On Wed, 18 Feb 2009, Martin Simmons wrote:
> Does the private key have to be the one associated with the public key?
> It looks like the code loads them separately, so perhaps another
> solution is to use two key pairs and make a pem file containing the
> public key of one and the private key of the other (assuming openssl
> allows that)?

Elegant, and it works. I made two keypairs (risby-sign and risby-encrypt)
and put risby-sign.key and risby-encrypt.cert into the PEM file specified
in "PKI Keypair =".

The fd process restarted fine, did a test backup fine. When I tried a
test restore, it failed (as it should) with "restore.c:488 Failed to
initialize decryption context for
/tmp/bacula-restores/big/home/madhatta/TESTFILE".

When I replace the PEM file with one containing both halves of the
encryption key (risby-encrypt.key and risby-encrypt.cert) and restart the
FD, the restore still errors on validating the signature ("restore.c:839
Signature validation failed for file
/tmp/bacula-restores/big/home/madhatta/TESTFILE: ERR=Signature is
invalid") (which is expected, because now it has *neither* part of the
signing keypair), but the file restores correctly:

4bed0f14512d1290931529b1bc233a0bfe362614 /big/home/madhatta/TESTFILE
4bed0f14512d1290931529b1bc233a0bfe362614 /tmp/bacula-restores/big/home/madhatta/TESTFILE

As I say: elegant - and thank you!

--
Tom Yates - http://www.teaparty.net
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
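
The two PEM layouts described in the message above, as an added example that is not part of the original post or of Bacula's own tooling: it builds both files with openssl and checks whether the private key and certificate inside each belong to the same keypair. The output file names (fd-backup.pem, fd-restore.pem), the 2048-bit self-signed RSA certificates and the helper function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: build the "split" PEM (signing key + encryption cert) and the
# "matched" PEM (both halves of the encryption pair), then verify which is which.
set -euo pipefail

# Create a self-signed keypair <dir>/<name>.key and <dir>/<name>.cert (assumed parameters).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.cert" 2>/dev/null
}

# Concatenate a private key and a certificate into one PEM, readable by owner only.
build_pem() {
    ( umask 077; cat "$1" "$2" > "$3" )
}

# Print "matched" if the private key and the certificate in the PEM file share
# a public key, "split" if they come from different keypairs.
pem_kind() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout)
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    if [ "$from_key" = "$from_cert" ]; then echo matched; else echo split; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_pair "$work" risby-sign
make_pair "$work" risby-encrypt

# PEM for day-to-day backups: no private half of the encryption pair on the client.
build_pem "$work/risby-sign.key" "$work/risby-encrypt.cert" "$work/fd-backup.pem"
# PEM swapped in only for a restore: both halves of the encryption pair.
build_pem "$work/risby-encrypt.key" "$work/risby-encrypt.cert" "$work/fd-restore.pem"

echo "fd-backup.pem:  $(pem_kind "$work/fd-backup.pem")"
echo "fd-restore.pem: $(pem_kind "$work/fd-restore.pem")"
```

Running the same `pem_kind` check against the file named in "PKI Keypair =" is a quick way to confirm that a client does not hold the private half of its encryption pair.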