Bacula-users

Re: [Bacula-users] Restore with data encryption?

2011-12-21 13:41:35
Subject: Re: [Bacula-users] Restore with data encryption?
From: Oliver Hoffmann <oh AT dom DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 21 Dec 2011 19:39:30 +0100
> * On Mon, Dec 19 2011 at 17:14:15 +0100, Oliver Hoffmann wrote:
> > Hi all,
> > 
> > I do backups with data encryption. Backups as well as restores on
> > the clients work without problems. 
> > Now I want to be able to do restores with the server (or another
> > one) only. The doc says that adding the following line would be
> > enough.
> > 
> > PKI Keypair = "/etc/bacula/keys/master.keypair"
> > 
> > So my working bacula-fd.conf on the server looks like this (just
> > the PKI part):
> > 
> > PKI Signatures = Yes            
> > PKI Encryption = Yes            
> > PKI Keypair = "/etc/bacula/keys/server-fd.pem"
> > PKI Master Key = "/etc/bacula/keys/master.cert"
> > 
> > Next I replaced server-fd.pem with master.keypair as mentioned in
> > the doc. I made the master.keypair accordingly.
> > That doesn't work. Neither does putting the client-fd.pem in place.
> > 
> > I got this error:
> > 
> > Error: restore.c:944 Missing cryptographic signature
> > for /path/to/my/file
> > 
> > Thus the question is how to do a restore on a fd other than the one
> > the Backup was made with.
> 
> This looks correct. That is exactly the way we do it and it works.
> Maybe your master.keypair is broken ? Does the output of
> "openssl x509 -in /path/to/master.keypair -noout -text" 
> look good ? Is the private key in the keypair-file ?
> 
> Good luck,
>   Christoph
> 
> > 
> > Thank you for enlightening me ;-)
> > 
> > Oliver
> > 

The keypair looks sane. I did 'cat master.key master.cert >
master.keypair' as written in the doc.

Well, I got it. The password of the master.key has to be removed!
Furthermore I saw that the keys are valid for 30 days only. Again the
doc concerning encryption is very lousy. Sorry to say that. Maybe
there'll be a more recent and complete version? At least of the TLS and
data encryption part.

Cheers,

Oliver
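
The checks this thread arrives at (private key present in the keypair file, no passphrase on it, key matching the certificate, validity period), as an added shell example that is not part of the original messages or of Bacula. The function names and the 30-day default threshold are assumptions made for illustration, and the last two functions need the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks for a Bacula PKI keypair file (key + cert in one PEM).

# keypair_status FILE: prints ok | no-cert | no-key | encrypted-key
keypair_status() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || { echo no-cert; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || { echo no-key; return 1; }
    # Passphrase-protected keys: PKCS#8 uses its own PEM label, traditional
    # PEM keys carry a "Proc-Type: 4,ENCRYPTED" header line.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key; return 1
    fi
    echo ok
}

# key_matches_cert FILE: succeeds if the private key belongs to the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass:) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_window FILE [DAYS]: prints notBefore/notAfter, fails if the certificate
# expires within DAYS days (default 30, an assumed threshold).
cert_window() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -dates || return 2
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Run all checks when a file name is given on the command line.
if [ -n "${1:-}" ]; then
    status=$(keypair_status "$1") || { echo "keypair: $status"; exit 1; }
    key_matches_cert "$1" || { echo "key does not match certificate"; exit 1; }
    cert_window "$1" || { echo "certificate missing, expired or expiring soon"; exit 1; }
    echo "keypair: ok"
fi
```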