does the Director or the Storage Daemon have access to unencrypted file
contents.
-
+\smallskip
It is very important to specify what this implementation does NOT
do:
\begin{bsysitemize}
not encrypted. However, Mac OS X resource forks are encrypted.
\end{bsysitemize}
+\smallskip
Encryption and signing are implemented using RSA private keys coupled with
self-signed x509 public certificates. This is also sometimes known as PKI
or Public Key Infrastructure.
+\smallskip
Each File Daemon should be given its own unique private/public key pair.
In addition to this key pair, any number of "Master Keys" may be specified
-- these are key pairs that may be used to decrypt any backups should the
be made available to the File Daemon. Under no circumstances should the
Master Private Key be shared or stored on the Client machine.
+\smallskip
The Master Keys should be backed up to a secure location, such as a CD
placed in a in a fire-proof safe or bank safety deposit box. The Master
Keys should never be kept on the same machine as the Storage Daemon or
Director if you are worried about an unauthorized party compromising either
machine and accessing your encrypted backups.
+\smallskip
While less critical than the Master Keys, File Daemon Keys are also a prime
candidate for off-site backups; burn the key pair to a CD and send the CD
home with the owner of the machine.
+\smallskip
NOTE!!! If you lose your encryption keys, backups will be unrecoverable.
{\bf ALWAYS} store a copy of your master keys in a secure, off-site location.
+\smallskip
The basic algorithm used for each backup session (Job) is:
\begin{enumerate}
\item The File daemon generates a session key.
\section{Building Bacula with Encryption Support}
\index[general]{Building Bacula with Encryption Support}
-The configuration option for enabling OpenSSL encryption support has not changed
-since Bacula 1.38. To build Bacula with encryption support, you will need
+To build Bacula with encryption support, you will need
the OpenSSL libraries and headers installed. When configuring Bacula, use:
\begin{lstlisting}
./configure --with-openssl ...
\end{lstlisting}
+\smallskip
+Please note, the Bacula Enterprise binaries are all built with
+encryption enabled.
+
\section{Encryption Technical Details}
\index[general]{Encryption Technical Details}
-
The implementation uses 128bit AES-CBC, with RSA encrypted symmetric
session keys. The RSA key is user supplied.
If you are running OpenSSL 0.9.8 or later, the signed file hash uses
SHA-256 -- otherwise, SHA-1 is used.
+\smallskip
End-user configuration settings for the algorithms are not currently
exposed -- only the algorithms listed above are used. However, the
data written to Volume supports arbitrary symmetric, asymmetric, and
- SHA512
\end{lstlisting}
+\smallskip
The various algorithms are exposed via an entirely re-usable,
OpenSSL-agnostic API (ie, it is possible to drop in a new encryption
backend). The Volume format is DER-encoded ASN.1, modeled after the
streaming DER decoder/encoder was not available.
-\section{Decrypting with a Master Key}
-\index[general]{Decrypting with a Master Key}
-It is preferable to retain a secure, non-encrypted copy of the
-client's own encryption keypair. However, should you lose the
-client's keypair, recovery with the master keypair is possible.
-
-You must:
-\begin{bsysitemize}
-\item Concatenate the master private and public key into a single
- keypair file, ie:
- cat master.key master.cert \gt master.keypair
-
-\item Set the PKI Keypair statement in your bacula configuration file:
+\section{Concepts}
+\index[general]{Encryption Implement Concepts}
+Data encription is configured in Bacula only in the File Daemon.
+The Job report that is produced at the end of each job has a
+line indicating whether or not encryption was enabled:
+\footnotesize
\begin{lstlisting}
- PKI Keypair = master.keypair
+ VSS: no
+ Encryption: no/yes <===
+ Accurate: no
+ ...
\end{lstlisting}
-
-\item Start the restore. The master keypair will be used to decrypt
- the file data.
-
-\end{bsysitemize}
+\normalsize
\section{Generating Private/Public Encryption Keys}
\index[general]{Generating Private/Public Encryption Keypairs}
-Generate a Master Key Pair with:
+Generate a Master Key Pair (once) with:
\footnotesize
\begin{lstlisting}
\end{lstlisting}
\normalsize
-Generate a File Daemon Key Pair for each FD:
+Save these files (master.key and master.cert) as you
+will need them to create File Daemon keys or in case
+you loose the File Daemon keys.
+\smallskip
+
+Generate a File Daemon Key Pair for each FD:
\footnotesize
\begin{lstlisting}
openssl genrsa -out fd-example.key 2048
\end{lstlisting}
\normalsize
+When configuring the File Daemon (next section), you will need
+the keys you just generated here, so you will need to transmit
+them to the machine where the FD is installed.
+
+\smallskip
Note, there seems to be a lot of confusion around the file extensions given
to these keys. For example, a .pem file can contain all the following:
private keys (RSA and DSA), public keys (RSA and DSA) and (x509) certificates.
private. We use it in cases where there is both a public and a private
key.
+\smallskip
Typically, above we have used the .cert extension to refer to X509
certificate encoding that contains only a single public key.
\index[general]{Example!Data Encryption Configuration File}
\index[general]{Example Data Encryption Configuration}
+When configuring the FD, use the keys generated above in a
+FD configuration file that will look something like the
+following:
+
+\smallskip
{\bf bacula-fd.conf}
\footnotesize
\begin{lstlisting}
FileDaemon {
Name = example-fd
FDport = 9102 # where we listen for the director
- WorkingDirectory = /var/bacula/working
+ WorkingDirectory = /opt/bacula/working
+ Pid Directory = /var/run
+ Maximum Concurrent Jobs = 20
+
+ PKI Signatures = Yes # Enable Data Signing
+ PKI Encryption = Yes # Enable Data Encryption
+ PKI Keypair = "/opt/bacula/etc/fd-example.pem" # Public and Private Keys
+ PKI Master Key = "/opt/bacula/etc/master.cert" # ONLY the Public Key
+}
+\end{lstlisting}
+\normalsize
+
+You must restart your File Daemon after making this change
+to the bacula-fd.conf file.
+
+\smallskip
+Note: the PKIMasterKey directive is not manditory, but if used
+will allow you to decrypt the files if ever the FD PKIKeypair is lost.
+If you loose the FD's PKIKeypair, you will not be able to recover
+your data unless you have used a PKIMasterKey.
+
+\section{Decrypting with a Master Key}
+\index[general]{Decrypting with a Master Key}
+It is preferable to retain a secure, non-encrypted copy of the
+client's own encryption keypair. However, should you lose the
+client's keypair, recovery with the master keypair is possible.
+
+\smallskip
+First create a keypair with:
+
+\footnotesize
+\begin{lstlisting}
+cat master.key master.cert >master.pem
+\end{lstlisting}
+\normalsize
+
+\smallskip
+Then modify your File Daemons configuration file to use
+the master keypair:
+
+\footnotesize
+\begin{lstlisting}
+FileDaemon {
+ Name = example-fd
+ FDport = 9102 # where we listen for the director
+ WorkingDirectory = /opt/bacula/working
Pid Directory = /var/run
Maximum Concurrent Jobs = 20
PKI Signatures = Yes # Enable Data Signing
PKI Encryption = Yes # Enable Data Encryption
- PKI Keypair = "/etc/bacula/fd-example.pem" # Public and Private Keys
- PKI Master Key = "/etc/bacula/master.cert" # ONLY the Public Key
+ PKI Keypair = "/opt/bacula/etc/master.pem" # Master Public and Private Keys
}
\end{lstlisting}
\normalsize
+
+\smallskip
+Restart your File Daemon and you should be able to recover your
+lost files.
+
projects / bacula / docs / commitdiff