Bacula encrypt backups
Generation of master key pair
Each client has its own key pair. The master key additionally allows a backup to be decrypted if the client's keys are no longer available.
openssl genrsa -out master.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................................................................++
.........................................................................................++
e is 65537 (0x10001)

openssl req -new -key master.key -x509 -out master.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Miami
Organization Name (eg, company) [Internet Widgits Pty Ltd]:oamis
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:director.oamis.net
Email Address []:servers@oamis.net
Generation of client key pair
openssl genrsa -out client.key 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................................++
........................................................................................................++
e is 65537 (0x10001)

openssl req -new -key client.key -x509 -out client.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Miami
Organization Name (eg, company) [Internet Widgits Pty Ltd]:oamis
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client.oamis.net
Email Address []:servers@oamis.net

cat client.key client.crt > client.pem
Add the certificates to the File Daemon (fd) client
Stop the File Daemon
systemctl stop bacula-fd
Add these lines to /etc/bacula/bacula-fd.conf. Only master.crt (the public half of the master pair) is placed on the client; master.key stays with whoever must be able to recover backups when the client keys are lost.
PKI Signatures = Yes                              # Enable Data Signing
PKI Encryption = Yes                              # Enable Data Encryption
PKI Keypair = "/etc/bacula/certs/client.pem"      # Public and Private Keys
PKI Master Key = "/etc/bacula/certs/master.crt"   # ONLY the Public Key
PkiCipher = AES256
Start the File Daemon
systemctl start bacula-fd
systemctl status bacula-fd
● bacula-fd.service - Bacula File Daemon service
   Loaded: loaded (/lib/systemd/system/bacula-fd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-08-11 18:18:51 EDT; 3s ago
     Docs: man:bacula-fd(8)
  Process: 13959 ExecStartPre=/usr/sbin/bacula-fd -t -c $CONFIG (code=exited, status=0/SUCCESS)
 Main PID: 13960 (bacula-fd)
    Tasks: 2 (limit: 2310)
   CGroup: /system.slice/bacula-fd.service
           └─13960 /usr/sbin/bacula-fd -fP -c /etc/bacula/bacula-fd.conf

Aug 11 18:18:51 client systemd[1]: Starting Bacula File Daemon service...
Aug 11 18:18:51 client systemd[1]: Started Bacula File Daemon service.
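The whole procedure above as one script, added here as an example and not taken from the original page: it runs the same openssl commands non-interactively, keeps private keys mode 0600, checks that the client only ever holds master.crt and never master.key, prints the bacula-fd.conf stanza and runs the same config check the systemd unit runs. It assumes openssl, a root shell on the client, the cert directory /etc/bacula/certs and the DN values from the interactive session above.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive form of the
# openssl steps above. Assumes openssl, a root shell on the client, and the
# DN values from the page's interactive session.
set -eu
CERT_DIR="${CERT_DIR:-/etc/bacula/certs}"
DAYS=3650
SUBJ_MASTER="/C=US/ST=Florida/L=Miami/O=oamis/CN=director.oamis.net/emailAddress=servers@oamis.net"
SUBJ_CLIENT="/C=US/ST=Florida/L=Miami/O=oamis/CN=client.oamis.net/emailAddress=servers@oamis.net"

# Same two openssl calls as the page, with -subj instead of prompts and the
# private key written under umask 077. Run once for the master pair (on the
# host that keeps master.key) and once per client.
gen_pair() { # gen_pair <name> <subject>
    (umask 077 && openssl genrsa -out "$1.key" 4096)
    openssl req -new -key "$1.key" -x509 -out "$1.crt" -days "$DAYS" -subj "$2"
}

# PKI stanza for /etc/bacula/bacula-fd.conf; only master.crt is referenced.
render_fd_pki() { # render_fd_pki <cert dir>
    cat <<EOF
PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "$1/client.pem"
PKI Master Key = "$1/master.crt"
PkiCipher = AES256
EOF
}

# Check the invariant the page states: client.pem holds key + certificate,
# and the only master material on the client is the certificate. Exit 0/1.
verify_layout() { # verify_layout <cert dir>
    grep -q "PRIVATE KEY" "$1/client.pem" || return 1
    grep -q "BEGIN CERTIFICATE" "$1/client.pem" || return 1
    grep -q "BEGIN CERTIFICATE" "$1/master.crt" || return 1
    ! grep -q "PRIVATE KEY" "$1/master.crt" || return 1
    [ ! -e "$1/master.key" ] || return 1
}

# Client side: master.crt already copied into $CERT_DIR; client pair made here.
install_client_pki() { # install_client_pki <cert dir>
    mkdir -p "$1" && cd "$1"
    gen_pair client "$SUBJ_CLIENT"
    (umask 077 && cat client.key client.crt > client.pem)
    verify_layout "$1"
    render_fd_pki "$1"
    bacula-fd -t -c /etc/bacula/bacula-fd.conf   # config check, as ExecStartPre does
}
case "${1:-}" in master) gen_pair master "$SUBJ_MASTER" ;; install) install_client_pki "$CERT_DIR" ;; esac
```

Run `sh script.sh master` on the host that keeps the master key, copy master.crt to the client, then `sh script.sh install` there before the `systemctl start bacula-fd` step.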
References
Daniel Simao 17:06, 11 August 2019 (EDT)