I'm curious about encryption; specifically, encrypting the data on the
client side before the storage daemon lays it down to tape.
I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it
seems to suggest that the client *requires* both the client's private key
and the client's public key. Certainly, when I give the client a "PKI
Keypair =" file which contains only the public key, I get an "Error:
openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM
routines:PEM_read_bio:no start line".
But what I'm trying to do here is make a machine, and its backup tapes,
safe from physical seizure. The root FS of the machine is unencrypted
(and so, therefore, is the /etc/bacula directory); the file system I'm
worried about is normally encrypted.
I've tried giving the FD a .pem file which includes an encrypted private
key, in the hope that it would ask for a passphrase at start time (in the
manner of apache), but instead I get "openssl.c:86 Unable to read private
key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password
read", so that's not working.
The above manual page on data encryption says that the encryption involves
three steps:
1. The File daemon generates a session key.
2. The FD encrypts that session key via PKE for all recipients (the file
daemon, any master keys).
3. The FD uses that session key to perform symmetric encryption on the data.
None of that seems to me to require the client's private key; only the
public one. Only restoration, or some other act requiring the decryption
of the filestream, seems to me to require the client's private key. Or is
there some other signing phase going on that I'm not catching on to?
Am I missing something, or is the only way to make this work to put the
Bacula FD's keys in plaintext, inside the encrypted filesystem?
Tom Yates
Cambridge, UK.
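As an added illustration (not from the original post and not Bacula's own code), here are the three steps the manual describes, done with the openssl command line: the backup side uses only the recipient's public key, and only the matching private key can unwrap the session key afterwards. The keypair, sample file and paths are all constructed for the demo; nothing here is a real FD key or Bacula's actual wrapping format.

```shell
#!/bin/sh
# Added demo of the manual's three steps: 1) session key, 2) wrap it for the
# recipient with public-key encryption, 3) symmetric encryption of the data.
# Keypair, sample file and paths are constructed here; nothing is a real FD key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/fd-private.pem" 2>/dev/null
openssl pkey -in "$WORK/fd-private.pem" -pubout -out "$WORK/fd-public.pem"
printf 'constructed sample payroll record\n' > "$WORK/plain.txt"

# Backup side: needs only the recipient's PUBLIC key.
# $1 = plaintext file, $2 = public key PEM, $3 = output directory
encrypt_for_recipient() {
    # Step 1: fresh random session key and IV for AES-256-CBC
    openssl rand -hex 32 > "$3/session.raw"
    openssl rand -hex 16 >> "$3/session.raw"
    # Step 2: wrap the session material with the public key (RSA-OAEP)
    openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$3/session.raw" -out "$3/session.enc"
    # Step 3: encrypt the data with the session key, then drop the plaintext key
    openssl enc -aes-256-cbc -K "$(sed -n 1p "$3/session.raw")" \
        -iv "$(sed -n 2p "$3/session.raw")" -in "$1" -out "$3/data.enc"
    rm -f "$3/session.raw"
}

# Restore side: the PRIVATE key is what unwraps the session key.
# $1 = directory holding session.enc and data.enc, $2 = private key PEM, $3 = output file
decrypt_with_private_key() {
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.enc" -out "$1/session.raw"
    openssl enc -d -aes-256-cbc -K "$(sed -n 1p "$1/session.raw")" \
        -iv "$(sed -n 2p "$1/session.raw")" -in "$1/data.enc" -out "$3"
    rm -f "$1/session.raw"
}

# Succeeds (exit 0) only if unwrapping with just the public key is refused.
public_key_cannot_unwrap() {
    ! openssl pkeyutl -decrypt -inkey "$WORK/fd-public.pem" \
        -in "$WORK/session.enc" -out /dev/null 2>/dev/null
}

encrypt_for_recipient "$WORK/plain.txt" "$WORK/fd-public.pem" "$WORK"
decrypt_with_private_key "$WORK" "$WORK/fd-private.pem" "$WORK/restored.txt"
cmp -s "$WORK/plain.txt" "$WORK/restored.txt" && echo "round trip with private key: OK"
public_key_cannot_unwrap && echo "unwrap with public key only: refused, as expected"
```

The demo only covers confidentiality; it does not reproduce any signing step, which is the part of the question the manual page quoted above leaves open.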
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users