Bacula is an open-source, enterprise-level computer backup system for heterogeneous networks. Bacula is by far the most popular Open Source backup program. It is designed to automate backup tasks that had often required intervention from a systems administrator or computer operator. Bacula supports Linux, UNIX, Windows, and macOS backup clients, and a range of professional backup devices including tape libraries.

Continuing from my last post on securing the connection from Bacula to PostgreSQL via SSL, this post focuses on Transport Layer Security (TLS) between the Bacula components themselves: bconsole, the Director, the Storage Daemon and the File Daemons.

This post assumes that you have a working installation of Bacula. If you have not already set one up, you can find a very detailed series of posts on the Blog Index covering all aspects of installing Bacula. This post also assumes you have access to a Certificate Authority. I have also made a post on installing and configuring a Certificate Authority which can be found here.

NOTE: I am running Bacula on OmniOS and the client on Fedora, however the following information should be suitable for all systems with minor variations.

Create Certificates on CA

To secure the traffic between the Bacula components we need a server certificate for the Director and for the daemons that run on the same host as it. As I run the Director, Storage Daemon and File Daemon on one host, a single certificate serves all three. I will also be backing up the host that functions as my webserver. That host does not need a new certificate: it already has one for SSL on the webserver, and the Bacula File Daemon on it can re-use that certificate and key, provided the certificate chains to the root-ca.crt the Director is configured to trust below and the File Daemon can read the private key.

To create the server certificate I will use the Certificate Authority I documented in an earlier post.

Issue bacula.pbdigital.org.pem Server Certificate

The first step is to create the private key and the certificate signing request, and forward the CSR to the Certificate Authority. The key goes into a key/ subdirectory readable only by the account the Bacula daemons run as; this is the path the configuration below refers to:

# mkdir -p /etc/opt/ooce/bacula/tls/key
# chmod 700 /etc/opt/ooce/bacula/tls/key
# cd /etc/opt/ooce/bacula/tls
# openssl genrsa -out key/bacula.pbdigital.org.key 2048
# chmod 600 key/bacula.pbdigital.org.key
# openssl req -new -key key/bacula.pbdigital.org.key -out bacula.pbdigital.org.csr
# scp bacula.pbdigital.org.csr root@ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/csr/
  • The Common Name in the CSR is the FQDN of the host, bacula.pbdigital.org. This exact string is what the other daemons will list in TLS Allowed CN, so it must match character for character; Bacula compares the CN string itself (ignoring case) and does not consult DNS for this check.

On the Certificate Authority I issue the Certificate:

# openssl ca -config root-ca.cnf -in csr/bacula.pbdigital.org.csr -out certs/bacula.pbdigital.org.pem -extensions server_ext

Back on the Bacula server I copy the server certificate and the root authority certificate into the /etc/opt/ooce/bacula/tls directory:

# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/root-ca.crt .
# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/certs/bacula.pbdigital.org.pem .

Set the permissions so that the private key is readable only by the account the Bacula daemons run as (mode 0600, owned by that account), while the certificates can stay world-readable. That is all that is needed on the certificate side.

Setting up TLS for Bacula

It is important to first verify that TLS is functioning correctly with the simplest component of Bacula, the console program bconsole. Once that is working I will move on to the other components.

Setup TLS for Bconsole

We need to edit two files to enable bconsole to connect to the Director over TLS.

First we edit bacula-dir.conf. The following is added to the Director section; the Director is the server side of the console connection, so it also requests the console's certificate and restricts the Common Names it accepts:

TLS Enable =               yes
TLS Require =              yes
TLS Verify Peer =          yes
TLS Allowed CN =           "bacula.pbdigital.org"
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

Secondly, we edit bconsole.conf to make bconsole present a certificate when connecting to the Director. In this case it is the very same certificate we used for the Director, as bconsole runs on the same host as the Director.

If you connect to the Director from another host, that host needs its own certificate from the same CA, and its Common Name must be added to the TLS Allowed CN list in the Director section above (TLS Allowed CN accepts more than one name).

For now, we add the following to the Director section of bconsole.conf:

TLS Enable =               yes
TLS Require =              yes
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

We should now be able to connect to the Director via bconsole. If the connection succeeds we know it is encrypted, because TLS Require = yes makes the Director refuse a console that does not negotiate TLS.

Troubleshooting

The following points should help if you have not been able to connect.

  • In the Director section of bconsole.conf, the address directive should be the Fully Qualified Domain Name of the Director, i.e. address = bacula.pbdigital.org, and Name and Password must still match the Director resource: TLS is negotiated only after the normal CRAM-MD5 authentication succeeds.

  • The Common Name in the certificate the console presents must be exactly one of the names in TLS Allowed CN on the Director. Bacula compares the CN string as written (ignoring case); it does not use DNS, forward or reverse, for this check.

  • Because the TLS handshake happens after the Hello and CRAM-MD5 exchange, openssl s_client against the Director port will not complete a handshake and tells you nothing useful. Run bconsole -d 100 (or the daemon itself with -d 100) to see the TLS negotiation and certificate errors, and check each configuration file with -t before restarting, e.g. bacula-dir -t -c <your bacula-dir.conf>.

TLS from the Director Daemon to the Storage Daemon

Next we allow the Director to connect to the Storage Daemon. In the Storage section of bacula-dir.conf we provide the certificate the Director presents when connecting. Here the Director is the client side of the connection, so TLS Verify Peer and TLS Allowed CN are not used; they are server-side directives.

# This is a certificate, used by the director to connect to the storage daemon
TLS Enable =               yes
TLS Require =              yes
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

In the Director section of bacula-sd.conf we provide the same server certificate. Here the Storage Daemon is the server, so it verifies the connecting Director's certificate and only accepts the Director's Common Name.

# This is a server certificate. It is used by the connecting
# director to verify the authenticity of this storage daemon
TLS Enable =               yes
TLS Require =              yes
TLS Verify Peer =          yes
TLS Allowed CN =           "bacula.pbdigital.org"
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

You can now restart the Bacula Director and Storage Daemon and verify connectivity in bconsole with the status storage command. Both daemons accept -t -c <conf file> to check their configuration before a restart.

TLS between the File Daemon and the Storage Daemon

Moving on to the next component, we allow the connection between the File Daemon and the Storage Daemon. TLS Verify Peer and TLS Allowed CN are not used here, as Bacula has its own way of authenticating this hop. The Bacula manual says: “Peer certificate is not required/requested – peer validity is verified by the storage connection cookie provided to the File Daemon by the director”.

In the FileDaemon section of bacula-fd.conf:

# you need these TLS entries so the SD and FD can
# communicate
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

In the Storage section of bacula-sd.conf:

TLS Enable = yes
TLS Require = yes
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

TLS from the Director Daemon to the File Daemon

Here is where I will set up the remote client to be backed up. We need to edit the bacula-fd.conf file on the remote host, in this case, www.pbdigital.org.

Director section of bacula-fd.conf on the remote host. The File Daemon is the server here, so it verifies the connecting Director's certificate and only accepts the Director's Common Name:

TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "bacula.pbdigital.org"
TLS CA Certificate File =  /etc/bacula/tls/root-ca.crt
TLS Certificate =          /etc/bacula/tls/www.pbdigital.org.pem
TLS Key =                  /etc/bacula/tls/key/www.pbdigital.org.key

The next file I edit relates to the client we will be backing up, in my case www.pbdigital.org. This is the Client section for that host in the bacula-dir.conf that resides on the Bacula server. Here the Director is the client side of the connection, so it only presents its own certificate:

TLS Enable =               yes
TLS Require =              yes
TLS CA Certificate File =  /etc/opt/ooce/bacula/tls/root-ca.crt
TLS Certificate =          /etc/opt/ooce/bacula/tls/bacula.pbdigital.org.pem
TLS Key =                  /etc/opt/ooce/bacula/tls/key/bacula.pbdigital.org.key

TLS between the Client and the Storage Daemon

The client also needs to connect to the Storage Daemon, so this is allowed in the FileDaemon section of the bacula-fd.conf file on the remote host:

TLS Enable =               yes
TLS Require =              yes
TLS CA Certificate File =  /etc/bacula/tls/root-ca.crt
TLS Certificate =          /etc/bacula/tls/www.pbdigital.org.pem
TLS Key =                  /etc/bacula/tls/key/www.pbdigital.org.key
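The pieces above are easy to get subtly wrong: a key that does not belong to the certificate, a CN that differs from what the peer lists in TLS Allowed CN, a key the daemon cannot read, or a resource with TLS Enable but no TLS Require, which still accepts plaintext. The script below is an added example for this page, not part of the original post or of Bacula. It checks both the certificate material produced in the Create Certificates on CA section and every TLS-enabled resource of a configuration file such as the bacula-dir.conf, bacula-sd.conf and bacula-fd.conf fragments above. It assumes openssl, awk and a POSIX sh on the host, takes the file paths and the expected CN as arguments (the names in its usage comment are the ones used in this post), and must run as an account that can read the private keys.

```shell
#!/bin/sh
# Added example, not part of the original post or of Bacula: pre-flight checks
# for the TLS material a Bacula daemon references. Assumes openssl, awk and sh.
# Usage:
#   bacula_tls_check ROOT_CA_CRT HOST_PEM HOST_KEY EXPECTED_CN
#   bacula_conf_tls_check BACULA_CONF EXPECTED_CN
# EXPECTED_CN is the name peers list in TLS Allowed CN, e.g. bacula.pbdigital.org.

# Subject CN of a PEM certificate, the string Bacula compares against TLS Allowed CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check one CA / certificate / key set. Prints one line per check, returns 1 on any failure.
bacula_tls_check() {
    ca="$1"; cert="$2"; key="$3"; want_cn="$4"; rc=0
    # 1. The certificate must chain to the file named in TLS CA Certificate File.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain: $cert verifies against $ca"
    else
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi
    # 2. TLS Allowed CN is a string match on the CN (no DNS involved), so the CN
    #    must be exactly the name the peer lists.
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$want_cn" ]; then
        echo "ok   cn: $cn"
    else
        echo "FAIL cn: certificate says '$cn', peers will allow '$want_cn'"; rc=1
    fi
    # 3. TLS Certificate and TLS Key must be a pair: compare their public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   keypair: $key matches $cert"
    else
        echo "FAIL keypair: $key does not match $cert"; rc=1
    fi
    # 4. The private key must be readable by the daemon's account only (0600/0400).
    perm=$(ls -ld "$key" 2>/dev/null | cut -c2-10)
    case "$perm" in
        rw-------|r--------) echo "ok   perms: $key is $perm" ;;
        *) echo "FAIL perms: $key is '$perm', expected rw------- (chmod 600)"; rc=1 ;;
    esac
    return $rc
}

# Print "resource|TLS Enable|TLS Require|CA file|certificate|key" for each
# top-level resource of a Bacula conf that carries TLS directives. Bacula
# ignores case and blanks in directive names, so keys are normalised likewise.
tls_resources() {
    awk '
    function flush() {
        if (res != "" && (d["tlsenable"] d["tlscertificate"] d["tlskey"]) != "")
            printf "%s|%s|%s|%s|%s|%s\n", res, d["tlsenable"], d["tlsrequire"],
                   d["tlscacertificatefile"], d["tlscertificate"], d["tlskey"]
        res = ""
    }
    {
        line = $0; sub(/#.*/, "", line)                      # drop comments
        if (line ~ /[{]/) {                                  # a block opens
            if (depth == 0) {                                # top level: new resource
                res = line; sub(/[[:space:]]*[{].*/, "", res); sub(/^[[:space:]]*/, "", res)
                split("", d)
            }
            depth++
        }
        n = index(line, "=")
        if (depth == 1 && n > 0) {                           # directive inside a resource
            key = tolower(substr(line, 1, n - 1)); gsub(/[[:space:]]/, "", key)
            val = substr(line, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$|"/, "", val)
            if (key ~ /^tls/) d[key] = val
        }
        if (line ~ /[}]/) { depth--; if (depth == 0) flush() }
    }' "$1"
}

# Run bacula_tls_check for every TLS-enabled resource in a conf, and flag
# resources with TLS Enable but no TLS Require: those still accept plaintext.
bacula_conf_tls_check() {
    conf="$1"; want="$2"; bad=0
    while IFS='|' read -r res enable require ca cert key; do
        [ -n "$res" ] || continue
        echo "== $res"
        if [ "$(echo "$enable" | tr 'A-Z' 'a-z')" != "yes" ]; then
            echo "FAIL $res: TLS Enable is '$enable'"; bad=1; continue
        fi
        if [ "$(echo "$require" | tr 'A-Z' 'a-z')" != "yes" ]; then
            echo "FAIL $res: TLS Require is '$require', plaintext still accepted"; bad=1
        fi
        bacula_tls_check "$ca" "$cert" "$key" "$want" || bad=1
    done <<EOF
$(tls_resources "$conf")
EOF
    return $bad
}

# Two arguments: check a conf file; four: check one certificate set directly.
case "$#" in
    2) bacula_conf_tls_check "$@" ;;
    4) bacula_tls_check "$@" ;;
esac
```

Run it once per host against each daemon's conf (for the Director host in this post: bacula_conf_tls_check on bacula-dir.conf, bacula-sd.conf, bacula-fd.conf and bconsole.conf with bacula.pbdigital.org; on the webserver against bacula-fd.conf with www.pbdigital.org). A non-zero exit means at least one line starts with FAIL. The CN comparison here is exact, which is stricter than Bacula's own case-insensitive match; the conf parser only reads top-level resources, which is where all TLS directives live.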

Wrapping Up

With this information you can now add all your backup hosts to Bacula using Transport Layer Security.

Documentation that I found helpful whilst configuring TLS is listed below:

I especially found the R.I.Pienaar Bacula TLS Wiki most helpful.

In the next post I will look at adding data encryption and signing within the File Daemon (or Client) before the data is sent to the Storage Daemon.