I have had a Bacula installation on my corporate LAN for some time, and since this is a LAN I did not bother with setting up TLS.

Now a need has emerged to back up exactly one remote client (it's actually a VPS). For some reason Bacula appears to be a rather suitable thing to employ for this task, except for one thing: since this client is accessible via the Internet, all communications have to be secure, hence employing TLS appears to be the way to go.

As far as I understand it, backing up a client goes like this:
1) The Director contacts the FD and tells it to upload such and such files to a specific SD. It tells the FD which SD and also passes it a special cookie to authenticate against that SD.
2) The FD contacts the SD and uploads its stuff.

So I should have the Director->FD and FD->SD communications protected by TLS. This means that the FD should have TLS enabled for both inbound and outgoing connections, and the SD should listen on a port with TLS enabled.

The problem is that I thought it would be possible to enable TLS only on that one remote FD and add a TLS-enabled "listener" to my local SD, and leave the LAN intact. So I imagined I would set up TLS on the remote FD, do the same in the appropriate Client resource in my Director, and set up a second Storage resource in my SD config, listening on a different port and having TLS enabled *only there.* Unfortunately, the SD says there can be only one Storage resource in the SD configuration file. So it now appears that TLS in Bacula supposes an all-or-nothing approach.

I also know about stunnel, but I'm hesitant to use it for these reasons:
1) At least two stunnel instances will be required to be set up and maintained.
2) Using stunnel involves unnecessary copying of (lots of) data.

Another thing I considered is running another SD with a separate configuration file. This is doable as well but has its own apparent downsides, like the need to fork and maintain a separate init script, the inability to do copy jobs to media attached to the "main" SD, etc.
So, before I settle on either a full-on TLS setup or stunnel or something else, I'd like to ask if anyone here knows whether it's somehow possible to do what I need: to make just a single client use TLS and leave everything else as is? I'm running the Director and SD on the same Debian server, which has Bacula 5.2.6 installed. The remote FD will probably run Bacula 5.0.3.

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
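As an added example, not taken from the post above or from any reply to it, here is how Bacula's own per-resource TLS directives (TLS Enable, TLS Require, TLS Verify Peer, TLS Allowed CN, TLS CA Certificate File, TLS Certificate, TLS Key) can be laid out across the three daemons so that only the two connections involving the remote FD are encrypted. It relies on Bacula's documented behaviour that a daemon with TLS Enable = yes and TLS Require = no accepts both TLS and plaintext peers on the same port, so the SD keeps its single Storage resource and single port and the LAN clients are left untouched; TLS Allowed CN is evaluated only on a peer that has negotiated TLS. All names, hostnames, CNs, file paths and passwords below are placeholders.

```conf
# --- bacula-dir.conf on the LAN server (Director + SD host) ---
# Only the Client resource for the remote VPS gets TLS directives; every
# other Client resource and the Director's Storage resource stay as they are.
Client {
  Name     = vps-fd                          # placeholder client name
  Address  = vps.example.org                 # placeholder hostname
  FDPort   = 9102
  Catalog  = MyCatalog
  Password = "FD-PASSWORD-PLACEHOLDER"
  TLS Enable  = yes
  TLS Require = yes                          # never fall back to cleartext over the Internet
  TLS Verify Peer = yes                      # demand and check the FD's certificate
  TLS Allowed CN  = "vps-fd"                 # CN the FD's certificate must carry
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/dir.crt
  TLS Key         = /etc/bacula/tls/dir.key
}

# --- bacula-sd.conf on the LAN server ---
# One Storage resource, one port. TLS Enable without TLS Require lets the LAN
# FDs keep connecting in cleartext while the remote FD negotiates TLS.
Storage {
  Name    = lan-sd
  SDPort  = 9103
  WorkingDirectory = /var/lib/bacula
  Pid Directory    = /var/run/bacula
  TLS Enable  = yes
  TLS Require = no                           # plaintext LAN peers still accepted
  TLS Verify Peer = yes                      # a TLS peer must present a CA-signed cert
  TLS Allowed CN  = "vps-fd"                 # checked only for peers that negotiate TLS
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/sd.crt
  TLS Key         = /etc/bacula/tls/sd.key
}

# --- bacula-fd.conf on the remote VPS ---
# Director resource: the inbound connection from the Director, TLS required.
Director {
  Name     = lan-dir
  Password = "FD-PASSWORD-PLACEHOLDER"
  TLS Enable  = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN  = "lan-dir"                # CN in the Director's certificate
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/fd.crt
  TLS Key         = /etc/bacula/tls/fd.key
}

# FileDaemon resource: its TLS settings govern the FD's outgoing
# connection to the SD, so TLS Require here guarantees the data
# stream itself is encrypted even though the SD does not insist on it.
FileDaemon {
  Name    = vps-fd
  FDPort  = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory    = /var/run/bacula
  TLS Enable  = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
  TLS Certificate = /etc/bacula/tls/fd.crt
  TLS Key         = /etc/bacula/tls/fd.key
}
```

The encryption guarantee for the Internet-facing host comes from TLS Require = yes on the Director's Client resource and on both FD resources, not from the SD, which deliberately stays permissive for the LAN. Because the SD still accepts cleartext on 9103, the matching network control is a firewall rule that admits inbound 9103 only from the LAN and the VPS address; certificate CN checks then make sure the TLS peer on that port is the expected FD. The Director also needs the private key on the same host, so keep the key files readable by the bacula user only.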