4 \section*{Using Bacula to Encrypt Communications to Clients}
6 \index[general]{Clients!Using Bacula to Encrypt Communications to }
7 \index[general]{Using Bacula to Encrypt Communications to Clients }
8 \addcontentsline{toc}{section}{Using Bacula to Encrypt Communications to
11 At the current time, Bacula does not have built-in communications encryption.
12 However, without too much effort, it is possible to encrypt the communications
13 between any of the daemons. This chapter will show you how to use {\bf
14 stunnel} to encrypt communications to your client programs. We assume the
15 Director and the Storage daemon are running on one machine that will be called
16 {\bf server} and the Client or File daemon is running on a different machine
17 called {\bf client}. Although the details may be slightly different, the same
18 principles apply whether you are encrypting between Unix, Linux, or Win32
19 machines. This example was developed between two Linux machines running
20 stunnel version 4.04-4 on a Red Hat Enterprise 3.0 system.
22 \subsection*{Communications Ports Used}
23 \index[general]{Used!Communications Ports }
24 \index[general]{Communications Ports Used }
25 \addcontentsline{toc}{subsection}{Communications Ports Used}
27 First, you must know that with the standard Bacula configuration, the Director
28 will contact the File daemon on port 9102. The File daemon then contacts the
29 Storage daemon using the address and port parameters supplied by the Director.
30 The standard port used will be 9103. This in the typical server/client view of
31 the world, the File daemon is a server to the Director (i.e. listens for the
32 Director to contact it), and the Storage daemon is a server to the File
35 \subsection*{Encryption}
36 \index[general]{Encryption }
37 \addcontentsline{toc}{subsection}{Encryption}
39 The encryption is accomplished between the Director and the File daemon by
40 using an stunnel on the Director's machine (server) to encrypt the data and to
41 contact a stunnel on the File daemon's machine (client), which decrypts the
42 data and passes it to the client.
44 Between the File daemon and the Storage daemon, we use an stunnel on the File
45 daemon's machine to encrypt the data and another stunnel on the Storage
46 daemon's machine to decrypt the data.
48 As a consequence, there are actually four copies of stunnel running, two on
49 server and two on client. This may sound a bit complicated, but it really
50 isn't. To accomplish this, we will need to construct four separate conf files
51 for stunnel, and we will need to make some minor modifications to the
52 Director's conf file. None of the other conf files need to be changed.
54 \subsection*{A Picture}
55 \index[general]{Picture }
56 \addcontentsline{toc}{subsection}{Picture}
58 Since pictures usually help a lot, here is an overview of what we will be
59 doing. Don't worry about all the details of the port numbers and such for the
67 Port 29102 >----| Stunnel 1 |-----> Port 9102
71 Port 9103 >----| Stunnel 2 |-----> server:29103
76 Port 29102 >----| Stunnel 3 |-----> client:29102
80 Port 29103 >----| Stunnel 4 |-----> 9103
85 \subsection*{Certificates}
86 \index[general]{Certificates }
87 \addcontentsline{toc}{subsection}{Certificates}
89 In order for stunnel to function as a server, which it does in our diagram for
90 Stunnel 1 and Stunnel 4, you must have a certificate and the key. It is
91 possible to keep the two in separate files, but normally, you keep them in one
92 single .pem file. You may create this certificate yourself in which case, it
93 will be self-signed, or you may have it signed by a CA.
95 If you want your clients to verify that the server is in fact valid (Stunnel 2
96 and Stunnel 3), you will need to have the server certificates signed by a CA
97 (Certificate Authority), and you will need to have the CA's public certificate
98 (contains the CA's public key).
100 Having a CA signed certificate is {\bf highly} recommended if you are using
101 your client across the Internet, otherwise you are exposed to the man in the
102 middle attack and hence loss of your data.
104 See below for how to create a self-signed certificate.
106 \subsection*{Securing the Data Channel}
107 \index[general]{Channel!Securing the Data }
108 \index[general]{Securing the Data Channel }
109 \addcontentsline{toc}{subsection}{Securing the Data Channel}
111 To simplify things a bit, let's for the moment consider only the data channel.
112 That is the connection between the File daemon and the Storage daemon, which
113 takes place on port 9103. In fact, in a minimalist solution, this is the only
114 connection needs to be encrypted, because it is the one that transports your
115 data. The connection between the Director and the File daemon is simply a
116 control channel used to start the job and get the job status.
118 Normally the File daemon will contact the Storage daemon on port 9103
119 (supplied by the Director), so we need a stunnel that listens on port 9103 on
120 the File daemon's machine, encrypts the data and sends it to the Storage
121 daemon. This is depicted by Stunnel 2 above. Note that this stunnel is
122 listening on port 9103 and sending to server:29103. We use port 29103 on the
123 server because if we sent the data to port 9103, it would go directly to the
124 Storage daemon, which doesn't understand encrypted data. On the server
125 machine, we run Stunnel 4, which listens on port 29103, decrypts the data and
126 sends it to the Storage daemon, which is listening on port 9103.
128 \subsection*{Modification of bacula-dir.conf for the Data Channel}
129 \index[general]{Modification of bacula-dir.conf for the Data Channel }
130 \index[general]{Channel!Modification of bacula-dir.conf for the Data }
131 \addcontentsline{toc}{subsection}{Modification of bacula-dir.conf for the Data
134 The Storage resource of the bacula-dir.conf normally looks something like the
143 Password = storage_password
150 Notice that this is running on the server machine, and it points the File
151 daemon back to server:9103, which is where our Storage daemon is listening. We
160 Password = storage_password
167 This causes the File daemon to send the data to the stunnel running on
168 localhost (the client machine). We could have used client as the address as
171 \subsection*{config Files for stunnel to Encrypt the Data Channel}
172 \index[general]{Config Files for stunnel to Encrypt the Data Channel }
173 \index[general]{Channel!config Files for stunnel to Encrypt the Data }
174 \addcontentsline{toc}{subsection}{config Files for stunnel to Encrypt the Data
177 In the diagram above, we see above Stunnel 2 that we stunnel-fd2.conf on
178 client. A pretty much minimal config file would look like the following:
184 accept = localhost:9103
185 connect = server:29103
189 The above config file does encrypt the data but it does not require a
190 certificate, so it is subject to the man in the middle attack. The file I
191 actually used, stunnel-fd2.conf, looked like this:
196 # Stunnel conf for Bacula client -> SD
198 pid = /home/kern/bacula/bin/working/stunnel.pid
200 # A cert is not mandatory here. If verify=2, a
201 # cert signed by a CA must be specified, and
202 # either CAfile or CApath must point to the CA's
205 cert = /home/kern/stunnel/stunnel.pem
206 CAfile = /home/kern/ssl/cacert.pem
212 accept = localhost:9103
213 connect = server:29103
217 You will notice that I specified a pid file location because I ran stunnel
218 under my own userid so I could not use the default, which requires root
219 permission. I also specified a certificate that I have as well as verify level
220 2 so that the certificate is required and verified, and I must supply the
221 location of the CA (Certificate Authority) certificate so that the stunnel
222 certificate can be verified. Finally, you will see that there are two lines
223 commented out, which when enabled, produce a lot of nice debug info in the
226 If you do not have a signed certificate (stunnel.pem), you need to delete the
227 cert, CAfile, and verify lines.
229 Note that the stunnel.pem, is actually a private key and a certificate in a
230 single file. These two can be kept and specified individually, but keeping
231 them in one file is more convenient.
233 The config file, stunnel-sd.conf, needed for Stunnel 4 on the server machine
239 # Bacula stunnel conf for Storage daemon
241 pid = /home/kern/bacula/bin/working/stunnel.pid
243 # A cert is mandatory here, it may be self signed
244 # If it is self signed, the client may not use
247 cert = /home/kern/stunnel/stunnel.pem
257 \subsection*{Starting and Testing the Data Encryption}
258 \index[general]{Starting and Testing the Data Encryption }
259 \index[general]{Encryption!Starting and Testing the Data }
260 \addcontentsline{toc}{subsection}{Starting and Testing the Data Encryption}
262 It will most likely be the simplest to implement the Data Channel encryption
263 in the following order:
266 \item Setup and run Bacula backing up some data on your client machine
269 \item Modify the Storage resource in the Director's conf file.
271 \item Start stunnel on the server with:
275 stunnel stunnel-sd.conf
280 \item Start stunnel on the client with:
284 stunnel stunnel-fd2.conf
290 \item If it doesn't work, turn debug on in both stunnel conf files, restart
291 the stunnels, rerun the job, repeat until it works.
294 \subsection*{Encrypting the Control Channel}
295 \index[general]{Channel!Encrypting the Control }
296 \index[general]{Encrypting the Control Channel }
297 \addcontentsline{toc}{subsection}{Encrypting the Control Channel}
299 The Job control channel is between the Director and the File daemon, and as
300 mentioned above, it is not really necessary to encrypt, but it is good
301 practice to encrypt it as well. The two stunnels that are used in this case
302 will be Stunnel 1 and Stunnel 3 in the diagram above. Stunnel 3 on the server
303 might normally listen on port 9102, but if you have a local File daemon, this
304 will not work, so we make it listen on port 29102. It then sends the data to
305 client:29102. Again we use port 29102 so that the stunnel on the client
306 machine can decrypt the data before passing it on to port 9102 where the File
309 \subsection*{Modification of bacula-dir.conf for the Control Channel}
310 \index[general]{Channel!Modification of bacula-dir.conf for the Control }
311 \index[general]{Modification of bacula-dir.conf for the Control Channel }
312 \addcontentsline{toc}{subsection}{Modification of bacula-dir.conf for the
315 We need to modify the standard Client resource, which would normally look
344 This will cause the Director to send the control information to
345 localhost:29102 instead of directly to the client.
347 \subsection*{config Files for stunnel to Encrypt the Control Channel}
348 \index[general]{Config Files for stunnel to Encrypt the Control Channel }
349 \index[general]{Channel!config Files for stunnel to Encrypt the Control }
350 \addcontentsline{toc}{subsection}{config Files for stunnel to Encrypt the
353 The stunnel config file, stunnel-dir.conf, for the Director's machine would
354 look like the following:
359 # Bacula stunnel conf for the Directory to contact a client
361 pid = /home/kern/bacula/bin/working/stunnel.pid
363 # A cert is not mandatory here. If verify=2, a
364 # cert signed by a CA must be specified, and
365 # either CAfile or CApath must point to the CA's
368 cert = /home/kern/stunnel/stunnel.pem
369 CAfile = /home/kern/ssl/cacert.pem
375 accept = localhost:29102
376 connect = client:29102
380 and the config file, stunnel-fd1.conf, needed to run stunnel on the Client
386 # Bacula stunnel conf for the Directory to contact a client
388 pid = /home/kern/bacula/bin/working/stunnel.pid
390 # A cert is not mandatory here. If verify=2, a
391 # cert signed by a CA must be specified, and
392 # either CAfile or CApath must point to the CA's
395 cert = /home/kern/stunnel/stunnel.pem
396 CAfile = /home/kern/ssl/cacert.pem
402 accept = localhost:29102
403 connect = client:29102
407 \subsection*{Starting and Testing the Control Channel}
408 \index[general]{Starting and Testing the Control Channel }
409 \index[general]{Channel!Starting and Testing the Control }
410 \addcontentsline{toc}{subsection}{Starting and Testing the Control Channel}
412 It will most likely be the simplest to implement the Control Channel
413 encryption in the following order:
417 \item Modify the Client resource in the Director's conf file.
419 \item Start stunnel on the server with:
423 stunnel stunnel-dir.conf
428 \item Start stunnel on the client with:
432 stunnel stunnel-fd1.conf
438 \item If it doesn't work, turn debug on in both stunnel conf files, restart
439 the stunnels, rerun the job, repeat until it works.
442 \subsection*{Using stunnel to Encrypt to a Second Client}
443 \index[general]{Using stunnel to Encrypt to a Second Client }
444 \index[general]{Client!Using stunnel to Encrypt to a Second }
445 \addcontentsline{toc}{subsection}{Using stunnel to Encrypt to a Second Client}
447 On the client machine, you can just duplicate the setup that you have on the
448 first client file for file and it should work fine.
450 In the bacula-dir.conf file, you will want to create a second client pretty
451 much identical to how you did for the first one, but the port number must be
452 unique. We previously used:
466 so for the second client, we will, of course, have a different name, and we
467 will also need a different port. Remember that we used port 29103 for the
468 Storage daemon, so for the second client, we can use port 29104, and the
469 Client resource would look like:
483 Now, fortunately, we do not need a third stunnel to on the Director's machine,
484 we can just add the new port to the config file, stunnel-dir.conf, to make:
489 # Bacula stunnel conf for the Directory to contact a client
491 pid = /home/kern/bacula/bin/working/stunnel.pid
493 # A cert is not mandatory here. If verify=2, a
494 # cert signed by a CA must be specified, and
495 # either CAfile or CApath must point to the CA's
498 cert = /home/kern/stunnel/stunnel.pem
499 CAfile = /home/kern/ssl/cacert.pem
505 accept = localhost:29102
506 connect = client:29102
508 accept = localhost:29102
509 connect = client2:29102
513 There are no changes necessary to the Storage daemon or the other stunnel so
514 that this new client can talk to our Storage daemon.
516 \subsection*{Creating a Self-signed Certificate}
517 \index[general]{Creating a Self-signed Certificate }
518 \index[general]{Certificate!Creating a Self-signed }
519 \addcontentsline{toc}{subsection}{Creating a Self-signed Certificate}
521 You may create a self-signed certificate for use with stunnel that will permit
522 you to make it function, but will now allow certificate validation. The .pem
523 file containing both the certificate and the key can be made with the
524 following, which I put in a file named {\bf makepem}:
530 # Simple shell script to make a .pem file that can be used
531 # with stunnel and Bacula
535 PEM1=`/bin/mktemp openssl.XXXXXX`
536 PEM2=`/bin/mktemp openssl.XXXXXX`
537 ${OPENSSL} req -newkey rsa:1024 -keyout $PEM1 -nodes \
538 -x509 -days 365 -out $PEM2
539 cat $PEM1 > stunnel.pem
540 echo "" >>stunnel.pem
541 cat $PEM2 >>stunnel.pem
546 The above script will ask you a number of questions. You may simply answer
547 each of them by entering a return, or if you wish you may enter your own data.
550 \subsection*{Getting a CA Signed Certificate}
551 \index[general]{Certificate!Getting a CA Signed }
552 \index[general]{Getting a CA Signed Certificate }
553 \addcontentsline{toc}{subsection}{Getting a CA Signed Certificate}
555 The process of getting a certificate that is signed by a CA is quite a bit
556 more complicated. You can purchase one from quite a number of PKI vendors, but
557 that is not at all necessary for use with Bacula. To get a CA signed
558 certificate, you will either need to find a friend that has setup his own CA
559 or to become a CA yourself, and thus you can sign all your own certificates.
560 The book OpenSSL by John Viega, Matt Mesier \& Pravir Chandra from O'Reilly
561 explains how to do it, or you can read the documentation provided in the
562 Open-source PKI Book project at Source Forge:
564 http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}
565 {http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}.
566 Note, this link may change.
568 \subsection*{Using ssh to Secure the Communications}
569 \index[general]{Communications!Using ssh to Secure the }
570 \index[general]{Using ssh to Secure the Communications }
571 \addcontentsline{toc}{subsection}{Using ssh to Secure the Communications}
573 Please see the script {\bf ssh-tunnel.sh} in the {\bf examples} directory. It
574 was contributed by Stephan Holl.