RSCRYUTIL(1)                                                      RSCRYUTIL(1)

NAME
       rscryutil - Manage Encrypted Log Files

SYNOPSIS
       rscryutil [OPTIONS] [FILE] ...

DESCRIPTION
       This tool performs various operations on encrypted log files. Most
       importantly, it provides the ability to decrypt them.

OPTIONS
       -d, --decrypt
              Select decryption mode. This is the default mode.

       -W, --write-keyfile <file>
              Utility function to write a key to a keyfile. The key can be
              obtained via any method.

       -v, --verbose
              Select verbose mode.

       -f, --force
              Forces operations that otherwise would fail.

       -k, --keyfile <file>
              Reads the key from <file>. File _must_ contain the key, only, no
              headers or other meta information. Keyfiles can be generated via
              the --write-keyfile option.

       -p, --key-program <path-to-program>
              In this mode, the key is provided by a so-called "key program".
              This program is executed and must return the key (as well as
              some meta information) via stdout. The core idea of key programs
              is that, using this interface, the user can implement as complex
              (and secure) a method to obtain keys as desired, all without the
              need to make modifications to rsyslog.

       -K, --key <KEY>
              TESTING AID, NOT FOR PRODUCTION USE. This uses the KEY specified
              on the command line. This is the actual key, and as such this
              mode is highly insecure. However, it can be useful for initial
              testing steps. This option may be removed in the future.

       -a, --algo <algo>
              Sets the encryption algorithm (cipher) to be used. See below
              for supported algorithms. The default is "AES128".

       -m, --mode <mode>
              Sets the cipher mode to be used. See below for supported modes.
              The default is "CBC".

       -r, --generate-random-key <bytes>
              Generates a random key of length <bytes>. This option is meant
              to be used together with --write-keyfile (and it is hard to
              envision any other valid use for it).

OPERATION MODES
       The operation mode specifies what exactly the tool does with the
       provided files. The default operation mode is "dump", but this may
       change in the future. Thus, it is recommended to always set the
       operation mode explicitly. If multiple operation modes are set on the
       command line, results are unpredictable.

       decrypt
              The provided log files are decrypted. Note that the .encinfo
              side files must exist and be accessible in order for decryption
              to work.

       write-keyfile
              In this mode no log files are processed; thus it is an error to
              specify any on the command line. The specified keyfile is
              written. The key itself is obtained via the usual key commands.
              If --keyfile is used, that file is effectively copied.

              For security reasons, existing key files are _not_ overwritten.
              To permit this, specify the --force option. When doing so, keep
              in mind that lost keys cannot be recovered and data encrypted
              with them may also be considered lost.

              Keyfiles are always created with 0400 permission, that is read
              access for only the user. An exception is when an existing file
              is overwritten via the --force option, in which case the former
              permissions still apply.

EXIT CODES
       The command returns an exit code of 0 if everything went fine, and
       some other code in case of failures.

SUPPORTED ALGORITHMS
       We basically support what libgcrypt supports. This is:
       3DES CAST5 BLOWFISH AES128 AES192 AES256 TWOFISH TWOFISH128 ARCFOUR
       DES SERPENT128 SERPENT192 SERPENT256 RFC2268_40 SEED CAMELLIA128
       CAMELLIA192 CAMELLIA256

SUPPORTED CIPHER MODES
       We basically support what libgcrypt supports. This is:
       ECB CFB CBC STREAM OFB CTR AESWRAP

EXAMPLES
       rscryutil logfile

       Decrypts "logfile" and sends data to stdout.

       rscryutil --generate-random-key 16 --keyfile /some/secured/path/keyfile

       Generates a random key and stores it in the specified keyfile.

SIGNING
       Encrypted log files can be used together with signing. To verify such
       a file, it must be decrypted first, and the verification tool
       rsgtutil(1) must be run on the decrypted file.

SECURITY CONSIDERATIONS
       Specifying keys directly on the command line (--key option) is very
       insecure and should not be done, except for testing purposes with test
       keys. Even then it is recommended to use keyfiles, which are also easy
       to handle during testing. Keep in mind that command history is usually
       kept by bash and can also easily be monitored.

       Local keyfiles are also a security risk. At a minimum, they should be
       used with very restrictive file permissions. For this reason, the
       rscryutil tool creates them with read permissions for the user, only,
       no matter what umask is set to.
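
       The keyfile rules described under write-keyfile (refusing to overwrite
       an existing file, creating with 0400 no matter what umask is set) and
       the keyfile advice in this section, as an added example that is not
       part of the rsyslog project or this page: a POSIX shell script that
       writes a random key under the same rules and audits keyfiles already
       on disk for modes wider than 0400. The hex on-disk format, the helper
       names write_keyfile and audit_keyfiles, and the --demo flag are
       assumptions of this example, not rscryutil behaviour.

```shell
#!/bin/sh
# Added example (not part of the rsyslog project or this man page): a small
# POSIX shell equivalent of the keyfile handling described in rscryutil(1),
# plus an audit helper for keyfiles already on disk.

# write_keyfile <path> <bytes> [force]
#   Writes <bytes> random bytes from /dev/urandom, hex-encoded (a format
#   chosen for this example; the page does not describe rscryutil's own
#   on-disk key format), to <path>.
#   - Refuses to overwrite an existing file unless the third argument is
#     the literal word "force".
#   - Creates the file under umask 077 so it is never group/world readable,
#     even briefly, then tightens it to 0400 (owner read only) regardless
#     of the caller's umask.
#   - Unlike rscryutil's --force (which keeps the old file's permissions),
#     a forced write here removes and recreates the file, so it ends up
#     0400 as well.
write_keyfile() {
    path=$1
    nbytes=$2
    force=${3:-}

    if [ -e "$path" ]; then
        if [ "$force" != "force" ]; then
            echo "write_keyfile: refusing to overwrite existing keyfile: $path" >&2
            return 1
        fi
        rm -f "$path" || return 1
    fi

    old_umask=$(umask)
    umask 077
    # The key bytes go straight into the file; nothing is echoed to the
    # terminal or placed on a command line, so shell history never sees them.
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n' > "$path"
    status=$?
    umask "$old_umask"
    [ "$status" -eq 0 ] || return 1
    chmod 0400 "$path"
}

# audit_keyfiles <file>...
#   Reports every given keyfile whose mode is not exactly 0400 (owner read
#   only, as rscryutil creates them). Uses the ls(1) mode string because it
#   is portable across GNU and BSD userlands, where stat(1) flags differ.
#   Returns 1 if any file is too permissive or missing, 0 otherwise.
audit_keyfiles() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "audit_keyfiles: $f: no such file" >&2
            bad=1
            continue
        fi
        mode=$(ls -ld "$f" | cut -c1-10)
        if [ "$mode" != "-r--------" ]; then
            echo "audit_keyfiles: $f has mode $mode, expected -r--------" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage: sh keyfile.sh --demo   (creates and audits a keyfile in a temp dir)
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_keyfile "$dir/keyfile" 16
    ls -l "$dir/keyfile"
    audit_keyfiles "$dir/keyfile" && echo "permissions OK"
    rm -rf "$dir"
fi
```

       Running the audit over a directory of keyfiles (audit_keyfiles
       /etc/rsyslog.d/*.key, or wherever they are kept) is a quick check that
       no keyfile has been loosened by a later chmod or copied with a wider
       mode; a forced overwrite in rscryutil keeps the old permissions, so a
       file that was ever made readable stays that way until it is fixed.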

       When selecting cipher algorithms and modes, care needs to be taken.
       The defaults should be reasonably safe to use, but this tends to
       change over time. Keep up with the most current crypto
       recommendations.

SEE ALSO
       rsgtutil(1), rsyslogd(8)

COPYRIGHT
       This page is part of the rsyslog project, and is available under
       LGPLv2.

AUTHORS
       Rainer Gerhards <rgerhards@adiscon.com>

                                  2013-04-15                      RSCRYUTIL(1)