Bacula Data Encryption
This is by far the most simple to configure of the three posts on securing Bacula, however, it is one of the most important. First, it concerns data storage that may not be in your hands. Leaving backups unencrypted with a third party creates a risk of having them taken, if not sufficiently guarded. This is tantamount to giving someone access to your entire systems. Secondly, importance lies with the possibility that if you lose your PKI Keypair that backs up your data, in effect you lose all your backups.
NOTE: I am running Bacula on OmniOS and the client on Fedora, however the following information should be suitable for all systems with minor variations.
Like with my previous posts, I start with issuing a certificate for the Bacula server. It is possible that you could use the certificate & key that is already in place (for Transport Layer Security) but this makes the PKI Keypair vulnerable as these stay on the system. This Bacula Certificate/PKI Keypair is to only be used in event that a client loses their PKI Keypair (Client PKI Keypair), that they have used to encrypt their data. Therefore the Master PKI Keypair has no place staying on a live system. This should be stored offline in a secure location. With that noted, the procedure to create the PKI Keypair is as always, via the Certificate Authority, that I have noted in this previous post.
Issue data-enc.bacula.pbdigital.org.pem Certificate
First step is create the certificate signing request and forward this to the Certificate Authority:
# mkdir /etc/opt/ooce/bacula/data-enc # cd /etc/opt/ooce/bacula/data-enc # openssl genrsa -out key/data-enc.bacula.pbdigital.org.key 2048 # openssl req -new -key key/data-enc.bacula.pbdigital.org.key -out data-enc.bacula.pbdigital.org.csr # scp data-enc.bacula.pbdigital.org.csr email@example.com:/etc/ssl/ca.pbdigital.org/csr/
- The Common Name does not need to be the host name and I have used
On the Certificate Authority I issue the Certificate:
# openssl ca -config root-ca.cnf -in csr/data-enc.bacula.pbdigital.org.csr -out certs/data-enc.bacula.pbdigital.org.pem -extensions server_ext
Back on the Bacula server I import the server certificate, into the
# scp ca.pbdigital.org:/etc/ssl/ca.pbdigital.org/certs/data-enc.bacula.pbdigital.org.pem .
One final step is that we need to create the PKI Keypair. This is done by concatenating the Key and Certificate into one file for Bacula to use. This Master PKI Keypair will not be used immediatley, but will be stored with the key, as stated earlier, in a secure offline location.
# cat data-enc.bacula.pbdigital.org.key data-enc.bacula.pbdigital.org.pem > keypair-data-enc.bacula.pbdigital.org.pem
The order of the files DO matter.
Now, remove the keypair and key from the server and store in a secure offline location. The cert can remain on the server as we will want to distribute this to clients.
Issue data-enc.client.pbdigital.org.pem Certificate
You will want to repeat the steps above to issue the certificates, key and keypair for the client. These are needed to be stored on the client, to allow the client to encrypt the data before it is set off to the Storage Daemon.
NOTE: If you lose the master and client encryption keys, backups will be unrecoverable. Always store a copy of your master keys in a secure, off-site location.
Client configuration for encrypted backups
File Daemon section of the
bacula-fd.conf file on the client you need to append the following lines:
PKI Signatures = Yes PKI Encryption = Yes PKI Keypair = "/etc/bacula/data-enc/keypair-data-enc-client.pem" PKI Master Key = "/etc/bacula/data-enc/data-enc.bacula.pbdigital.org.pem"
You also need to distribute the
data-enc.bacula.pbdigital.org.pem certificate to the client as it is used in the final line that we have appended.
NOTE: Do not copy the Master PKI Keypair to the client, as only the standard certificate is needed.
This is optional, however if you do not do this, the client will only be able to decrypt the data with it's own PKI Keypair.
That is all the configuration necessary, a restart enables data encryption:
# service bacula-fd restart
Running Encrypted Data Backups
Nothing needs to be done on the Director to enable encryption, from now on the client will encrypt data before it is sent to the Storage Daemon.
I added a single file to test encryption and once the job has run you will be informed that encryption has been set as in the following output.
Build OS: x86_64-pc-solaris2.11 solaris 5.11 JobId: 83 Job: client.pbdigital.org.2020-05-13_13.55.45_15 Backup Level: Incremental, since=2020-05-13 13:43:34 Client: "client.pbdigital.org-fd" 9.4.4 (28May19) x86_64-redhat-linux-gnu,redhat, FileSet: "client.pbdigital.org-fs" 2020-05-10 14:51:36 Pool: "DAILY" (From User input) Catalog: "MyCatalog" (From Client resource) Storage: "bacula.pbdigital.org-sd-usb" (From Job resource) Scheduled time: 13-May-2020 13:55:11 Start time: 13-May-2020 13:55:48 End time: 13-May-2020 13:55:50 Elapsed time: 2 secs Priority: 10 FD Files Written: 2 SD Files Written: 2 FD Bytes Written: 11,760 (11.76 KB) SD Bytes Written: 12,560 (12.56 KB) Rate: 5.9 KB/s Software Compression: None Comm Line Compression: None Snapshot/VSS: no Encryption: yes Accurate: yes Volume name(s): DAILY-0012 Volume Session Id: 7 Volume Session Time: 1590832041 Last Volume Bytes: 14,224,216 (14.22 MB) Non-fatal FD errors: 0 SD Errors: 0 FD termination status: OK SD termination status: OK Termination: Backup OK
Note the line:
Restoring Encrypted Data Backups
Again, nothing on the Director needs to be set, decryption is all taken care of on the client. Running a restore, the output that is generated should indicate everything went OK.
Build OS: x86_64-pc-solaris2.11 solaris 5.11 JobId: 86 Job: RestoreFiles.2020-05-13_17.15.21_20 Restore Client: client.pbdigital.org-fd Where: /tmp/bacula-restores Replace: Always Start time: 13-May-2020 17:15:23 End time: 13-May-2020 17:15:24 Elapsed time: 1 sec Files Expected: 2 Files Restored: 2 Bytes Restored: 10,600 (10.60 KB) Rate: 10.6 KB/s FD Errors: 0 FD termination status: OK SD termination status: OK Termination: Restore OK
You can also verify the file is as expected in the restore location.
In Case of Lost Client keys
Should you happen to lose the Client PKI Keypair, you will need to import the Master PKI Keypair and have the clients
bacula-fd.conf file point at this new PKI Keypair to decrypt your data.
Edit the file as appropriate:
PKI Keypair = "/etc/bacula/data-enc/keypair-data-enc.bacula.pbdigital.org.pem"
Once you have restarted the client, restoration can take place as normal.
NOTE: Restoration from the master PKI Keypair will only be available if it was initially encrypted with the
PKI Master Keydirective set.
Once the restore has taken place, repeat from the top of this post to create a new Client PKI Keypair, to re-enable Data Encryption.
Ba-dee, a dee, that’s all, folks!
With this information you can now sleep easy knowing your data is protected.
Documentation that I found helpful whilst configuring Bacula Data Encryption is listed below:
The LAB EIGHTY FOUR article is actually a two page article. Be sure not to miss the link to the second page as it is worth reading in full.
... and remember, guard those keys!