 to chunker0: PORT-WRITE 00-00001 /var/tmp/20060403110004/manuel._boot.0 manuel fffffeff9ffeffff07 /boot 0 1970:1:1:0:0:0 1048576 GNUTAR 14560 |;auth=BSD;encrypt-cust=;client-decrypt-option=-d;
chunker: pid 3970 executable chunker0 version 2.5.0
chunker: try_socksize: receive buffer size is 65536
chunker: bind_portrange2: trying port=516
chunker: stream_server: waiting for connection: 0.0.0.0.32955
driver: result time 10.845 from chunker0: PORT 32955
driver: send-cmd time 10.845 to dumper0: PORT-DUMP 00-00001 32955 manuel fffffeff9ffeffff07 /boot NODEVICE 0 1970:1:1:0:0:0 GNUTAR |;auth=BSD;encrypt-cust=;client-decrypt-option=-d;
chunker: stream_accept: connection from 127.0.0.1.32956
chunker: try_socksize: receive buffer size is 32768
dumper: stream_client: connected to 127.0.0.1.32955
dumper: stream_client: our side is 0.0.0.0.32956
dumper: try_socksize: send buffer size is 65536
dumper: bind_portrange2: trying port=996
dumper: dgram_bind: socket bound to 0.0.0.0.996
dumper: stream_client: connected to 192.168.1.56.36016
dumper: stream_client: our side is 0.0.0.0.32957
dumper: try_socksize: send buffer size is 65536
dumper: try_socksize: receive buffer size is 65536
dumper: stream_client: connected to 192.168.1.56.59740
dumper: stream_client: our side is 0.0.0.0.32958
dumper: try_socksize: send buffer size is 65536
dumper: try_socksize: receive buffer size is 65536
driver: state time 10.863 free kps: 967 space: 10471200 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 10.863 if : free -433 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 10.863 hdisk 0: free 10471200 dumpers 1
driver: result time 10.864 from dumper0: FAILED 00-00001 [encrypt returned 1, /bin/tar returned 2]
driver: send-cmd time 10.864 to chunker0: FAILED 00-00001
driver: state time 10.864 free kps: 967 space: 10471200 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 10.864 if : free -433 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 10.864 hdisk 0: free 10471200 dumpers 1
driver: result time 10.864 from chunker0: FAILED 00-00001 [dumper returned FAILED]
driver: started chunker0 pid 3971
driver: send-cmd time 25.865 to chunker0: PORT-WRITE 00-00002 /var/tmp/20060403110004/manuel._boot.0 manuel fffffeff9ffeffff07 /boot 0 1970:1:1:0:0:0 1048576 GNUTAR 14560 |;auth=BSD;encrypt-cust=;client-decrypt-option=-d;
chunker: pid 3971 executable chunker0 version 2.5.0
chunker: try_socksize: receive buffer size is 65536
chunker: bind_portrange2: trying port=529
chunker: stream_server: waiting for connection: 0.0.0.0.32959
driver: result time 25.873 from chunker0: PORT 32959
driver: send-cmd time 25.873 to dumper0: PORT-DUMP 00-00002 32959 manuel fffffeff9ffeffff07 /boot NODEVICE 0 1970:1:1:0:0:0 GNUTAR |;auth=BSD;encrypt-cust=;client-decrypt-option=-d;
dumper: time 15.015: stream_client: connected to 127.0.0.1.32959
dumper: stream_client: our side is 0.0.0.0.32960
dumper: try_socksize: send buffer size is 65536
chunker: stream_accept: connection from 127.0.0.1.32960
chunker: try_socksize: receive buffer size is 32768
dumper: time 15.022: stream_client: connected to 192.168.1.56.36484
dumper: stream_client: our side is 0.0.0.0.32961
dumper: try_socksize: send buffer size is 65536
dumper: try_socksize: receive buffer size is 65536
dumper: time 15.023: stream_client: connected to 192.168.1.56.52374
dumper: stream_client: our side is 0.0.0.0.32962
dumper: try_socksize: send buffer size is 65536
dumper: try_socksize: receive buffer size is 65536
driver: state time 25.888 free kps: 967 space: 10471200 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 25.888 if : free -433 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 25.888 hdisk 0: free 10471200 dumpers 1
driver: result time 25.888 from dumper0: FAILED 00-00002 [encrypt returned 1, /bin/tar returned 2]
driver: send-cmd time 25.888 to chunker0: FAILED 00-00002
driver: state time 25.889 free kps: 967 space: 10471200 taper: idle idle-dumpers: 3 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 25.889 if : free -433 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 25.889 hdisk 0: free 10471200 dumpers 1
driver: result time 25.889 from chunker0: FAILED 00-00002 [dumper returned FAILED]
driver: state time 25.891 free kps: 2000 space: 10485760 taper: idle idle-dumpers: 4 qlen tapeq: 0 runq: 0 roomq: 0 wakeup: 0 driver-idle: no-dumpers
driver: interface-state time 25.891 if : free 600 if ETH0: free 400 if LOCAL: free 1000
driver: hdisk-state time 25.891 hdisk 0: free 10485760 dumpers 0
driver: QUITTING time 25.891 telling children to quit
driver: send-cmd time 25.891 to dumper0: QUIT
driver: send-cmd time 25.891 to dumper1: QUIT
driver: send-cmd time 25.891 to dumper2: QUIT
driver: send-cmd time 25.891 to dumper3: QUIT
driver: send-cmd time 25.891 to taper: QUIT
taper: DONE [idle wait: 15.057 secs]
taper: writing end marker. [unsensitive01 OK kb 0 fm 0]
driver: FINISHED time 32.145
amdump: end at Mon Apr 3 11:00:36 EDT 2006
Scanning /var/tmp...
rc_host_0: skipping cruft file, perhaps you should delete it.



ls -la /usr/sbin/amcrypt /usr/sbin/amaespipe /usr/bin/uuencode /usr/bin/aespipe
-rwxr-xr-x 1 root root 60756 2005-09-10 13:32 /usr/bin/aespipe
-rwxr-xr-x 1 root root 6696 2005-07-21 10:58 /usr/bin/uuencode
-rwxr-x--- 1 amanda disk 3105 2006-03-31 15:15 /usr/sbin/amaespipe
-rwxr-x--- 1 amanda disk 803 2006-03-31 15:15 /usr/sbin/amcrypt

From amcrypt:

prefix=/usr
exec_prefix=${prefix}
sbindir=${prefix}/sbin
AMANDA_HOME=/home/amanda

AM_AESPIPE=${prefix}/sbin/amaespipe
AM_PASSPHRASE=$AMANDA_HOME/.am_passphrase
PATH=/usr/bin:/usr/local/bin:/sbin:/usr/sbin
export PATH


Thanks for the help.

ktill
April 3rd, 2006, 09:33 AM
1) check the dumptype definition, make sure the following is there
client_encrypt "/usr/sbin/amcrypt"

2) have you copied the passphrase over too?

3) I'll add some code to catch dumptype misconfiguration in the next update.

Thanks!

Kevin Till
Zmanda
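
The check from step 1 of the reply above, written out as an added example (not Amanda's code and not from anyone in the thread): a small linter that reads `define dumptype` blocks and reports any that set `encrypt client` or `encrypt server` without the matching `client_encrypt` / `server_encrypt` program. The function names and the sample text are constructed for illustration, and the linter assumes each dumptype is self-contained; it does not resolve settings inherited from other dumptypes.

```python
import re

# Constructed sample: the dumptype from the first post (encrypt client with
# only server_* settings) followed by the one given in the reply.
SAMPLE = '''
define dumptype encrypt-fast {
global
program "GNUTAR"
encrypt client
server_encrypt "/usr/sbin/amcrypt"
server_decrypt_option "-d"
}
define dumptype encrypt-nocomp {
global
program "GNUTAR"
compress none
encrypt client
client_encrypt "/usr/sbin/amcrypt"
client_decrypt_option "-d"
}
'''

BLOCK = re.compile(r'define\s+dumptype\s+(\S+)\s*\{(.*?)\}', re.S)

def parse_dumptypes(text):
    """Return {name: {keyword: value}} for each 'define dumptype' block."""
    result = {}
    for name, body in BLOCK.findall(text):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            key, _, value = line.partition(' ')
            opts[key.lower()] = value.strip().strip('"')
        result[name] = opts
    return result

def lint_encryption(text):
    """Flag dumptypes whose 'encrypt' side has no matching *_encrypt program."""
    problems = []
    for name, opts in parse_dumptypes(text).items():
        side = opts.get('encrypt', 'none').lower()
        if side in ('client', 'server') and not opts.get(side + '_encrypt'):
            problems.append(f'{name}: encrypt {side} but no {side}_encrypt program')
    return problems

if __name__ == '__main__':
    for problem in lint_encryption(SAMPLE):
        print(problem)
```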