Bacula-users

Re: [Bacula-users] Bacula backups and restores

2009-08-31 18:45:32
Subject: Re: [Bacula-users] Bacula backups and restores
From: Cedric Tefft <logicloop AT gmail DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 31 Aug 2009 15:41:53 -0700
tqz wrote:
> Hmm...I don't like the fact that if my server and nas devices are all damaged
> in a fire (for example) then my off site backup copy (the encrypted tape) is
> useless to me! I don't see the point of having the offsite copy, if what is
> saved on the tape can't be restored! I'm no system admin, or have any
> experience in other backup software so don't know if this is the case with
> them as well or if this is just a down point for using bacula.
>
> My boss would like the tapes encrypted as there may be confidential data on 
> the tapes so encrypting the tapes is a requirement for him. Is there any way 
> that I could keep the bacula catalog unencrypted on the same tape? Is this 
> possible to specify in the config files? Or is this being illogical as then 
> anyone can restore the data if they have knowledge on bacula even if the 
> other contents on the tape is encrypted...or is just sending a dump of the 
> bacula catalog via email or to an off site location the only option if we 
> encrypt the tape....
>
> Many thanks in advance
> t.
>   

Either you're confused about how encryption works or I'm confused about 
your question.

In order to encrypt (or decrypt) your data you need encryption keys.  
Encryption keys are a bit like passwords, except that they're a little 
bit too long and complex for humans to remember, so we generally store 
them in files.  They have nothing to do with your catalog which is 
basically just a LIST of files you've backed up to tape.

An unencrypted copy of your catalog does not allow you to decrypt the 
encrypted data on your tapes.  For that, you need the encryption keys.

I think what you want to do is copy your encryption keys to some type of 
portable media (USB drive, CD, etc.) and store them in a SECURE off-site 
location, but -- and here is the important part -- SEPARATE from where 
you store your tapes.  A safe-deposit box at a bank is a typical example.

Anyone who has your encrypted tapes AND your encryption keys has your 
data, so you need to make sure only trusted individuals have access to 
both.  For added security, I'd suggest you wrap your off-site encryption 
keys in another layer of encryption.  Using PGP (or GPG) to 
conventionally encrypt the key files before writing them to the USB/CD 
would be a good example -- just make sure you don't forget your password!

- Cedric
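
One way to carry out the key-wrapping step suggested in the message above, as an added example that is not part of the original post: symmetrically ("conventionally") encrypt a key file with GPG and confirm it decrypts back to the same bytes before relying on the off-site copy. The function names and the `GPG_OPTS` variable are hypothetical, and GnuPG 2.2.7 or later is assumed for `--no-symkey-cache`.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and GPG_OPTS are
# hypothetical; GPG_OPTS holds extra gpg options and is empty for interactive use.

# sha256_of FILE: print the SHA-256 hex digest of FILE ("-" reads stdin).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_wrapped KEYFILE WRAPPED: decrypt WRAPPED to a pipe (no plaintext copy
# is written to disk) and compare its digest with the original key file.
# --no-symkey-cache forces the passphrase to be supplied again rather than
# taken from gpg-agent's cache, so success means you really can unlock it.
verify_wrapped() {
    want=$(sha256_of "$1") || return 1
    # GPG_OPTS is deliberately unquoted so it splits into separate options.
    got=$(gpg $GPG_OPTS --no-symkey-cache --decrypt "$2" 2>/dev/null | sha256_of -) || return 1
    [ "$want" = "$got" ]
}

# wrap_key KEYFILE WRAPPED: symmetrically encrypt KEYFILE with AES-256 under a
# passphrase, then round-trip it; a copy that fails the check is deleted.
wrap_key() {
    keyfile=$1 wrapped=$2
    [ -s "$keyfile" ] || { echo "missing or empty: $keyfile" >&2; return 2; }
    [ ! -e "$wrapped" ] || { echo "refusing to overwrite: $wrapped" >&2; return 2; }
    gpg $GPG_OPTS --no-symkey-cache --symmetric --cipher-algo AES256 \
        --output "$wrapped" "$keyfile" || return 1
    verify_wrapped "$keyfile" "$wrapped" || { rm -f "$wrapped"; return 1; }
}
```

After writing the wrapped file to the USB drive or CD, run `verify_wrapped` once more against the copy on that media, so a bad burn or a mistyped passphrase shows up before the media goes off-site.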

