path: root/source/configuration/cryprov_gcry.rst
blob: 7dc32aa00646441dcb7b42e6d89ad34e9649a17c (plain)
libgcrypt Log Crypto Provider (gcry)
====================================

**Crypto Provider Name:** gcry

**Author:** Rainer Gerhards <rgerhards@adiscon.com>

**Supported Since:** 7.3.10

**Description**:

Provides encryption support to rsyslog.

**Configuration Parameters**:

Crypto providers are loaded by omfile when the provider is selected in
its "cry.providerName" parameter. Parameters for the provider are given
in the omfile action instance line.

This provider creates an encryption information file with the same base
name but the extension ".encinfo" for each log file (for fixed-name
files as well as dynafiles). Both files together form a set, so you need
to archive both in order to prove integrity.

-  **cry.algo** <Encryption Algorithm>
   The algorithm (cipher) to be used for encryption. The default algorithm is "AES128".
   Currently, the following algorithms are supported:

   -  3DES
   -  CAST5
   -  BLOWFISH
   -  AES128
   -  AES192
   -  AES256
   -  TWOFISH
   -  TWOFISH128
   -  ARCFOUR
   -  DES
   -  SERPENT128
   -  SERPENT192
   -  SERPENT256
   -  RFC2268\_40
   -  SEED
   -  CAMELLIA128
   -  CAMELLIA192
   -  CAMELLIA256

   The actual availability of an algorithm depends on which ones are
   compiled into libgcrypt. Note that some versions of libgcrypt simply
   abort the process (rsyslogd in this case!) if a supported algorithm
   is selected but not available due to libgcrypt build settings. There is
   nothing rsyslog can do about this. So in order to avoid production
   downtime, always check carefully when you change the algorithm.

-  **cry.mode** <Algorithm Mode>
   The encryption mode to be used. The default is Cipher Block Chaining
   (CBC). Note that not all encryption modes can be used together with
   all algorithms.
   Currently, the following modes are supported:

   -  ECB
   -  CFB
   -  CBC
   -  STREAM
   -  OFB
   -  CTR
   -  AESWRAP
-  **cry.key** <encryption key>
   TESTING AID, NOT FOR PRODUCTION USE. This uses the KEY specified
   inside rsyslog.conf. This is the actual key, and as such this mode is
   highly insecure. However, it can be useful for initial testing steps.
   This option may be removed in the future.

-  **cry.keyfile** <filename>
   Reads the key from the specified file. The file must contain only the
   key, with no headers or other meta information. Keyfiles can be
   generated via the rscrytool utility.

-  **cry.keyprogram** <path to program>
   If given, the key is provided by a so-called "key program". This
   program is executed and must return the key (as well as some meta
   information) via stdout. The core idea of key programs is that, using
   this interface, the user can implement as complex (and secure) a
   method of obtaining keys as desired, all without the need to make
   modifications to rsyslog.

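The availability caveat under cry.algo and the warning under cry.key can both be checked before a configuration is rolled out. The script below is an added example, not code from rsyslog or from this page: it parses the "cry.*" parameters of one omfile action line, compares them with the algorithm and mode lists documented above, flags "cry.key", and probes the host's libgcrypt through ctypes so that a cipher that is not compiled in is caught before rsyslogd aborts. Assumptions: the helper names "lint_action" and "libgcrypt_has_algo" are hypothetical, the GCRYCTL_TEST_ALGO value is taken from gcrypt.h, and rsyslog's "AES128" is assumed to be libgcrypt's cipher named "AES".

```python
import ctypes
import ctypes.util
import re

# Algorithm and mode names documented on this page for the gcry provider.
DOCUMENTED_ALGOS = {
    "3DES", "CAST5", "BLOWFISH", "AES128", "AES192", "AES256", "TWOFISH",
    "TWOFISH128", "ARCFOUR", "DES", "SERPENT128", "SERPENT192", "SERPENT256",
    "RFC2268_40", "SEED", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256"}
DOCUMENTED_MODES = {"ECB", "CFB", "CBC", "STREAM", "OFB", "CTR", "AESWRAP"}
GCRYCTL_TEST_ALGO = 8          # command value from gcrypt.h (enum gcry_ctl_cmds)
GCRY_NAME = {"AES128": "AES"}  # assumption: rsyslog's "AES128" is libgcrypt's "AES"

def libgcrypt_has_algo(rsyslog_name):
    """True/False if this host's libgcrypt has the cipher compiled in;
    None when libgcrypt cannot be loaded here (hypothetical helper)."""
    path = ctypes.util.find_library("gcrypt")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.gcry_check_version.restype = ctypes.c_char_p
    lib.gcry_check_version(None)  # mandatory library initialisation
    lib.gcry_cipher_map_name.argtypes = [ctypes.c_char_p]
    lib.gcry_cipher_map_name.restype = ctypes.c_int
    lib.gcry_cipher_algo_info.argtypes = [ctypes.c_int, ctypes.c_int,
                                          ctypes.c_void_p, ctypes.c_void_p]
    lib.gcry_cipher_algo_info.restype = ctypes.c_uint
    algo = lib.gcry_cipher_map_name(GCRY_NAME.get(rsyslog_name, rsyslog_name).encode())
    if algo == 0:
        return False  # name unknown to this libgcrypt build
    return lib.gcry_cipher_algo_info(algo, GCRYCTL_TEST_ALGO, None, None) == 0

def lint_action(action_line):
    """Findings for one omfile action line that selects the gcry provider."""
    params = dict(re.findall(r'(cry\.\w+)="([^"]*)"', action_line))
    findings = []
    algo = params.get("cry.algo", "AES128")  # documented default
    mode = params.get("cry.mode", "CBC")     # documented default
    if algo not in DOCUMENTED_ALGOS:
        findings.append(f"cry.algo={algo!r} is not a documented algorithm")
    elif libgcrypt_has_algo(algo) is False:
        findings.append(f"cry.algo={algo!r} missing from host libgcrypt; rsyslogd may abort")
    if mode not in DOCUMENTED_MODES:
        findings.append(f"cry.mode={mode!r} is not a documented mode")
    if "cry.key" in params:
        findings.append("cry.key puts the raw key in rsyslog.conf: testing aid only")
    if not {"cry.key", "cry.keyfile", "cry.keyprogram"} & params.keys():
        findings.append("no key source (cry.keyfile or cry.keyprogram) configured")
    return findings
```

A None result from the libgcrypt probe only means the check could not run on this host, not that the cipher is available; run the lint on the machine that will actually execute rsyslogd.
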
**Caveats/Known Bugs:**

-  currently none known

**Samples:**

This encrypts a log file. Default parameters are used; the key is
provided via a keyfile.

::

    action(type="omfile" file="/var/log/somelog" cry.provider="gcry"
           cry.keyfile="/secured/path/to/keyfile")

Note that the keyfile can be generated via the rscrytool utility (see its
documentation for how to actually do that).