Bacula-users

Re: [Bacula-users] Encryption errors

2010-01-26 04:27:58
Subject: Re: [Bacula-users] Encryption errors
From: "Conor O'Callaghan" <cocallaghan AT gmail DOT com>
To: Martin Simmons <martin AT lispworks DOT com>
Date: Tue, 26 Jan 2010 09:25:27 +0000
Sorry, by master I meant the bacula director. When I look at the files there, they seem encrypted; I can see other files from systems which don't use PKI.

Right, now that I do a stop/start on the bacula-fd (client) rather than a restart, I see the error when trying to recover the file, which is good.

JobId 866: Error: No private decryption keys have been defined to decrypt encrypted backup data.

Here is the further output for the streams:

Stream=19

Date written      : 23-Jan-2010 22:41
bscan: bscan.c:521 SOS_LABEL: Found Job record for JobId: 850
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=1 Stream=1 len=79
bscan JobId 0: drwxr-xr-x   2 root     root          4096 2009-11-11 11:10:53  /usr/local/bin/
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=1 len=73
bscan JobId 0: -rw-r--r--   1 root     root           187 2009-11-11 11:15:58  /etc/hosts
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=22 len=640
bscan: bscan.c:771 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=20 len=176
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=20 len=16
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=19 len=322
bscan: bscan.c:778 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=3 len=16
bscan: bscan.c:739 Got MD5 record: P2vF/aw3NH4saRMllHCunA
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=1 len=75
bscan JobId 0: -rw-r--r--   1 root     root          1184 2009-12-03 15:38:15  /etc/profile
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=22 len=640
bscan: bscan.c:771 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=20 len=1184
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=20 len=16
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=19 len=322
bscan: bscan.c:778 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=3 len=16

Stream=22

Date written      : 23-Jan-2010 22:41
bscan: bscan.c:521 SOS_LABEL: Found Job record for JobId: 850
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=1 Stream=1 len=79
bscan JobId 0: drwxr-xr-x   2 root     root          4096 2009-11-11 11:10:53  /usr/local/bin/
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=1 len=73
bscan JobId 0: -rw-r--r--   1 root     root           187 2009-11-11 11:15:58  /etc/hosts
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=22 len=640
bscan: bscan.c:771 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=20 len=176
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=20 len=16
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=19 len=322
bscan: bscan.c:778 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=3 len=16
bscan: bscan.c:739 Got MD5 record: P2vF/aw3NH4saRMllHCunA
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=1 len=75
bscan JobId 0: -rw-r--r--   1 root     root          1184 2009-12-03 15:38:15  /etc/profile
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=22 len=640
bscan: bscan.c:771 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=20 len=1184
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=20 len=16
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=19 len=322
bscan: bscan.c:778 Got signed digest record
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=3 len=16


So it looks like the files have been encrypted correctly, right? OK, so here is what I did.

Change configuration on director once more ( to point to new recovery box ).
Stop / Start bacula ( fd/sd/dir )

Stop/Start bacula-fd on the new recovery box

Try once more to recover with bconsole from the director

Now it recovers without the errors! So it seems that my restart on the director was causing some confusion. That's the only conclusion I can draw from this. Thanks for your help, Martin.

2010/1/25 Martin Simmons <martin AT lispworks DOT com>
>>>>> On Mon, 25 Jan 2010 09:26:53 +0000, Conor O'Callaghan said:
>
> 2010/1/22 Martin Simmons <martin AT lispworks DOT com>
>
> > >>>>> On Fri, 22 Jan 2010 10:31:39 +0000, Conor O'Callaghan said:
> > >
> > > 2010/1/21 Martin Simmons <martin AT lispworks DOT com>
> > >
> > > > >>>>> On Wed, 20 Jan 2010 17:23:34 +0000, Conor O'Callaghan said:
> > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > Client/Server both 3.02 on linux x64
> > > > > >
> > > > > > I have made some encrypted backups from my client, I can successfully
> > > > > > recover from the backup using bconsole. When I try to simulate a machine
> > > > > > crash, by using another machine with the keys and config from the original
> > > > > > client, I get the following errors on restoration of files. The files appear
> > > > > > to restore correctly regardless of the error relating to the encryption
> > > > > > missing.
> > > > > >
> > > > > > http://pastebin.ca/1759144 and http://pastebin.ca/1759151 ( most recent )
> > > > > >
> > > > > > Is there any way to resolve this issue? Or is it normal since the machine
> > > > > > has changed? I have found very little relating to this issue in the
> > > > > > archives.
> > > >
> > > > The "Missing cryptographic signature" message is generated after the file has
> > > > been restored, which is why the files appear OK.  I'm not sure why that would
> > > > happen, but it means that restore failed to find the signature that should
> > > > have been generated when the file was backed up.  Maybe the PKI configuration
> > > > is incorrect or you changed it between backup and restore?
> > >
> > > I am just thinking that the issue might be caused by the fact that the keys
> > > were generated on the original client box, I didn't import them in the new (
> > > recovery ) box, simply put them on disk and pointed the bacula configuration
> > > to them ( identical to the client ). Could that be the cause? I may be able
> > > to investigate further today.
> >
> > AFAIK, there is no need to import them (or indeed anywhere to import them to).
> > The keys must have been used, because otherwise you couldn't decrypt the
> > backup.
> >
> > That error would also be generated if the signature was not recorded.  Are you
> > 100% sure that it was actually encrypted and signed?  What does the restore do
> > on the original box if you remove the pki lines from the config?  Also look at
> > the output of bscan -v -v -r path-to-volume, to check for Stream=22 (encrypted
> > data) and Stream=19 (signature).  The output will be large, so I suggest
> > writing it to file.
>
> Hi Martin,
>
> Ok I find this a bit strange, I can restore the files to the original client
> when I comment out the PKI lines in the config on it. However when I try to
> view this file on the master, it shows as encrypted garbage.

Yes, that is strange (though I'm not sure what you mean by "on the master").

Do you see any errors during the restore with no PKI lines?  I would expect an
error like "No private decryption keys have been defined..."  to appear.


> I have this information from the bscan also:
>
> bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=22 len=640
> bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=22 len=640
>
> [root@ tmp]$ cat mysqlbscan-2010012501 | grep -i Stream=19
> bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=19 len=322
> bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=3 Stream=19 len=322

That looks correct, assuming those lines correspond to the files of interest
and that is the correct job.  It is worth looking at a few lines before that,
which should show the filename (maybe use grep --context=6).

__Martin
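
The check Martin describes (find Stream=22 and Stream=19 in `bscan -v -v` output and tie them back to file names) can be scripted instead of done with grep and context lines. This is an added example, not part of the original thread or of Bacula; the sample input is constructed from the line format quoted above, and the /etc/motd entry (FileIndex=4) is invented to show a file carrying neither record.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the bscan lines quoted in the thread.
# FileIndex=4 (/etc/motd) is invented: it has no Stream=22 or Stream=19 record.
SAMPLE = """\
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=1 Stream=1 len=79
bscan JobId 0: drwxr-xr-x   2 root     root          4096 2009-11-11 11:10:53  /usr/local/bin/
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=1 len=73
bscan JobId 0: -rw-r--r--   1 root     root           187 2009-11-11 11:15:58  /etc/hosts
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=22 len=640
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=20 len=176
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=2 Stream=19 len=322
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=4 Stream=1 len=70
bscan JobId 0: -rw-r--r--   1 root     root            12 2009-11-11 11:15:58  /etc/motd
bscan: bscan.c:425 Record: SessId=30 SessTim=1264090948 FileIndex=4 Stream=2 len=12
"""

REC = re.compile(r"Record: SessId=(\d+) SessTim=(\d+) FileIndex=(\d+) Stream=(\d+) len=\d+")
LS = re.compile(r"^bscan JobId \d+: (\S+)\s.*\d\d:\d\d:\d\d\s+(.+)$")
REQUIRED = {22: "encrypted data", 19: "signature"}  # stream labels as given in the thread


def audit(text):
    """Return {path: [labels of missing streams]} for regular files in bscan output."""
    streams = defaultdict(set)  # (SessId, SessTim, FileIndex) -> stream ids seen
    names = {}                  # same key -> (mode string, path)
    last = None
    for line in text.splitlines():
        m = REC.search(line)
        if m:
            # FileIndex repeats across jobs, so key on the session as well.
            last = tuple(int(x) for x in m.group(1, 2, 3))
            streams[last].add(int(m.group(4)))
            continue
        m = LS.match(line)
        if m and last is not None and last not in names:
            names[last] = (m.group(1), m.group(2))  # listing follows its Stream=1 record
    report = {}
    for key, (mode, path) in names.items():
        if not mode.startswith("-"):
            continue  # the directory entry in the thread's output has only Stream=1
        report[path] = [lbl for sid, lbl in REQUIRED.items() if sid not in streams[key]]
    return report


if __name__ == "__main__":
    for path, missing in audit(SAMPLE).items():
        print(path, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

To run it against a real volume, pass the saved output of `bscan -v -v -r path-to-volume` to `audit()` in place of `SAMPLE`.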

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
