summaryrefslogtreecommitdiff
path: root/doc/man-sections/encryption-options.rst
blob: ee34f14e46d07e2456d7e415e74e3f8fb4030fdd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
Encryption Options
==================

SSL Library information
-----------------------

--show-ciphers
  (Standalone) Show all cipher algorithms to use with the ``--cipher``
  option.

--show-digests
  (Standalone) Show all message digest algorithms to use with the
  ``--auth`` option.

--show-tls
  (Standalone) Show all TLS ciphers supported by the crypto library.
  OpenVPN uses TLS to secure the control channel, over which the keys that
  are used to protect the actual VPN traffic are exchanged. The TLS
  ciphers will be sorted from highest preference (most secure) to lowest.

  Be aware that whether a cipher suite in this list can actually work
  depends on the specific setup of both peers (e.g. both peers must
  support the cipher, and an ECDSA cipher suite will not work if you are
  using an RSA certificate, etc.).

--show-engines
  (Standalone) Show currently available hardware-based crypto acceleration
  engines supported by the OpenSSL library.

--show-groups
  (Standalone) Show all available elliptic curves/groups to use with the
  ``--ecdh-curve`` and ``tls-groups`` options.

Generating key material
-----------------------

--genkey args
  (Standalone) Generate a key to be used of the type keytype. if keyfile
  is left out or empty the key will be output on stdout. See the following
  sections for the different keytypes.

  Valid syntax:
  ::

     --genkey keytype keyfile

  Valid keytype arguments are:

  :code:`secret`                Standard OpenVPN shared secret keys

  :code:`tls-crypt`             Alias for :code:`secret`

  :code:`tls-auth`              Alias for :code:`secret`

  :code:`auth-token`            Key used for ``--auth-gen-token-key``

  :code:`tls-crypt-v2-server`   TLS Crypt v2 server key

  :code:`tls-crypt-v2-client`   TLS Crypt v2 client key


  Examples:
  ::

     $ openvpn --genkey secret shared.key
     $ openvpn --genkey tls-crypt shared.key
     $ openvpn --genkey tls-auth shared.key
     $ openvpn --genkey tls-crypt-v2-server v2crypt-server.key
     $ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key

  * Generating *Shared Secret Keys*
    Generate a shared secret, for use with the ``--secret``, ``--tls-auth``
    or ``--tls-crypt`` options.

    Syntax:
    ::

       $ openvpn --genkey secret|tls-crypt|tls-auth keyfile

    The key is saved in ``keyfile``. All three variants (``--secret``,
    ``tls-crypt`` and ``tls-auth``) generate the same type of key. The
    aliases are added for convenience.

    If using this for ``--secret``, this file must be shared with the peer
    over a pre-existing secure channel such as ``scp``\(1).

  * Generating *TLS Crypt v2 Server key*
    Generate a ``--tls-crypt-v2`` key to be used by an OpenVPN server.
    The key is stored in ``keyfile``.

    Syntax:
    ::

       --genkey tls-crypt-v2-server keyfile

  * Generating *TLS Crypt v2 Client key*
    Generate a --tls-crypt-v2 key to be used by OpenVPN clients.  The
    key is stored in ``keyfile``.

    Syntax
    ::

       --genkey tls-crypt-v2-client keyfile [metadata]

    If supplied, include the supplied ``metadata`` in the wrapped client
    key. This metadata must be supplied in base64-encoded form. The
    metadata must be at most 735 bytes long (980 bytes in base64).

    If no metadata is supplied, OpenVPN will use a 64-bit unix timestamp
    representing the current time in UTC, encoded in network order, as
    metadata for the generated key.

    A tls-crypt-v2 client key is wrapped using a server key. To generate a
    client key, the user must therefore supply the server key using the
    ``--tls-crypt-v2`` option.

    Servers can use ``--tls-crypt-v2-verify`` to specify a metadata
    verification command.

  * Generate *Authentication Token key*
    Generate a new secret that can be used with **--auth-gen-token-secret**

    Syntax:
    ::

       --genkey auth-token [keyfile]

    *Note:*
       This file should be kept secret to the server as anyone that has
       access to this file will be able to generate auth tokens that the
       OpenVPN server will accept as valid.

.. include:: renegotiation.rst
.. include:: tls-options.rst
.. include:: pkcs11-options.rst