Sorry. This should have gone to the list. :P
---------- Forwarded message ----------
From: Jon Amundsen <jamundsen AT gmail DOT com>
Date: Tue, Apr 22, 2008 at 7:55 AM
Subject: Re: [Bacula-users] disaster recovery with data encryption
Here's the information you asked for:
Bacula version 2.0.3
OS is Fedora Core 8
openssl 0.9.8b
Bacula is running as root.
Postgres is running as postgres.
The director and sd and fd are running on the machine I'm trying to
redirect the restore to. The original client has the fd running.
Here is a listing of the config files on the machine I'm trying to
redirect the restore to:
[root@mstore2 bacula]# ls -al
total 104
drwxr-xr-x 3 root root 4096 2008-04-22 07:26 .
drwxr-xr-x 104 root root 12288 2008-04-18 04:54 ..
-rw-r--r-- 1 root root 4975 2008-04-11 10:29 bacula.dir.clients.conf
-rw-r----- 1 root root 5942 2008-04-18 09:45 bacula-dir.conf
-rw-r----- 1 root root 2677 2008-04-17 15:11 bacula.dir.filesets.conf
-rw-r----- 1 root root 10255 2008-04-21 10:17 bacula.dir.jobs.conf
-rw-r----- 1 root root 1431 2008-04-21 16:25 bacula-fd.conf
-rw-r----- 1 root root 6131 2008-03-28 10:51 bacula-sd.conf
-rw-r----- 1 root root 194 2008-03-28 10:53 bconsole.conf
-rw-r--r-- 1 root root 1627 2008-04-08 10:38 fd-example.cert
-rw-r--r-- 1 root root 1675 2008-04-08 10:38 fd-example.key
-rw-r--r-- 1 root root 3302 2008-04-08 10:39 fd-example.pem
drwxr-xr-x 2 root root 4096 2008-04-22 07:28 keys
-rw-r--r-- 1 root root 1545 2008-04-08 10:37 master.cert
-rw-r--r-- 1 root root 1675 2008-04-08 10:36 master.key
-rw-r--r-- 1 root root 3220 2008-04-21 10:04 master.keypair
-rw-r--r-- 1 root root 6614 2007-09-05 11:04 query.sql
I've run a few more tests since my first post yesterday. These may be
useful. First of all I am able to copy the original clients keypair
to the machine that I'm trying to redirect to, change the config file
to point to that, and restart the fd. When I do that the restore is
completely successful. As a temporary workaround I've gathered all my
clients keys and keep that as an option.
I tried setting the "PKI Signatures = No" option in the fd's config on
the original client, touching some files, running a backup job and
then trying the redirected restore with the master key. In this test,
BOTH the fd and director died.
In addition I've looked through the changelog in the mantis system and
I don't see any changes that seem to reference this issue.
Any help would be appreciated.
Regards,
Jon Amundsen
On Mon, Apr 21, 2008 at 1:22 PM, Arno Lehmann <al AT its-lehmann DOT de> wrote:
> Hi,
>
>
> 21.04.2008 19:05, Jon Amundsen wrote:
> > Landon,
> >
> > After searching through the list archives I came across this thread
> > from last May. I'm having a similar issue with the 'fd' where it will
> > crash after I attempt a redirected restore of an encrypted file using
> > the master key.
> >
> > Here is a tail of the output with a couple names edited for
confidentiality:
>
> You should report which version of Bacula you're using, which OS,
> which OpenSSL and the corresponding configuration and file system
> entries (like, which certificate / key files you include, how their
> metadata is set up - "ls -l /path/to/file" - and which user the FD
> runs as). Hopefully, then, Landon doesn't have to ask for that
> information himself :-)
>
> Arno
>
>
>
> > fd restore.c:1101 Flush write 34351 bytes, JobBytes=362031
> > fd restore.c:839 Could not find a valid public key for signature on
> > /mnt/database/bacula_restores/etc/services
> > Kaboom! bacula-fd, fd got signal 11. Attempting traceback.
> > Kaboom! exepath=/usr/sbin
> > Calling: /usr/sbin/btraceback /usr/sbin/bacula-fd 11254
> > Traceback complete, attempting cleanup ...
> > fd: pythonlib.c:237 No startup module.
> >
> > Unfortunately putting the "PKI Signatures = no" in the config file of
> > the 'fd' where I'm redirecting the restore to does not seem to solve
> > the problem. I can copy the original fd's key pair over to the host
> > where I'm redirecting the output and everything works fine.
> >
> > Has there been any movement on this issue? Something that stops the
> > daemon from crashing and allows the restore to continue in an
> > emergency?
> >
> > Regards,
> >
> > Jon Amundsen
> > jamundsen AT gmail DOT com
> >
> >
> > Massano,
> >
> > Thanks for the debugging output, it's exactly what's needed. The
> > crash-causing logic error was already fixed in subversion by Kern,
> > and I believe a release is planned soon; As a temporary work-around,
> > you can set "PKI Signatures = no" in the configuration file when
> > doing the emergency restore.
> >
> > The "Could not find a valid public key for signature" message is
> > expected -- the signatures are created using available signing keys,
> > and your signing public key is no longer available to Bacula. Since
> > the master private key is not available at encryption time, the files
> > are not signed with it. This should obviously not cause a crash, though.
> >
> > I eventually intend on implementing HMAC signing -- in addition to
> > being much faster, it will allow any valid decryption key to verify
> > the signature, regardless of public key availability.
> >
> > -landonf
> >
> > On May 11, 2007, at 8:32 AM, massano jerome wrote:
> >
> >> Here is the output of the debug (followed the instructions on the
> >> manual
> >> to get more debugging infos) :
> >>
> >>
> >> sme-fd: bnet.c:1154 who=client host=192.168.0.1 port=36387
> >> [New Thread -1211208784 (LWP 4619)]
> >> sme-fd: find.c:81 init_find_files ff=8e528e0
> >> sme-fd: job.c:232 <dird: Hello Director nec-dir calling
> >> sme-fd: job.c:248 Executing Hello command.
> >> sme-fd: job.c:351 Calling Authenticate
> >> sme-fd: cram-md5.c:71 send: auth cram-md5
> >> <1352298699.1178897275 <at> sme-fd>
> >> ssl=0
> >> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
> >> <446678098.1178897276 <at> nec-dir> ssl=0
> >> sme-fd: cram-md5.c:150 sending resp to challenge: bEU/R4lTp/+WMm+N/i
> >> +saA
> >> sme-fd: job.c:355 OK Authenticate
> >> sme-fd: job.c:232 <dird: JobId=401 Job=RestoreFiles.
> >> 2007-05-11_17.27.53
> >> SDid=28 SDtime=1178874819
> >> Authorization=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-IONP
> >> sme-fd: job.c:248 Executing JobId= command.
> >> sme-fd: job.c:449 JobId=401 Auth=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-
> >> IONP
> >> sme-fd: job.c:232 <dird: storage address=192.168.0.1 port=9103 ssl=0
> >> sme-fd: job.c:248 Executing storage command.
> >> sme-fd: job.c:1253 StorageCmd: storage address=192.168.0.1 port=9103
> >> ssl=0
> >> sme-fd: job.c:1259 Open storage: 192.168.0.1:9103 ssl=0
> >> sme-fd: bnet.c:792 Current host[ipv4:192.168.0.1:9103] All
> >> host[ipv4:192.168.0.1:9103]
> >> sme-fd: bnet.c:1154 who=Storage daemon host=192.168.0.1 port=9103
> >> sme-fd: job.c:1271 Connection OK to SD.
> >> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
> >> <877297817.1178897276 <at> nec-sd> ssl=0
> >> sme-fd: cram-md5.c:150 sending resp to challenge: Hj/7R/+Gu6/TOTVfP1
> >> +SfC
> >> sme-fd: cram-md5.c:78 send: auth cram-md5
> >> <1036016859.1178897276 <at> sme-fd>
> >> ssl=0
> >> sme-fd: cram-md5.c:97 Authenticate OK 62/xH8NSmS4n165Ilg+/SC
> >> sme-fd: job.c:1280 Authenticated with SD.
> >> sme-fd: job.c:232 <dird: bootstrap
> >> sme-fd: job.c:248 Executing bootstrap command.
> >> sme-fd: job.c:1106 filed<dird: bootstrap file Volume="Vol0098"
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file MediaType="File"
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file Device="FileStorage"
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file VolSessionId=27
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file
> >> VolSessionTime=1178874819
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file VolFile=0
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file VolBlock=185-45743481
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file FileIndex=1-2853
> >>
> >> sme-fd: job.c:1106 filed<dird: bootstrap file Count=2853
> >>
> >> sme-fd: job.c:232 <dird: restore replace=a prelinks=0
> >> where=/tmp/bacula-restoressme-fd: job.c:248 Executing restore command.
> >> sme-fd: job.c:1578 restore command
> >> sme-fd: job.c:1596 Got replace a, where=/tmp/bacula-restores
> >> sme-fd: job.c:1604 bfiled>dird: 2000 OK restore
> >> sme-fd: job.c:1669 VolSessId=28 VolsessT=1178874819 SF=0 EF=0
> >> sme-fd: job.c:1670 JobId=401 vol=DummyVolume
> >> sme-fd: job.c:1677 >stored: read open session = DummyVolume 28
> >> 1178874819 0 0 0 0
> >> sme-fd: job.c:1683 bfiled<stored: 3000 OK open ticket = 28
> >> sme-fd: job.c:1688 bfiled: got Ticket=28
> >> sme-fd: job.c:1745 3000 OK bootstrap
> >> sme-fd: job.c:1702 >stored: read data 28
> >> sme-fd: job.c:1745 3000 OK data
> >> sme-fd: restore.c:248 Got hdr: Files=0 FilInx=1 Stream=1, File
> >> attributes.
> >> sme-fd: restore.c:260 Got stream: File attributes len=96 extract=0
> >> sme-fd: restore.c:343 File /home/httpd/html/horde/index.php
> >> attrib=P0A FHYC IGk B A A A 59 BAA I BGRImB BEy5GP BGRD8F A A U
> >> attribsEx=
> >> sme-fd: restore.c:361
> >> Outfile=/tmp/bacula-restores/home/httpd/html/horde/index.php
> >> sme-fd: create_file.c:88 type=3 newmode=81a4
> >> file=/tmp/bacula-restores/home/httpd/html/horde/index.php
> >> sme-fd: create_file.c:186 Make
> >> path /tmp/bacula-restores/home/httpd/html/horde
> >> sme-fd: create_file.c:205 Create
> >> file /tmp/bacula-restores/home/httpd/html/horde/index.php
> >> sme-fd: create_file.c:210 Create
> >> file: /tmp/bacula-restores/home/httpd/html/horde/index.php
> >> (no debugging symbols found)
> >> sme-fd: attr.c:243 -rw-r--r-- 1 root root 3709
> >> 2007-05-11
> >> 12:01:41 /tmp/bacula-restores/home/httpd/html/horde/index.php
> >> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=22, 22.
> >> sme-fd: restore.c:260 Got stream: 22 len=640 extract=1
> >> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
> >> File data.
> >> sme-fd: restore.c:260 Got stream: Encrypted File data len=3712
> >> extract=1
> >> sme-fd: restore.c:975 decrypted len=3696 encrypted len=3712
> >> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
> >> File data.
> >> sme-fd: restore.c:260 Got stream: Encrypted File data len=16 extract=1
> >> sme-fd: restore.c:975 decrypted len=16 encrypted len=16
> >> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=19, Signed
> >> digest.
> >> sme-fd: restore.c:260 Got stream: Signed digest len=318 extract=1
> >> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=2 Stream=1, File
> >> attributes.
> >> sme-fd: restore.c:260 Got stream: File attributes len=108 extract=1
> >> sme-fd: restore.c:1059 Flush decrypt len=1 buf_len=3712
> >> sme-fd: restore.c:1072 Encryption writing full block, 3709 bytes,
> >> remaining 0 bytes in buffer
> >> sme-fd: restore.c:1096 Call store_data
> >> sme-fd: restore.c:1101 Flush write 3709 bytes, JobBytes=3709
> >> sme-fd: restore.c:839 Could not find a valid public key for signature
> >> on /tmp/bacula-restores/home/httpd/html/horde/index.php
> >>
> >> Program received signal SIGSEGV, Segmentation fault.
> >> [Switching to Thread -1211208784 (LWP 4619)]
> >> 0x001d748e in EVP_MD_CTX_cleanup () from /lib/libcrypto.so.4
> >> (gdb)
> >>
> >>
> >>
> >> Hope that can help...
> >> why does it say it could not find a valid public key ? The job I am
> >> trying to restore was backed up with this master key (maybe the master
> >> key was not taken ?)
> >>
> >>
> >>
> >>
> >> Le vendredi 11 mai 2007 à 15:59 +0200, massano jerome a écrit :
> >>> Last info about my problem : after a failed restore (with the master
> >>> keypair), the File Daemon is shut down.
> >>>
> >>> Le vendredi 11 mai 2007 à 15:34 +0200, massano jerome a écrit :
> >>>> Just more info that could help : Bacula 2.0.3 compiled form
> >>>> sources on a
> >>>> SMEserver (linux distribution based on CentOS) with Mysql.
> >>>>
> >>>> Le vendredi 11 mai 2007 à 15:26 +0200, massano jerome a écrit :
> >>>>> Hello. Thank you for your answer.
> >>>>>
> >>>>> Ok. I did what you told me, but it doesn't work : here is the
> >>>>> output :
> >>>>> The message of the console are in french, I have made a
> >>>>> translation of
> >>>>> them (between brackets).
> >>>>>
> >>>>> ----
> >>>>> *messages
> >>>>> 11-mai 15:09 nec-dir: Start Restore Job RestoreFiles.
> >>>>> 2007-05-11_15.09.00
> >>>>> *messages
> >>>>> 11-mai 15:09 nec-sd: Ready to read from volume "Vol0093" on device
> >>>>> "FileStorage" (/tmp).
> >>>>> 11-mai 15:09 nec-sd: Forward spacing Volume "Vol0093" to file:block
> >>>>> 0:185.
> >>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal error:
> >>>>> Network error with FD during Restore: ERR=Aucune donnée
> >>>>> disponible (No
> >>>>> data available)
> >>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Fatal error:
> >>>>> read.c:139 Error sending to File daemon. ERR=Connexion ré-
> >>>>> initialisée
> >>>>> par le correspondant (Connection reset by peer)
> >>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Error:
> >>>>> bnet.c:439
> >>>>> Write error sending 14384 bytes to client:192.168.0.4:36643:
> >>>>> ERR=Connexion ré-initialisée par le correspondant (Connection
> >>>>> reset by
> >>>>> peer)
> >>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal
> >>>>> error: No
> >>>>> Job status returned from FD.
> >>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Error:
> >>>>> Bacula
> >>>>> 2.0.3 (06Mar07): 11-mai-2007 15:09:03
> >>>>> JobId: 388
> >>>>> Job: RestoreFiles.2007-05-11_15.09.00
> >>>>> Client: sme-fd
> >>>>> Start time: 11-mai-2007 15:09:02
> >>>>> End time: 11-mai-2007 15:09:03
> >>>>> Files Expected: 50,388
> >>>>> Files Restored: 0
> >>>>> Bytes Restored: 0
> >>>>> Rate: 0.0 KB/s
> >>>>> FD Errors: 0
> >>>>> FD termination status: Error
> >>>>> SD termination status: Error
> >>>>> Termination: *** Restore Error ***
> >>>>>
> >>>>> 11-mai 15:09 nec-dir: Begin pruning Jobs.
> >>>>> 11-mai 15:09 nec-dir: No Jobs found to prune.
> >>>>> 11-mai 15:09 nec-dir: Begin pruning Files.
> >>>>> 11-mai 15:09 nec-dir: No Files found to prune.
> >>>>> 11-mai 15:09 nec-dir: End auto prune.
> >>>>>
> >>>>> ----
> >>>>>
> >>>>> It works perfectly when I use the original keypair.
> >>>>> Can anyone see where the problem comes from ?
> >>>>>
> >>>>>
> >>>>>
> >>>>> Le jeudi 10 mai 2007 à 21:34 -0700, Landon Fuller a écrit :
> >>>>>> On May 10, 2007, at 4:51 AM, massano jerome wrote:
> >>>>>>
> >>>>>>> Le jeudi 10 mai 2007 à 12:01 +0200, Kern Sibbald a écrit :
> >>>>>>>> On Thursday 10 May 2007 11:14, massano jerome wrote:
> >>>>>>>>> Hello.
> >>>>>>>>> I know this kind of mail is supposed to be sent on the user
> >>>>>>>>> list,
> >>>>>>>>> but
> >>>>>>>>> i've asked for it 3 times, and nobody could answer me. Maybe
> >>>>>>>>> somebody in
> >>>>>>>>> the dev list can help me ?
> >>>>>>>> Maybe you didn't get an answer because it is rather obvious. If
> >>>>>>>> you encrypt
> >>>>>>>> something with an encryption key, you must make a secure non-
> >>>>>>>> encrypted copy
> >>>>>>>> of the encryption key, or use the master key, which is to the
> >>>>>>>> best
> >>>>>>>> of my
> >>>>>>>> knowledge documented (at least a number of users are using it).
> >>>>>>>>
> >>>>>>>> When you figure out how to do it, please let us know.
> >>>>>>>>
> >>>>>>> This is what I understood. I have made a copy of my master
> >>>>>>> key, but in
> >>>>>>> the documentation it is not said how I can use the master key to
> >>>>>>> recover
> >>>>>>> my files. It is only documented how I can create it and use it to
> >>>>>>> encrypt, but not how to restore encrypted data. This is why I
> >>>>>>> sent
> >>>>>>> it to
> >>>>>>> the list (I read the documentation BEFORE sending ^^). So if
> >>>>>>> somebody
> >>>>>>> can tell me how to use my Master Key to restore previously
> >>>>>>> encrypted
> >>>>>>> backups...
> >>>>>> It is preferable to retain a secure, non-encrypted copy of the
> >>>>>> client's own encryption keypair. However, should you lose the
> >>>>>> client's keypair, recovery with the master keypair is possible.
> >>>>>>
> >>>>>> You must:
> >>>>>> 1) Concatenate the master private and public key into a single
> >>>>>> keypair file, ie:
> >>>>>> cat master.key master.cert >master.keypair
> >>>>>>
> >>>>>> 2) Set the PKI Keypair statement in your bacula configuration
> >>>>>> file:
> >>>>>> PKI Keypair = master.keypair
> >>>>>>
> >>>>>> 3) Start the restore. The master keypair will be used to
> >>>>>> decrypt the
> >>>>>> file data.
> >>>>>>
> >>>>>> -landonf
> >>>>>
> >>>>> -------------------------------------------------------------------
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> > Don't miss this year's exciting event. There's still time to save $100.
> > Use priority code J8TL2D2.
> >
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> > _______________________________________________
> > Bacula-users mailing list
> > Bacula-users AT lists.sourceforge DOT net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users
> >
>
> --
> Arno Lehmann
> IT-Service Lehmann
> www.its-lehmann.de
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
>
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
|
