Results 1 to 2 of 2

Thread: amrecover & amgpgcrypt

  1. #1

    Default amrecover & amgpgcrypt

    Hi all,

    Sorry this is quite long but I've tried to put in some detailed info.

    I am trying to setup my amanda server to do encrypted backups of a partition.
    I'm using 2.6.1p1 and the systems are Debian Etch (server) and Debian Lenny (client).
    This is my dumptype:

    define dumptype gpg-encrypt {
       program "GNUTAR"
       comment "dump with client-side asymmetric encryption"
       compress client fast
       encrypt client
       client_encrypt "/usr/sbin/amgpgcrypt"
       client_decrypt_option "-d"
    Obviously I've setup the GPG public/private keys for the amandabackup user. What I need is a backup which can be restored ONLY from the client itself, or by whom has access to the private key/passphrase. In other words, the administrator (root) of the amanda server host must NOT be able to read dumped data.

    All seems to work fine until I do the dump, but when I try to do an amrecover from the client machine, it gives an error when I extract files. This is an example session:

    root@testhost:~/test-recover-backup# amrecover fullcrypt
    AMRECOVER Version 2.6.1p1. Contacting server on ...
    220 whale AMANDA index server (2.6.1p1) ready.
    Setting restore date to today (2009-09-10)
    200 Working date set to 2009-09-10.
    200 Config set to fullcrypt.
    501 Host testhost is not in your disklist.
    Trying host ...
    200 Dump host set to
    Use the setdisk command to choose dump disk to recover
    amrecover> setdisk /root
    200 Disk set to /root.
    amrecover> ls
    2009-09-10-00-51-17 test-recover-backup/
    2009-09-10-00-51-17 sent
    2009-09-10-00-51-17 gnarwl_3.3-8.5_i386.deb
    2009-09-10-00-51-17 gnarwl.cfg
    2009-09-10-00-51-17 gnarwl-3.6/
    2009-09-10-00-51-17 gnarwl-3.6.tgz
    amrecover> add gnarwl.cfg
    Added file /gnarwl.cfg
    amrecover> extract
    Extracting files using tape drive @DEFAULT_TAPE_DEVICE@ on host
    The following tapes are needed: fullcrypt-05
    Restoring files into directory /root/test-recover-backup
    Continue [?/Y/n]? 
    Extracting files using tape drive @DEFAULT_TAPE_DEVICE@ on host
    Load tape fullcrypt-05 now
    Continue [?/Y/n/s/d]? 
    tar: This does not look like a tar archive
    tar: ./gnarwl.cfg: Not found in archive
    tar: Error exit delayed from previous errors
    Extractor child exited with status 2
    amrecover> quit
    200 Good bye.
    And here's an extract from the amrecover log :
    1252572925.644334: amrecover: Requesting tape fullcrypt-05 from user
    1252572926.004167: amrecover: User prompt: 'Continue [?/Y/n/s/d]? '; response: ''
    1252572926.004213: amrecover: security_getdriver(name=bsdtcp) returns 0xb7eba260
    1252572926.004239: amrecover: security_handleinit(handle=0x92b6348, driver=0xb7eba260 (BSDTCP))
    1252572926.006888: amrecover: security_streaminit(stream=0x92ba1a0, driver=0xb7eba260 (BSDTCP))
    1252572926.039884: amrecover: security_streaminit(stream=0x92c21d8, driver=0xb7eba260 (BSDTCP))
    1252572926.039906: amrecover: amidxtaped_streams[0].fd = 0x92c21d8
    1252572926.039924: amrecover: security_streaminit(stream=0x92ca210, driver=0xb7eba260 (BSDTCP))
    1252572926.039938: amrecover: amidxtaped_streams[1].fd = 0x92ca210
    1252572926.039951: amrecover: security_close(handle=0x92b6348, driver=0xb7eba260 (BSDTCP))
    1252572926.039965: amrecover: security_stream_close(0x92ba1a0)
    1252572930.337882: amrecover: Exec'ing /bin/tar with arguments:
    1252572930.337950: amrecover: 	tar
    1252572930.337965: amrecover: 	--numeric-owner
    1252572930.337976: amrecover: 	-xpGvf
    1252572930.337987: amrecover: 	-
    1252572930.337998: amrecover: 	./gnarwl.cfg
    1252572930.408289: amrecover: security_stream_seterr(0x92ca210, EOF)
    1252572930.408329: amrecover: security_stream_close(0x92ca210)
    1252572930.412733: amrecover: security_stream_seterr(0x92c21d8, EOF)
    1252572930.413253: amrecover: security_stream_close(0x92c21d8)
    1252572936.158367: amrecover: user command: 'quit'
    It seems that amrecover does not even try to decrypt the data. This is supported by the fact that if I move the ~/.gnupg and ~/.am_passphrase files it does not complain anything (which it does when doing the dump). Moreover, I've tried to extract manually the data from the tape using dd , amgpgcrypt -d'ed and untarred and it worked fine - so I do know that data is indeed encrypted with the correct key.

    Is that behavior normal? Do I have to manually restore amgpgcrypted data directly from tapes?

    Thank you in advance.

  2. #2


    I've encountered this same issue. My work around is to extract the file with amfetchdump which automatically decrypts it. At that point you can use tar on the resulting archive to restore the requested files. It's not ideal, but it does work.

    I noticed that the project page is requesting assistance for the encryption parts. Sadly I'm not qualified for taking on such a project to say nothing of already being overcommitted. If you know of someone that might have the knowledge to tackle such a project, send them to [url][/url] and maybe this issue will be resolved.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts