BaculaBacula supports encryption of backup volumes in order to protect the tapes or disks it writes to from prying eyes. Data encryption in Bacula works as adverstised; after creating a master key pair and a key pair for each file daemon, the configuration files on each fd that is to be protected (and I would recommend all of them) must be adjusted to use the newly created keys. The documentation doesn’t point out though, that certificates created as shown are only valid for thirty (30) days! In order to create certificates with a longer validity, the –days option must be used. Here I create a certificate valid for 10 years:

openssl genrsa -out master.key 2048
openssl req -new -key master.key -x509 -out master.cert -days 3650

which should be similarly applied to the certificate pairs created for each file daemon. In order to prove that encryption is actually being used in my environment, I’m going to backup a single file; the file’s content is a nursery rhyme which I can later easily recognize). I first perform a backup without encryption using bconsole. When that has completed, I see

  FD Bytes Written:       467 (467 B)
  SD Bytes Written:       556 (556 B)
  Rate:                   0.1 KB/s
  Software Compression:   None
  VSS:                    no
  Encryption:             no
  Volume name(s):         Vol001

in the messages, indicating that no encryption was used; correct. Performing a hex dump on the volume file shows the clear text of the nursery rhyme: Bacula w/o encryption After enabling data encryption on the file daemon by adding my keys and certificates to the bacula-fd.conf file

FileDaemon {
   Name = dad-fd
   FDport = 9102
   WorkingDirectory = /var/bacula/working
   Pid Directory = /var/run
   Maximum Concurrent Jobs = 4
   PKI Signatures = Yes            # Enable Data Signing
   PKI Encryption = Yes            # Enable Data Encryption
   PKI Keypair = "/etc/bacula/dad-fd.pem"    # Public and Private Keys
   PKI Master Key = "/etc/bacula/master.cert"    # ONLY the Public Key

I reset the whole system and start anew. A backup of the same file differs:

  FD Bytes Written:       1,120 (1.120 KB)
  SD Bytes Written:       1,527 (1.527 KB)
  Rate:                   0.1 KB/s
  Software Compression:   None
  VSS:                    no
  Encryption:             yes
  Volume name(s):         Vol001

Note how a larger amount of data has been written compared to the original size above, which is natural: data encryption causes overhead. And note how the file daemon informs us that encryption was performed. Looking at a hex dump of the output file Vol001 clearly indicates that the plain text is no longer visible: Bacula encrypted What remains visible though is the file’s meta data (i.e the path names); Bacula doesn’t encrypt them but this is clearly documented. I’m sure the little bit of overhead in configuration and stored data will make many a systems administrator sleep more soundly. I certainly know that I will. ;-)

Linux, Security, Database, MacOSX, CLI, and Backup :: 17 May 2007 :: e-mail