Today’s post covers Bacula Data Encryption. This is the third and final post on Bacula with OpenSSL; the other two posts are PostgreSQL SSL Connection with Bacula & Bacula TLS Encryption.

This is by far the simplest to configure of the three posts on securing Bacula, but it is also one of the most important. First, it concerns data storage that may not be in your hands: leaving backups unencrypted with a third party creates the risk of them being taken if they are not sufficiently guarded, which is tantamount to giving someone access to your entire systems. Secondly, it is important because if you lose the PKI Keypair that your data was backed up with, you effectively lose all your backups.

NOTE: I am running Bacula on OmniOS and the client on Fedora, however the following information should be suitable for all systems with minor variations.

Like in my previous posts, I start by issuing a certificate for the Bacula server. It is possible that you could use the certificate & key that are already in place (for Transport Layer Security), but this makes the PKI Keypair vulnerable, as those stay on the system. This Bacula Certificate/PKI Keypair is only to be used in the event that a client loses the PKI Keypair (Client PKI Keypair) that they have used to encrypt their data. Therefore the Master PKI Keypair has no place staying on a live system; it should be stored offline in a secure location. With that noted, the procedure to create the PKI Keypair is, as always, via the Certificate Authority that I have noted in this previous post.

Issue data-enc.bacula.pbdigital.org.pem Certificate

The first step is to create the certificate signing request and forward it to the Certificate Authority:

# mkdir /etc/opt/ooce/bacula/data-enc
# cd /etc/opt/ooce/bacula/data-enc
# openssl genrsa -out data-enc.bacula.pbdigital.org.key 2048
# openssl req -new -key data-enc.bacula.pbdigital.org.key -out data-enc.bacula.pbdigital.org.csr
# scp data-enc.bacula.pbdigital.org.csr root@ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/csr/

  • The Common Name does not need to be the host name; I have used data-enc.bacula.pbdigital.org.

On the Certificate Authority I issue the Certificate:

# openssl ca -config root-ca.cnf -in csr/data-enc.bacula.pbdigital.org.csr -out certs/data-enc.bacula.pbdigital.org.pem -extensions server_ext

Back on the Bacula server I import the server certificate into the /etc/opt/ooce/bacula/data-enc directory:

# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/certs/data-enc.bacula.pbdigital.org.pem .

One final step is to create the PKI Keypair. This is done by concatenating the Key and Certificate into one file for Bacula to use. This Master PKI Keypair will not be used immediately, but will be stored together with the key, as stated earlier, in a secure offline location.

# cat data-enc.bacula.pbdigital.org.key data-enc.bacula.pbdigital.org.pem > keypair-data-enc.bacula.pbdigital.org.pem

The order of the files does matter: the key comes first, then the certificate.

Now remove the keypair and key from the server and store them in a secure offline location. The cert can remain on the server, as we will want to distribute it to clients.

Issue data-enc.client.pbdigital.org.pem Certificate

You will want to repeat the steps above to issue the certificate, key and keypair for the client. These need to be stored on the client so that it can encrypt the data before it is sent off to the Storage Daemon.

NOTE: If you lose the master and client encryption keys, backups will be unrecoverable. Always store a copy of your master keys in a secure, off-site location.

Client configuration for encrypted backups

In the File Daemon section of the bacula-fd.conf file on the client you need to append the following lines:

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/data-enc/keypair-data-enc-client.pem"
PKI Master Key = "/etc/bacula/data-enc/data-enc.bacula.pbdigital.org.pem"

You also need to distribute the data-enc.bacula.pbdigital.org.pem certificate to the client as it is used in the final line that we have appended.

NOTE: Do not copy the Master PKI Keypair to the client, as only the standard certificate is needed.

Setting PKI Master Key is optional; however, if you do not set it, the client will only be able to decrypt the data with its own PKI Keypair.

That is all the configuration necessary, a restart enables data encryption:

# service bacula-fd restart
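To check that a client has been set up the way the section above describes, here is an added example (my own code, not from this post or from the Bacula project) that lints the PKI directives of a File Daemon resource and the PEM files they point at: both PKI Signatures and PKI Encryption set to Yes, the PKI Keypair file holding the key before the certificate, and the PKI Master Key file holding only the master certificate and no private key. The configuration and PEM contents are constructed samples with placeholder bodies, so it runs offline with the standard library alone.

```python
"""Lint the PKI directives of a Bacula File Daemon resource and the PEM files
they point at.  Added example for this post, not code from the post or from
the Bacula project.  The configuration and PEM contents below are constructed
samples (placeholder PEM bodies, not real keys) so that it runs offline."""
import re

# One PEM block: "-----BEGIN <label>-----" ... "-----END <same label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# A "PKI <directive> = value" line as written in bacula-fd.conf (quotes optional).
PKI_DIRECTIVE = re.compile(
    r'^\s*PKI\s+(Signatures|Encryption|Keypair|Master Key)\s*=\s*"?([^"\n]*?)"?\s*$',
    re.I | re.M)


def pem_labels(pem_text):
    """Return the BEGIN labels of every PEM block in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def parse_pki_directives(fd_conf):
    """Map lower-cased directive name ('keypair', 'master key', ...) to its value."""
    return {name.lower(): value for name, value in PKI_DIRECTIVE.findall(fd_conf)}


def lint_client_pki(fd_conf, read_file):
    """Return a list of findings; an empty list means the client matches the
    post's setup.  read_file(path) returns the text of a PEM file."""
    findings = []
    d = parse_pki_directives(fd_conf)
    for name in ("signatures", "encryption"):
        if d.get(name, "").lower() != "yes":
            findings.append(f"PKI {name.title()} is not set to Yes")
    keypair = d.get("keypair")
    if not keypair:
        findings.append("PKI Keypair is not set")
    else:
        labels = pem_labels(read_file(keypair))
        keys = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
        certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
        if not keys or not certs:
            findings.append("PKI Keypair must contain both the private key and the certificate")
        elif keys[0] > certs[0]:
            findings.append("PKI Keypair has the certificate before the key; the post concatenates key first")
    master = d.get("master key")
    if not master:
        findings.append("PKI Master Key is not set: a lost client keypair means unrecoverable backups")
    else:
        labels = pem_labels(read_file(master))
        if any(label.endswith("PRIVATE KEY") for label in labels):
            findings.append("PKI Master Key file contains a private key; only the master certificate belongs on the client")
        if "CERTIFICATE" not in labels:
            findings.append("PKI Master Key file contains no certificate")
    return findings


def fake_pem(label):
    """Constructed PEM block with a placeholder body (not a real key or certificate)."""
    return f"-----BEGIN {label}-----\nMIIBplaceholderbody\n-----END {label}-----\n"


# Constructed file contents, keyed by the paths used in the post's bacula-fd.conf.
SAMPLE_FILES = {
    "/etc/bacula/data-enc/keypair-data-enc-client.pem":
        fake_pem("RSA PRIVATE KEY") + fake_pem("CERTIFICATE"),
    "/etc/bacula/data-enc/data-enc.bacula.pbdigital.org.pem":
        fake_pem("CERTIFICATE"),
}

# A misconfigured client: the master keypair (with its key) was copied over and
# the client keypair was concatenated certificate-first.
BAD_FILES = {
    "/etc/bacula/data-enc/keypair-data-enc-client.pem":
        fake_pem("CERTIFICATE") + fake_pem("RSA PRIVATE KEY"),
    "/etc/bacula/data-enc/data-enc.bacula.pbdigital.org.pem":
        fake_pem("RSA PRIVATE KEY") + fake_pem("CERTIFICATE"),
}

SAMPLE_FD_CONF = """\
FileDaemon {
  Name = client.pbdigital.org-fd
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair = "/etc/bacula/data-enc/keypair-data-enc-client.pem"
  PKI Master Key = "/etc/bacula/data-enc/data-enc.bacula.pbdigital.org.pem"
}
"""


def lint_sample(files=SAMPLE_FILES):
    """Lint the constructed FileDaemon resource against a dict of file contents."""
    return lint_client_pki(SAMPLE_FD_CONF, lambda path: files[path])


if __name__ == "__main__":
    print("good client:", lint_sample() or "no findings")
    for finding in lint_sample(BAD_FILES):
        print("bad client:", finding)
```

To run it against a real client, replace the lambda with `lambda path: open(path).read()` and pass the contents of the FileDaemon resource; the checks are deliberately textual, so they catch the copy-and-paste mistakes (wrong file order, master key where only the master certificate belongs) without needing to parse the keys themselves.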

Running Encrypted Data Backups

Nothing needs to be done on the Director to enable encryption; from now on the client will encrypt data before it is sent to the Storage Daemon.

I added a single file to test encryption. Once the job has run, the job summary reports that encryption was used, as in the following output.

Build OS:               x86_64-pc-solaris2.11 solaris 5.11
JobId:                  83
Job:                    client.pbdigital.org.2020-05-13_13.55.45_15
Backup Level:           Incremental, since=2020-05-13 13:43:34
Client:                 "client.pbdigital.org-fd" 9.4.4 (28May19) x86_64-redhat-linux-gnu,redhat,
FileSet:                "client.pbdigital.org-fs" 2020-05-10 14:51:36
Pool:                   "DAILY" (From User input)
Catalog:                "MyCatalog" (From Client resource)
Storage:                "bacula.pbdigital.org-sd-usb" (From Job resource)
Scheduled time:         13-May-2020 13:55:11
Start time:             13-May-2020 13:55:48
End time:               13-May-2020 13:55:50
Elapsed time:           2 secs
Priority:               10
FD Files Written:       2
SD Files Written:       2
FD Bytes Written:       11,760 (11.76 KB)
SD Bytes Written:       12,560 (12.56 KB)
Rate:                   5.9 KB/s
Software Compression:   None
Comm Line Compression:  None
Snapshot/VSS:           no
Encryption:             yes
Accurate:               yes
Volume name(s):         DAILY-0012
Volume Session Id:      7
Volume Session Time:    1590832041
Last Volume Bytes:      14,224,216 (14.22 MB)
Non-fatal FD errors:    0
SD Errors:              0
FD termination status:  OK
SD termination status:  OK
Termination:            Backup OK

Note the line: Encryption: yes.
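Rather than eyeballing that line in every job e-mail, the check can be automated. The following is an added example (my own code, not from this post or from Bacula) that parses the label/value lines of a job summary like the one above and reports any backup that ran without encryption, terminated with something other than Backup OK, or logged errors. The summary text inside it is a constructed subset of the output shown above.

```python
"""Flag Bacula backup job summaries that were not encrypted or did not end
cleanly.  Added example, not code from the post or from Bacula; the sample
summary below is a constructed subset of the job output shown in the post."""


def parse_job_summary(text):
    """Turn 'Label:   value' lines into a dict; lines without a colon are ignored."""
    summary = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        summary[label.strip()] = value.strip()
    return summary


def check_backup_summary(text):
    """Return a list of findings; an empty list means an encrypted, clean backup."""
    s = parse_job_summary(text)
    job = s.get("JobId", "?")
    findings = []
    if s.get("Encryption", "").lower() != "yes":
        findings.append(f"job {job}: Encryption is '{s.get('Encryption', 'missing')}', expected yes")
    if s.get("Termination") != "Backup OK":
        findings.append(f"job {job}: Termination is '{s.get('Termination', 'missing')}'")
    for key in ("Non-fatal FD errors", "SD Errors"):
        if s.get(key, "0") != "0":
            findings.append(f"job {job}: {key} = {s[key]}")
    return findings


# Constructed subset of the job summary shown in the post.
SAMPLE_SUMMARY = """\
JobId:                  83
Job:                    client.pbdigital.org.2020-05-13_13.55.45_15
Backup Level:           Incremental, since=2020-05-13 13:43:34
Client:                 "client.pbdigital.org-fd" 9.4.4 (28May19) x86_64-redhat-linux-gnu,redhat,
FD Bytes Written:       11,760 (11.76 KB)
Encryption:             yes
Non-fatal FD errors:    0
SD Errors:              0
Termination:            Backup OK
"""

# The same job as it would look from a client whose PKI Encryption directive
# was never enabled (constructed for the example).
UNENCRYPTED_SUMMARY = SAMPLE_SUMMARY.replace("Encryption:             yes",
                                             "Encryption:             no")


if __name__ == "__main__":
    print("encrypted job:", check_backup_summary(SAMPLE_SUMMARY) or "no findings")
    print("unencrypted job:", check_backup_summary(UNENCRYPTED_SUMMARY))
```

Feeding it the body of each job mail (or the output of `messages` in bconsole) gives a cheap control that every client you believe is encrypting actually is; a client whose bacula-fd.conf was restored from an old copy without the PKI directives would otherwise keep writing cleartext volumes without anyone noticing.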

Restoring Encrypted Data Backups

Again, nothing on the Director needs to be set; decryption is all taken care of on the client. Running a restore, the generated output should indicate everything went OK.

Build OS:               x86_64-pc-solaris2.11 solaris 5.11
JobId:                  86
Job:                    RestoreFiles.2020-05-13_17.15.21_20
Restore Client:         client.pbdigital.org-fd
Where:                  /tmp/bacula-restores
Replace:                Always
Start time:             13-May-2020 17:15:23
End time:               13-May-2020 17:15:24
Elapsed time:           1 sec
Files Expected:         2
Files Restored:         2
Bytes Restored:         10,600 (10.60 KB)
Rate:                   10.6 KB/s
FD Errors:              0
FD termination status:  OK
SD termination status:  OK
Termination:            Restore OK

You can also verify the file is as expected in the restore location.

In Case of Lost Client keys

Should you happen to lose the Client PKI Keypair, you will need to import the Master PKI Keypair and point the client's bacula-fd.conf file at this keypair to decrypt your data.

Edit the file as appropriate:

PKI Keypair = "/etc/bacula/data-enc/keypair-data-enc.bacula.pbdigital.org.pem"

Once you have restarted the client, restoration can take place as normal.

NOTE: Restoration from the master PKI Keypair will only be available if it was initially encrypted with the PKI Master Key directive set.

Once the restore has taken place, repeat from the top of this post to create a new Client PKI Keypair, to re-enable Data Encryption.

Wrapping Up

Ba-dee, a dee, that’s all, folks!

With this information you can now sleep easy knowing your data is protected.

Documentation that I found helpful whilst configuring Bacula Data Encryption is listed below:

The LAB EIGHTY FOUR article is actually a two page article. Be sure not to miss the link to the second page as it is worth reading in full.

… and remember, guard those keys!

John McAfee guarding his keys, like a boss!