Bacula-users

Re: [Bacula-users] restoring encrypted file - missing private key error

2013-10-25 13:08:28
Subject: Re: [Bacula-users] restoring encrypted file - missing private key error
From: Jared Kelley <jkelley AT popcap DOT com>
To: Jared Kelley <jkelley AT popcap DOT com>, "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>
Date: Fri, 25 Oct 2013 10:05:10 -0700
This was solved by removing the password from the master.key file:

openssl rsa -in master.key -out master.nopass.key




On 10/22/13 10:25 AM, "Jared Kelley" <jkelley AT popcap DOT com> wrote:

>I'm running bacula Version: 5.0.2 (28 April 2010) on my backup server.
>
>I am trying to restore a file that is encrypted during backup from host A
>to host B and I get the following error on the failed restore:
> 
>
>22-Oct 16:28 backup1-dir JobId 40417: Start Restore Job
>RestoreFiles.2013-10-22_16.28.35_19
>22-Oct 16:28 backup1-dir JobId 40417: Using Device "FileStorage"
>22-Oct 16:28 backup1-sd JobId 40417: Ready to read from volume
>"filestorage0091" on device "FileStorage" (/backups/Bacula-FileStorage/).
>22-Oct 16:28 backup1-sd JobId 40417: Forward spacing Volume
>"filestorage0091" to file:block 1:817723792.
>22-Oct 16:28 backup1-sd JobId 40417: End of Volume at file 1 on device
>"FileStorage" (/backups/Bacula-FileStorage/), Volume "filestorage0091"
>22-Oct 16:28 backup1-sd JobId 40417: End of all volumes.
>22-Oct 16:28 utility2-fd JobId 40417: Error: Missing private key required
>to decrypt encrypted backup data.
>22-Oct 16:28 backup1-dir JobId 40417: Error: Bacula backup1-dir 5.0.2
>(28Apr10): 22-Oct-2013 16:28:37
>  Build OS:               i486-pc-linux-gnu debian 6.0.3
>  JobId:                  40417
>  Job:                    RestoreFiles.2013-10-22_16.28.35_19
>  Restore Client:         HOST B
>  Start time:             22-Oct-2013 16:28:37
>  End time:               22-Oct-2013 16:28:37
>  Files Expected:         1
>  Files Restored:         1
>  Bytes Restored:         0
>  Rate:                   0.0 KB/s
>  FD Errors:              1
>  FD termination status:  Error
>  SD termination status:  OK
>  Termination:            *** Restore Error ***
>
>So I've tried the restore with the host A key pair file copied to host B.
>Modified the key pair file name to match the bacula-fd.conf on host b,
>restarted bacula-fd on host b.
>I've also copied the master cert over from the backup server and modified
>bacula-fd.conf on host B to use that key pair with a restart of bacula-fd
>on host b.
>Both result in the error above on restore.
>I've also modified the bacula-fd.conf to use the master.pem and
>master.cert files.  Same error.
>Running md5sum on the key pairs I have verified they are the same on both
>host A and host B as well as the master cert and .pem on backup server,
>host A and host B.
>Below are my bacula-fd.conf files on host A and host B.
>
>I'm stumped why this restore of encrypted file fails with missing key
>error when the key pair is present and identical on both hosts as well as
>restoring with the master.cert and .pem when it is the same on all hosts.
> For what it's worth, I can successfully restore the encrypted file on the
>host it was backed up on, Host A, with no issue.
>
>I've exhausted my resources, any help with this would be greatly
>appreciated.
>
>HOST A bacula-fd.conf
>
>
>
>#
># List Directors who are permitted to contact this File daemon
>#
>Director {
>  Name = backup1-dir
>  Password = "+C6cLMGyZ5pAF1ldsdZvU8ZrhVM2HY4BkplBVL+61l8v"
>}
>
>#
># Restricted Director, used by tray-monitor to get the
>#   status of the file daemon
>#
>Director {
>  Name = HOSTA-mon
>  Password = "E4LSasq00M0PosQJl6cy5O32WIKtRIp3Qw9Ay"
>  Monitor = yes
>}
>
>#
># "Global" File daemon configuration specifications
>#
>FileDaemon {                          # this is me
>  Name = HOSTA-fd
>  FDport = 9102                  # where we listen for the director
>  WorkingDirectory = /var/lib/bacula
>  Pid Directory = /var/run/
>  Maximum Concurrent Jobs = 20
>
>### BEGIN ENCRYPTION
>  PKI Signatures = Yes             # Enable Data Signing
>  PKI Encryption = Yes            # Enable Data Encryption
>  PKI Keypair = "/etc/bacula/manage2.pem"    # Public and Private Keys
>  PKI Master Key = "/etc/bacula/master.cert"    # ONLY the Public Key
>### END ENCRYPTION
>}
>
># Send all messages except skipped files back to Director
>Messages {
>  Name = Standard
>  director = backup1-dir = all, !skipped, !restored
>}
>
>
>
>
>######################################
>######################################
>
>######################################
>
>
>HOST B bacula-fd.conf
>
>#
># PopCap Bacula client configuration file
># This file is distributed by cfengine
># Edit on server-lifecycle-1
>#
>
>#
># List Directors who are permitted to contact this File daemon
>#
>Director {
>  Name = backup1-dir
>  Password = "+C6cLMGyZ5pAF1ldsdZvU8ZrhVM2HY4BkplBVL+61l8v"
>}
>
>#
># Restricted Director, used by tray-monitor to get the
>#   status of the file daemon
>#
>Director {
>  Name = HOSTB-mon
>  Password = "E4LSasq00M0PosQJl6cy5O32WIKtRIp3Qw9Ay"
>  Monitor = yes
>}
>
>#
># "Global" File daemon configuration specifications
>#
>FileDaemon {                          # this is me
>  Name = HOSTB-fd
>  FDport = 9102                  # where we listen for the director
>  WorkingDirectory = /var/lib/bacula
>  Pid Directory = /var/run/
>  Maximum Concurrent Jobs = 20
>
>### BEGIN ENCRYPTION
>  PKI Signatures = Yes            # Enable Data Signing
>  PKI Encryption = Yes            # Enable Data Encryption
>  PKI Keypair = "/etc/bacula/utility2.pem"    # Public and Private Keys
>  PKI Master Key = "/etc/bacula/master.cert"    # ONLY the Public Key
>### END ENCRYPTION
>}
>
># Send all messages except skipped files back to Director
>Messages {
>  Name = Standard
>  director = backup1-dir = all, !skipped, !restored
>}
>
>
>################
>
>################
>################
>
>output from successful backup job showing encryption:   Yes
>
>
>22-Oct 17:21 backup1-dir JobId 40421: Start Backup JobId 40421,
>Job=HOSTA:default.2013-10-22_17.21.01_08
>22-Oct 17:21 backup1-dir JobId 40421: Using Device "FileStorage"
>22-Oct 17:21 backup1-sd JobId 40421: Volume "filestorage0544" previously
>written, moving to end of data.
>22-Oct 17:21 backup1-sd JobId 40421: Ready to append to end of Volume
>"filestorage0544" size=3330847211
>22-Oct 17:21 backup1-sd JobId 40421: Job write elapsed time = 00:00:01,
>Transfer rate = 2.017 K Bytes/second
>22-Oct 17:21 backup1-dir JobId 40421: Bacula backup1-dir 5.0.2 (28Apr10):
>22-Oct-2013 17:21:03
>  Build OS:               i486-pc-linux-gnu debian 6.0.3
>  JobId:                  40421
>  Job:                    HOSTA:default.2013-10-22_17.21.01_08
>  Backup Level:           Differential, since=2013-10-22 01:52:23
>  Client:                 "HOSTA" 5.0.2 (28Apr10)
>x86_64-pc-linux-gnu,debian,6.0.6
>  FileSet:                "HOSTA" 2013-10-16 17:44:53
>  Pool:                   "Disk" (From Job resource)
>  Catalog:                "MyCatalog" (From Client resource)
>  Storage:                "File" (From Pool resource)
>  Scheduled time:         22-Oct-2013 17:21:00
>  Start time:             22-Oct-2013 17:21:03
>  End time:               22-Oct-2013 17:21:03
>  Elapsed time:           0 secs
>  Priority:               10
>  FD Files Written:       2
>  SD Files Written:       2
>  FD Bytes Written:       1,504 (1.504 KB)
>  SD Bytes Written:       2,017 (2.017 KB)
>  Rate:                   0.0 KB/s
>  Software Compression:   None
>  VSS:                    no
>  Encryption:             yes
>  Accurate:               no
>  Volume name(s):         filestorage0544
>  Volume Session Id:      4
>  Volume Session Time:    1382459539
>  Last Volume Bytes:      3,330,849,714 (3.330 GB)
>  Non-fatal FD errors:    0
>  SD Errors:              0
>  FD termination status:  OK
>  SD termination status:  OK
>  Termination:            Backup OK
>
>22-Oct 17:21 backup1-dir JobId 40421: Begin pruning Jobs older than 7
>years .
>22-Oct 17:21 backup1-dir JobId 40421: No Jobs found to prune.
>22-Oct 17:21 backup1-dir JobId 40421: Begin pruning Jobs.
>22-Oct 17:21 backup1-dir JobId 40421: No Files found to prune.
>22-Oct 17:21 backup1-dir JobId 40421: End auto prune.
>
>
>
>
>
>


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
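
A pre-restore check for the condition the reply above fixed, as an added example that is not part of the original thread: it reads the PKI Keypair path from a bacula-fd.conf and reports whether the private key in that PEM file is passphrase-protected. The function names, the optional root prefix and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; PEM bodies are constructed placeholders.

# Print the path from the first PKI Keypair directive, as spelled in the post.
pki_keypair_path() {
    sed -n 's/^[[:space:]]*PKI Keypair[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print encrypted | plain | none for the private key block in a PEM file.
pem_key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                      # PKCS#8 encrypted container
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        # Traditional OpenSSL format marks encryption in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo plain
        fi
    else
        echo none                           # certificate only, no key
    fi
}

# check_fd_conf CONF [ROOT]: report the keypair state; succeed only if plain.
check_fd_conf() {
    path=$(pki_keypair_path "$1")
    state=$(pem_key_state "${2:-}$path")
    echo "$path: $state"
    [ "$state" = plain ]
}

# Constructed sample: a conf fragment and a passphrase-protected key file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/bacula"
cat > "$demo_root/bacula-fd.conf" <<'EOF'
FileDaemon {
  PKI Keypair = "/etc/bacula/utility2.pem"    # Public and Private Keys
}
EOF
cat > "$demo_root/etc/bacula/utility2.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

(constructed placeholder body)
-----END RSA PRIVATE KEY-----
EOF
check_fd_conf "$demo_root/bacula-fd.conf" "$demo_root" || echo "key is not plain"
```

A key written without a passphrase is protected only by file permissions, so keep it readable by the File Daemon's user alone and remove a master private key from the client once the restore is done.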