February 29th, 2016, 04:07 AM
Implement separate encryption keys on a per-host basis
Amanda does a nice job encrypting backups and most users probably configure multiple hosts to be backed up with it. However, this means that all hosts share the same encryption key, and that key can't be changed when one of the hosts is decommissioned and no longer backed up. You therefore have to leave decryptable data from a decommissioned server in your tape scheme (which could extend for a year or more if you have a monthly archive backup scheme) until it eventually gets overwritten once a tape cycle completes.
What I'd like to see is Amanda support the ability to have a separate encryption key per host. This would probably mean providing a conf option like "amcrypt_key_per_host" (set to no by default, so continues to use $AMANDA_HOME/.am_passphrase as usual). If that new option is set to yes, then an environmental variable (e.g. AMCRYPT_HOSTNAME) could be set before calling any encryption/decryption script such as /usr/sbin/amcrypt-ossl. The script would then check for that variable and if it's set, then read the key from, say, $AMANDA_HOME/.am_passphrases/$AMCRYPT_HOSTNAME instead.
This change would mean that all you have to do with a decommissioned server (other than securely wipe its disks, of course) is 1) take it out of the disklist config for future backups and 2) delete all copies of that server's individual key. That server's data in your tape cycle instantly becomes undecryptable and you can be certain sensitive data on the tapes can't be read back by anyone (plus no tape wiping is required, which is nice).
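To make the key-selection step concrete, here is an added POSIX shell sketch of the lookup a wrapper around amcrypt-ossl would need. It is not Amanda's code and the option name AMCRYPT_KEY_PER_HOST, the variable AMCRYPT_HOSTNAME and the directory $AMANDA_HOME/.am_passphrases/ are the assumptions from the request above, not existing Amanda configuration. Two defensive details the proposal implies but does not spell out are built in: in per-host mode a missing hostname or missing key file fails closed rather than silently falling back to the shared key (otherwise a misconfigured host would be written with the key you can never retire), and the hostname is validated so that the variable can only ever name a file inside the key directory.

```sh
#!/bin/sh
# Added example (not Amanda's own code): choose the passphrase file for a
# per-host encryption scheme. Assumed names: AMCRYPT_KEY_PER_HOST (yes/no),
# AMCRYPT_HOSTNAME, and keys stored under $AMANDA_HOME/.am_passphrases/.

AMANDA_HOME="${AMANDA_HOME:-/var/lib/amanda}"

# amcrypt_key_file <yes|no> <hostname>
# Prints the path of the passphrase file to use, or returns non-zero.
amcrypt_key_file() {
    per_host="$1"
    host="$2"
    if [ "$per_host" != "yes" ]; then
        # Option off: behave as today and use the single shared passphrase.
        printf '%s\n' "$AMANDA_HOME/.am_passphrase"
        return 0
    fi
    # Fail closed: per-host mode without a hostname must never fall back
    # to the shared key, or the shared key ends up protecting that host.
    if [ -z "$host" ]; then
        echo "amcrypt: AMCRYPT_HOSTNAME is not set" >&2
        return 1
    fi
    # Only plain hostname characters, and no leading dot, so the value
    # cannot resolve to '..', a hidden file or a path outside the directory.
    case "$host" in
        *[!A-Za-z0-9._-]*|.*)
            echo "amcrypt: refusing unsafe hostname '$host'" >&2
            return 1 ;;
    esac
    keyfile="$AMANDA_HOME/.am_passphrases/$host"
    if [ ! -f "$keyfile" ]; then
        # A deleted key is the intended end state for a decommissioned host;
        # any attempt to encrypt or decrypt with it must fail here.
        echo "amcrypt: no passphrase file for host '$host'" >&2
        return 1
    fi
    printf '%s\n' "$keyfile"
}

# amcrypt_run <enc|dec>
# Wrapper entry point: reads the env and passes the selected file to openssl
# on stdin/stdout, mirroring how an amcrypt-style script is invoked.
amcrypt_run() {
    mode="$1"
    keyfile=$(amcrypt_key_file "${AMCRYPT_KEY_PER_HOST:-no}" "${AMCRYPT_HOSTNAME:-}") || exit 1
    case "$mode" in
        enc) exec openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" ;;
        dec) exec openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" ;;
        *)   echo "usage: amcrypt_run enc|dec" >&2; exit 2 ;;
    esac
}
```

Removing $AMANDA_HOME/.am_passphrases/<host> is then the only step needed to make that host's existing dumps unreadable through this path, and the same removal makes any later accidental backup of that host fail loudly instead of being silently written under the shared key.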