RSCRYUTIL(1)                                                      RSCRYUTIL(1)

NAME

       rscryutil - Manage Encrypted Log Files

SYNOPSIS

          rscryutil [OPTIONS] [FILE] ...

DESCRIPTION

       This tool performs various operations on encrypted log files. Most
       importantly, it provides the ability to decrypt them.

OPTIONS

       -d, --decrypt
              Select decryption mode. This is the default mode.

       -W, --write-keyfile <file>
              Utility function to write a key to a keyfile. The key can be
              obtained via any method.

       -v, --verbose
              Select verbose mode.

       -f, --force
              Forces operations that otherwise would fail.

       -k, --keyfile <file>
              Reads the key from <file>. File _must_ contain the key, only,
              no headers or other meta information. Keyfiles can be
              generated via the --write-keyfile option.

       -p, --key-program <path-to-program>
              In this mode, the key is provided by a so-called "key
              program". This program is executed and must return the key
              (as well as some meta information) via stdout. The core idea
              of key programs is that using this interface the user can
              implement as complex (and secure) a method to obtain keys as
              desired, all without the need to make modifications to
              rsyslog.

       -K, --key <KEY>
              TESTING AID, NOT FOR PRODUCTION USE. This uses the KEY
              specified on the command line. This is the actual key, and
              as such this mode is highly insecure. However, it can be
              useful for initial testing steps. This option may be removed
              in the future.

       -a, --algo <algo>
              Sets the encryption algorithm (cipher) to be used. See below
              for supported algorithms. The default is "AES128".

       -m, --mode <mode>
              Sets the cipher mode to be used. See below for supported
              modes. The default is "CBC".

       -r, --generate-random-key <bytes>
              Generates a random key of length <bytes>. This option is
              meant to be used together with --write-keyfile (and it is
              hard to envision any other valid use for it).

OPERATION MODES

       The operation mode specifies what exactly the tool does with the
       provided files. The default operation mode is "dump", but this may
       change in the future. Thus, it is recommended to always set the
       operation mode explicitly. If multiple operation modes are set on
       the command line, results are unpredictable.

   decrypt
       The provided log files are decrypted. Note that the .encinfo side
       files must exist and be accessible in order for decryption to work.

   write-keyfile
       In this mode no log files are processed; thus it is an error to
       specify any on the command line. The specified keyfile is written.
       The key itself is obtained via the usual key commands. If --keyfile
       is used, that file is effectively copied.

       For security reasons, existing key files are _not_ overwritten. To
       permit this, specify the --force option. When doing so, keep in mind
       that lost keys cannot be recovered and data encrypted with them may
       also be considered lost.

       Keyfiles are always created with 0400 permission, that is read
       access for only the user. An exception is when an existing file is
       overwritten via the --force option, in which case the former
       permissions still apply.
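       As an added example that is not part of the rsyslog project or of
       this manual, the following POSIX shell helper applies the keyfile
       rules described above (raw key bytes only, no header or newline;
       mode 0400 regardless of the caller's umask; no overwrite unless
       forced) and audits an existing keyfile against them. The function
       names write_keyfile and check_keyfile are chosen here.

```shell
# Added example, not rsyslog code: keyfile handling as this man page
# describes it -- raw key bytes only, 0400 regardless of umask, and no
# silent overwrite of an existing key.
#
# write_keyfile <file> <bytes> [force]
write_keyfile() {
    file=$1; bytes=$2; force=${3:-}
    if [ -e "$file" ]; then
        if [ "$force" != "force" ]; then
            echo "write_keyfile: $file exists, refusing to overwrite" >&2
            return 1
        fi
        # Forced: remove the old (typically 0400) file so it can be recreated.
        rm -f "$file" || return 1
    fi
    # Create under a restrictive umask so the key is never group- or
    # world-readable even for an instant, then pin the mode to exactly 0400.
    (umask 077 && dd if=/dev/urandom bs=1 count="$bytes" 2>/dev/null > "$file") \
        || return 1
    chmod 0400 "$file"
}

# check_keyfile <file> <bytes>: audit an existing keyfile. It must hold
# exactly <bytes> of key material (16 for the AES128 default; a trailing
# newline or header would make it longer) and must be mode 0400.
check_keyfile() {
    file=$1; bytes=$2
    [ -f "$file" ] || { echo "check_keyfile: $file missing" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne "$bytes" ]; then
        echo "check_keyfile: $file holds $size bytes, expected $bytes" >&2
        return 1
    fi
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    if [ "$mode" != "400" ]; then
        echo "check_keyfile: $file is mode $mode, expected 400" >&2
        return 1
    fi
}
```

       Unlike rscryutil --force, which leaves an overwritten file's former
       permissions in place, the forced path here recreates the file, so the
       result is always 0400.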

EXIT CODES

       The command returns an exit code of 0 if everything went fine, and
       some other code in case of failures.

SUPPORTED ALGORITHMS

       We basically support what libgcrypt supports. This is:
          3DES CAST5 BLOWFISH AES128 AES192 AES256 TWOFISH TWOFISH128 ARCFOUR
          DES SERPENT128 SERPENT192 SERPENT256 RFC2268_40 SEED CAMELLIA128
          CAMELLIA192 CAMELLIA256

SUPPORTED CIPHER MODES

       We basically support what libgcrypt supports. This is:
          ECB CFB CBC STREAM OFB CTR AESWRAP

EXAMPLES

       rscryutil logfile

       Decrypts "logfile" and sends data to stdout.

       rscryutil --generate-random-key 16 --keyfile /some/secured/path/keyfile

       Generates a random key and stores it in the specified keyfile.

LOG SIGNATURES

       Encrypted log files can be used together with signing. To verify
       such a file, it must be decrypted first, and the verification tool
       rsgtutil(1) must be run on the decrypted file.

SECURITY CONSIDERATIONS

       Specifying keys directly on the command line (--key option) is very
       insecure and should not be done, except for testing purposes with
       test keys. Even then it is recommended to use keyfiles, which are
       also easy to handle during testing. Keep in mind that command
       history is usually kept by bash and can also easily be monitored.

       Local keyfiles are also a security risk. At a minimum, they should
       be used with very restrictive file permissions. For this reason, the
       rscryutil tool creates them with read permissions for the user,
       only, no matter what umask is set to.

       When selecting cipher algorithms and modes, care needs to be taken.
       The defaults should be reasonably safe to use, but this tends to
       change over time. Keep up with the most current crypto
       recommendations.

SEE ALSO

       rsgtutil(1), rsyslogd(8)

       This page is part of the rsyslog project, and is available under
       LGPLv2.

AUTHOR

       Rainer Gerhards <rgerhards@adiscon.com>



                                 2013-04-15                      RSCRYUTIL(1)