Bacula-users

Re: [Bacula-users] Not working encryption

2015-07-03 11:23:06
Subject: Re: [Bacula-users] Not working encryption
From: Marcin Haba <ganiuszka AT gmail DOT com>
To: Jakubek Jakub <bacula AT 31337 DOT pl>
Date: Fri, 3 Jul 2015 17:21:06 +0200
Hello Jakubek,

Data encryption in Bacula takes place on the FileDaemon side, not on
the Storage Daemon side, and it is configured on the FileDaemon side. Data
is sent to the Storage Daemon already encrypted by the FileDaemon during
backup, and during restore data is received by the FileDaemon from the
Storage Daemon in encrypted form. The FileDaemon then decrypts the data.

It looks like you are probably from Poland. You can follow the links
below about data encryption (articles in Polish):

http://www.bacula.pl/artykul/58/szyfrowanie-danych-na-wolumenach-w-bacula-cz-1/
http://www.bacula.pl/artykul/59/szyfrowanie-danych-na-wolumenach-w-bacula-cz-2/

Best regards.
Marcin Haba (gani)

2015-07-03 16:07 GMT+02:00 Jakubek Jakub <bacula AT 31337 DOT pl>:
> Hi,
> I'm trying to configure Bacula with FD encryption. I started with
> http://www.bacula.com.br/manual/Data_Encryption.html but it doesn't work.
>
> My environment:
> bacula-dir on FreeBSD Version: 7.0.4 (04 June 2014)
> bacula-fd on Debian Version: 5.2.6 (21 February 2012)
>
> Configuration FD, at this moment I configured only FD:
> ##
> Director {
>   Name = back-dir
>   Password = "xxx"
> }
>
> FileDaemon {
>   Name = client-fd
>   FDport = 9102
>   WorkingDirectory = /var/lib/bacula
>   Pid Directory = /var/run/bacula
>   Maximum Concurrent Jobs = 20
>   PKI Signatures = Yes
>   PKI Encryption = Yes
>   PKI Keypair = "/etc/bacula/cert.pem"
>   PKI Master Key = "/etc/bacula/master.cert"
> }
>
> Messages {
>   Name = Standard
>   director = cwback-dir = all, !skipped, !restored
> }
> ###
>
> Certs on filesystem:
> root@gpgkeyserver:/etc/bacula# ls -ls master.cert cert.pem
> 4 -rw------- 1 root root 2977 Jul  3 13:41 cert.pem
> 4 -rw------- 1 root root 1285 Jul  3 13:41 master.cert
>
> cert.pem includes cert+key
> master.cert includes only master cert
>
> ###
>
> After executing job for client with enabled encryption I can find
> "Encryption:             yes" in summary. It means that files should be
> encrypted.
>
> Funny thing is that I didn't give any PKI information to bacula-dir so
> after all it shouldn't be possible to restore any data. At this moment I
> can restore all data without master key so it indicates that encryption
> is not working. Any ideas why it's not working? Maybe I'm doing it wrong?
>
> Debug containing PKI related part from bacula-fd:
> /usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf -dt -d 1000 -f -m
>
> 03-Jul-2015 15:45:28 bacula-fd: lex.c:237-0 fget line=12   PKI
> Signatures = Yes
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:925-0 parse state=1 pass=2
> got token=T_IDENTIFIER
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:974-0 in T_IDENT got
> token=T_EQUALS
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:980-0 calling handler for
> pkisignatures
> 03-Jul-2015 15:45:28 bacula-fd: lex.c:237-0 fget line=13   PKI
> Encryption = Yes
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:925-0 parse state=1 pass=2
> got token=T_IDENTIFIER
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:974-0 in T_IDENT got
> token=T_EQUALS
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:980-0 calling handler for
> pkiencryption
> 03-Jul-2015 15:45:28 bacula-fd: lex.c:237-0 fget line=14   PKI Keypair =
> "/etc/bacula/cert.pem"
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:925-0 parse state=1 pass=2
> got token=T_IDENTIFIER
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:974-0 in T_IDENT got
> token=T_EQUALS
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:980-0 calling handler for
> pkikeypair
> 03-Jul-2015 15:45:28 bacula-fd: lex.c:237-0 fget line=15   PKI Master
> Key = "/etc/bacula/master.cert"
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:925-0 parse state=1 pass=2
> got token=T_IDENTIFIER
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:974-0 in T_IDENT got
> token=T_EQUALS
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:980-0 calling handler for
> pkimasterkey
> 03-Jul-2015 15:45:28 bacula-fd: parse_conf.c:565-0 Append
> /etc/bacula/master.cert to alist 1d900f8 size=0 pkimasterkey
>
> Kind regards,
>
> --
> jakub
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users



-- 
"Greater love has no one than this, that someone lay down his life
for his friends." Jesus Christ
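
A check for the FileDaemon-side PKI setup discussed in this thread, added here as an example (it is not part of the original messages and not Bacula's own tooling). It assumes one directive per line, as in the quoted bacula-fd.conf; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check the PKI settings of a bacula-fd.conf.
# Assumption: one directive per line, as in the configuration quoted above.

# Print a directive's value; Bacula ignores case and spaces in directive names.
pki_value() {  # $1 = config file, $2 = directive name
  awk -v want="$2" '
    BEGIN { gsub(/ /, "", want); want = tolower(want) }
    /^[ \t]*#/ { next }
    (eq = index($0, "=")) {
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      if (key != want) next
      val = substr($0, eq + 1)
      sub(/^[ \t]*"?/, "", val); sub(/"?[ \t\r]*$/, "", val)
      print val; exit
    }' "$1"
}

has_cert() { grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; }
has_key()  { grep -Eq -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"; }

# Print findings; the return status is the number of problems found.
check_fd_pki() {  # $1 = path to bacula-fd.conf
  problems=0
  warn() { echo "WARN: $*"; problems=$((problems + 1)); }
  enc=$(pki_value "$1" "PKI Encryption" | tr 'A-Z' 'a-z')
  keypair=$(pki_value "$1" "PKI Keypair")
  master=$(pki_value "$1" "PKI Master Key")
  case $enc in yes|true) ;; *) warn "PKI Encryption is not enabled" ;; esac
  if [ ! -r "$keypair" ]; then
    warn "PKI Keypair missing or unreadable: '$keypair'"
  else
    has_cert "$keypair" || warn "keypair file has no certificate"
    has_key "$keypair"  || warn "keypair file has no private key; the FD cannot decrypt on restore"
    [ "$(ls -ld "$keypair" | cut -c5-10)" = "------" ] ||
      warn "keypair file is accessible to group/other"
  fi
  if [ -n "$master" ]; then
    if [ ! -r "$master" ]; then warn "PKI Master Key unreadable: '$master'"
    else
      has_cert "$master" || warn "master key file has no certificate"
      ! has_key "$master" || warn "master PRIVATE key is stored on the client"
    fi
  fi
  return "$problems"
}

if [ "$#" -gt 0 ]; then check_fd_pki "$1"; fi
```

Run it as `sh check.sh /etc/bacula/bacula-fd.conf`; a zero exit status means the keypair file holds a certificate plus private key readable only by its owner, and the master file holds a certificate only.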
