Duplicacy with RSA Encryption

Starting from version 2.3.0, you can initialize a storage with an RSA public key. Backups can be created as usual, but to restore files you'll need to provide the corresponding private key.

Initialization

To initialize a new encrypted storage with the RSA encryption enabled, run the following command:

$ duplicacy init -e -key public.pem repository_id storage_url

The RSA encryption can only be enabled if the storage is encrypted (by the -e option). The RSA public key, along with other configuration parameters, will be stored in the file named config, which is then uploaded to the storage. Because only the public key lives in the config file, any host that knows the storage password can create backups, but none of them can read file contents back without the private key.

You can verify if the RSA encryption is turned on by running the info command on the storage.

Backup

No extra option is needed when you run the backup command. You'll see a log message that says RSA encryption is enabled.

Note that when the RSA encryption is enabled, only file contents are encrypted by the RSA encryption. File metadata, such as modification times, permissions, and extended attributes, are not protected by the RSA encryption (but are still protected by the storage password). Treat file names and directory structure as readable by anyone who holds the storage password.

Restore

To restore you'll need the RSA private key:

$ duplicacy restore -r 1 -key private.pem

Other commands that take the RSA private key are list, check, cat, diff, and copy. For the check command, you'll only need the RSA private key with the -files option, which is used to verify the integrity of every file; without -files, check does not decrypt file chunks. You can run the check and prune commands without the RSA private key to manage backups encrypted with the RSA public key.

Copy

If you want to switch to the RSA encryption for an existing storage, you can create a new encrypted storage with the RSA encryption enabled and then copy existing backups to the new storage:

duplicacy add -e -key public.pem -copy default new_storage_name repository_id new_storage_url
duplicacy copy -from default -to new_storage_name

Vice versa, you can copy from an RSA encrypted storage to a new storage without RSA encryption:

duplicacy add -e -copy default new_storage_name repository_id new_storage_url
duplicacy copy -key private.pem -from default -to new_storage_name

Key generation

You can run these commands to generate the private and public key pair:

openssl genrsa -aes256 -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

The -aes256 option encrypts private.pem under a passphrase, so a copy of the file alone is not enough to restore. Keep the private key (and its passphrase) off the backup host if the goal is to protect backups from an attacker who compromises that host; only public.pem is needed there.

Implementation details

The RSA encryption is performed on the chunk level. Previously, an encrypted chunk always started with the header duplicacy\000, followed by the nonce and the encrypted chunk content:

duplicacy\000 | nonce | encrypted chunk content

Note that the key used to encrypt the chunk content isn't stored here. Rather, that key is derived from the hash of the chunk content.

Chunks with the RSA encryption enabled will start with a new header, duplicacy\002. The key to encrypt the chunk content is no longer derived from the hash of the chunk content. Instead, the key is randomly generated (unique to each chunk), then encrypted by the RSA public key and stored after the chunk header:

duplicacy\002 | RSA encrypted key | nonce | encrypted chunk content

To decrypt such a chunk, Duplicacy will first recover the key from the RSA encrypted key (which requires the RSA private key), and then use that key to decrypt the chunk content. RSA encryption only applies to file chunks, not metadata chunks.
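The chunk layout above is a standard hybrid envelope: a random per-chunk content key, wrapped with the RSA public key and stored in front of the nonce and ciphertext. The following Go program is an added illustration of that layout, written for this page; it is not Duplicacy's own code, and the concrete primitives (AES-256-GCM for the content, RSA-OAEP with SHA-256 for the key wrap, a 32-byte chunk key, and the header string used as OAEP label and GCM associated data) are this example's assumptions, not a statement of what Duplicacy uses internally. It also shows why a legacy duplicacy\000 chunk cannot be handled the same way: there is no wrapped key to recover.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Chunk headers as described on the page.
var (
	HeaderLegacy = []byte("duplicacy\x00") // key derived from content hash, nothing wrapped
	HeaderRSA    = []byte("duplicacy\x02") // random key, RSA-wrapped, stored after header
)

// Assumption for this example: a 256-bit per-chunk content key.
const chunkKeySize = 32

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptChunk produces: duplicacy\002 | RSA encrypted key | nonce | encrypted chunk content.
// The chunk key is fresh randomness, not a hash of the content, so two identical
// chunks get different keys and different ciphertexts.
func EncryptChunk(pub *rsa.PublicKey, content []byte) ([]byte, error) {
	key := make([]byte, chunkKeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// Wrap the chunk key with the public key (example choice: OAEP/SHA-256).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, HeaderRSA)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, content, HeaderRSA)

	var out bytes.Buffer
	out.Write(HeaderRSA)
	out.Write(wrapped) // OAEP output is exactly pub.Size() bytes, so no length prefix is needed
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// DecryptChunk mirrors the page's description: unwrap the chunk key with the
// private key first, then decrypt the content with that key.
func DecryptChunk(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if bytes.HasPrefix(blob, HeaderLegacy) {
		return nil, errors.New("legacy duplicacy\\000 chunk: no wrapped key, RSA private key does not apply")
	}
	if !bytes.HasPrefix(blob, HeaderRSA) {
		return nil, errors.New("unknown chunk header")
	}
	rest := blob[len(HeaderRSA):]
	wrappedLen := priv.Size()
	if len(rest) < wrappedLen {
		return nil, errors.New("chunk too short for wrapped key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rest[:wrappedLen], HeaderRSA)
	if err != nil {
		return nil, fmt.Errorf("unwrap chunk key: %w", err)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(rest) < wrappedLen+aead.NonceSize() {
		return nil, errors.New("chunk too short for nonce")
	}
	nonce := rest[wrappedLen : wrappedLen+aead.NonceSize()]
	return aead.Open(nil, nonce, rest[wrappedLen+aead.NonceSize():], HeaderRSA)
}

// Demo encrypts a constructed chunk, decrypts it with the right key, and checks
// that a different private key is refused. Returns the recovered plaintext and
// whether the wrong key was rejected.
func Demo(content []byte) ([]byte, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	blob, err := EncryptChunk(&priv.PublicKey, content)
	if err != nil {
		return nil, false, err
	}
	plain, err := DecryptChunk(priv, blob)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := DecryptChunk(other, blob)
	return plain, wrongErr != nil, nil
}

func main() {
	plain, rejected, err := Demo([]byte("constructed file chunk contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; wrong private key rejected: %v\n", plain, rejected)
}
```

The point to take from the layout is operational: the backup host only ever needs the public key to build the envelope, and a restore host needs the private key before it can even obtain the chunk key, so loss of private.pem (or its passphrase) means the file chunks are unrecoverable, while metadata chunks, which carry only the duplicacy\000 layout, remain readable with the storage password alone.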