Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Bacula-users] client-side data encryption without routine access to private key

2009-02-17 08:09:22
Subject: [Bacula-users] client-side data encryption without routine access to private key
From: Tom Yates <madlists AT teaparty DOT net>
To: bacula-users <bacula-users AT lists.sourceforge DOT net>
Date: Tue, 17 Feb 2009 12:39:37 +0000 (GMT) 
I'm curious about encryption; specifically, encrypting the data on the 
client-side before the storage daemon lays it down to tape.

I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it 
seems to suggest that the client *requires* both the client's private key 
and the client's public key.  Certainly, when I give the client a "PKI 
Keypair =" file which contains only the public key, I get an "Error: 
openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM 
routines:PEM_read_bio:no start line".

But what I'm trying to do here is make a machine, and its backup tapes, 
safe from physical seizure.  The root FS of the machine is unencrypted 
(and so, therefore, is the /etc/bacula directory); the file system I'm 
worried about is normally encrypted.

I've tried giving the FD a .pem file which includes an encrypted private 
key, in the hope that it would ask for a passphrase at start time (in the 
manner of apache), but instead I get "openssl.c:86 Unable to read private 
key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password 
read", so that's not working.

The above manual page on data encryption says that the encryption involves 
three steps:

    1. The File daemon generates a session key.
    2. The FD encrypts that session key via PKE for all recipients (the file 
daemon, any master keys).
    3. The FD uses that session key to perform symmetric encryption on the data.

None of that seems to me to require the client's private key; only the 
public one.  Only restoration, or some other act requiring the decryption 
of the filestream, seems to me to require the client's private key.  Or is 
there some other signing phase going on, that I'm not catching on to?

Am I missing something, or is the only way to make this work to put the 
bacula FD's keys in plaintext, inside the encrypted filesystem?


   Tom Yates
   Cambridge, UK.

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Bacula-users] verify job with differences doesn't finish and blocks storage, Ralf Gross
Next by Date:  Re: [Bacula-users] Finding performance issues, Daniel Holtkamp
Previous by Thread:  [Bacula-users] verify job with differences doesn't finish and blocks storage, Ralf Gross
Next by Thread:  Re: [Bacula-users] client-side data encryption without routine access to private key, Kevin Keane
Indexes:  [Date] [Thread] [Top] [All Lists]