1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en">
<title>libgcryt Log Crypto Provider (gcry)</title>
</head>
<body>
<a href="rsyslog_conf_modules.html">back to rsyslog module overview</a>
<h1>libgcrypt Log Crypto Provider (gcry)</h1>
<p><b>Signature Provider Name: gt</b></p>
<p><b>Author: </b>Rainer Gerhards <rgerhards@adiscon.com></p>
<p><b>Supported Since: </b>since 7.3.10
<p><b>Description</b>:</p>
<p>Provides encryption support to rsyslog.
</p>
<p><b>Configuration Parameters</b>:</p>
<p>Crypto providers are loaded by omfile, when the
provider is selected in its "cry.providerName" parameter.
Parameters for the provider are given in the omfile action instance
line.
<p>This provider creates an encryption information file with the same base name but
the extension ".encinfo" for each log file (both for fixed-name files
as well as dynafiles). Both files together form a set. So you need to
archive both in order to prove integrity.
<ul>
<li><b>cry.algo</b> <Encryption Algorithm><br>
The algorithm (cipher) to be used for encryption.
The default algorithm is "AES128".
<br>Currently, the following Algorithms are supported:
<ul>
<li>3DES
<li>CAST5
<li>BLOWFISH
<li>AES128
<li>AES192
<li>AES256
<li>TWOFISH
<li>TWOFISH128
<li>ARCFOUR
<li>DES
<li>SERPENT128
<li>SERPENT192
<li>SERPENT256
<li>RFC2268_40
<li>SEED
<li>CAMELLIA128
<li>CAMELLIA192
<li>CAMELLIA256
</ul>
<br>
The actual availability of an algorithms depends on which ones
are compiled into libgcrypt. Note that some versions of libgcrypt
simply abort the process (rsyslogd in this case!) if a supported
algorithm is select but not available due to libgcrypt build
settings. There is nothing rsyslog can do against this. So in
order to avoid production downtime, always check carefully when
you change the algorithm.
</li>
<li><b>cry.mode</b> <Algorithm Mode><br>
The encryption mode to be used. Default ist Cipher Block Chaining (CBC).
Note that not all encryption modes can be used together with all
algorithms.
<br>Currently, the following modes are supported:
<ul>
<li>ECB
<li>CFB
<li>CBC
<li>STREAM
<li>OFB
<li>CTR
<li>AESWRAP
</ul>
<li><b>cry.key</b> <encryption key><br>
TESTING AID, NOT FOR PRODUCTION USE. This uses the KEY specified
inside rsyslog.conf. This is the actual key, and as such this mode
is highly insecure. However, it can be useful for intial testing
steps. This option may be removed in the future.
</li>
<li><b>cry.keyfile</b> <filename><br>
Reads the key from the specified file. The file must contain the key, only,
no headers or other meta information. Keyfiles can be generated via the
rscrytool utility.
</li>
<li><b>cry.keyprogram</b> <path to program><br>
If given, the key is provided by a so-called "key program". This program
is executed and must return the key to (as well as some meta information)
via stdout. The core idea of key programs is that using this interface the
user can implement as complex (and secure) method to obtain keys as
desired, all without the need to make modifications to rsyslog.
</li>
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li>currently none known
</li>
</ul>
<p><b>Samples:</b></p>
<p>This encrypts a log file. Default parameters are used, they key is
provided via a keyfile.
</p>
<textarea rows="3" cols="60">
action(type="omfile" file="/var/log/somelog"
cry.provider="gcry" keyfile="/secured/path/to/keyfile")
</textarea>
Note that the keyfile can be generated via the rscrytool utility (see its
documentation for how to actually do that).
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright © 2013 by
<a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>
|
