Re: [bareos-users] Backup encryption help

2020-12-30 Thread Brock Palen
Not sure when it was added; 17 is before I used Bareos.

In your job emails do you see PSK anywhere? By default it logs and tries to 
encrypt unless disabled. 

This is over the wire from client to SD, not at rest.

Brock Palen

> On Dec 30, 2020, at 11:05 AM, Gonçalo Sousa  wrote:
> 
> My bareOS is 17.2; does it encrypt by default?
> 
>> On Monday, December 21, 2020 at 4:34:02 PM UTC bro...@mlds-networks.com 
>> wrote:
>> Personally I would not use data encryption at the client if not required. 
>> Use the newer versions of Bareos where it uses PSK (pre shared keys) using 
>> the password to set up an encrypted tunnel over which the data rides. Thus 
>> it lands on your SD unencrypted but the data is encrypted over the wire. 
>> 
>> If you need to encrypt the data at rest use LVM or Fuse encryption for disk 
>> volumes, and LTO encryption for tape. This will encrypt the data at rest, 
>> but avoid managing keys for clients. Also makes restores not dependent on 
>> those SSL certs only for the disk volume and tape which is all managed on 
>> the server and can be easily replicated by the admin team. (I keep all my 
>> tape secret in 1password encrypted note and GPG encrypted file, and only 
>> needed if I lose my catalog dump/backup, which is treated differently than 
>> my client backups). 
>> 
>> 
>> The only reason I see today to use File Daemon Encryption as documented in 
>> that page is if you need to promise the client you cannot access their data. 
>> That is _only_ true if only the client has the private key, AND to double 
>> what MK said there is huge risk that the client will lose that key and not 
>> have it recoverable when you need to do a restore. 
>> 
>> 
>> If you rely on encryption using PSK which should be automatic if any recent 
>> bareos version it’s much less error prone. 
>> Eg Look for: Connected Client: mlds at mlds:9102, encryption: 
>> PSK-AES256-CBC-SHA 
>> 
>> In your job logs. I do this all without managing certificates on the FD. 
>> 
>> 
>> Brock Palen 
>> bro...@mlds-networks.com 
>> www.mlds-networks.com 
>> Websites, Linux, Hosting, Joomla, Consulting 
>> 
>> 
>> 
>> > On Dec 21, 2020, at 8:21 AM, Spadajspadaj  wrote: 
>> > 
>> > bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos 
>> > filedaemon is the program running on the client which you are backing up. 
>> > 
>> > As per the documentation (which you already found), all data is encrypted 
>> > on client prior to being sent to server (or to Storage Daemon, to be 
>> > precise). 
>> > 
>> > But please, read the documentation again (and again if need be) so you 
>> > understand how it's working so you don't accidentally lose your keys (and 
>> > hence any possibility of decrypting the backed up data!). 
>> > 
>> > 
>> > 
>> > Best regards, 
>> > 
>> > MK 
>> > 
>> > On 21/12/2020 14:14, Gonçalo Sousa wrote: 
>> >> Can someone help me please 
>> >> 
>> >> On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote: 
>> >> 
>> >> I am trying to implement data encryption on bareOS following this 
>> >> documentation: 
>> >> https://docs.bareos.org/TasksAndConcepts/DataEncryption.html 
>> >> 
>> >> I have already created/generated the .cert, .pem and .key files on the 
>> >> BareOS server. 
>> >> 
>> >> My question is where do I configure them, on the example only mentions 
>> >> bareos-fd.conf 
>> >> Is this file located on /etc/bareos/bareos-dir.d/client/ ? 
>> >> 
>> >> All the keys, pem and cert files must be located on the BareOS server 
>> >> right? 
>> >> All the configuration is only made on the BareOS right? 
>> >> -- 
>> >> You received this message because you are subscribed to the Google Groups 
>> >> "bareos-users" group. 
>> >> To unsubscribe from this group and stop receiving emails from it, send an 
>> >> email to bareos-users...@googlegroups.com. 
>> >> To view this discussion on the web visit 
>> >> https://groups.google.com/d/msgid/bareos-users/955a1789-27f7-4f96-84a5-808aac6a2698n%40googlegroups.com.
>> >>  
>> > 

Re: [bareos-users] Backup encryption help

2020-12-30 Thread Gonçalo Sousa
My bareOS is 17.2; does it encrypt by default?

On Monday, December 21, 2020 at 4:34:02 PM UTC bro...@mlds-networks.com 
wrote:

> Personally I would not use data encryption at the client if not required. 
> Use the newer versions of Bareos where it uses PSK (pre shared keys) using 
> the password to set up an encrypted tunnel over which the data rides. Thus 
> it lands on your SD unencrypted but the data is encrypted over the wire.
>
> If you need to encrypt the data at rest use LVM or Fuse encryption for disk 
> volumes, and LTO encryption for tape. This will encrypt the data at rest, 
> but avoid managing keys for clients. Also makes restores not dependent on 
> those SSL certs only for the disk volume and tape which is all managed on 
> the server and can be easily replicated by the admin team. (I keep all my 
> tape secret in 1password encrypted note and GPG encrypted file, and only 
> needed if I lose my catalog dump/backup, which is treated differently than 
> my client backups).
>
>
> The only reason I see today to use File Daemon Encryption as documented in 
> that page is if you need to promise the client you cannot access their 
> data. That is _only_ true if only the client has the private key, AND to 
> double what MK said there is huge risk that the client will lose that key 
> and not have it recoverable when you need to do a restore.
>
>
> If you rely on encryption using PSK which should be automatic if any 
> recent bareos version it’s much less error prone.
> Eg Look for: Connected Client: mlds at mlds:9102, encryption: 
> PSK-AES256-CBC-SHA
>
> In your job logs. I do this all without managing certificates on the FD.
>
>
> Brock Palen
> bro...@mlds-networks.com
> www.mlds-networks.com
> Websites, Linux, Hosting, Joomla, Consulting
>
>
>
> > On Dec 21, 2020, at 8:21 AM, Spadajspadaj  wrote:
> > 
> > bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos 
> > filedaemon is the program running on the client which you are backing up.
> > 
> > As per the documentation (which you already found), all data is 
> > encrypted on client prior to being sent to server (or to Storage Daemon, to 
> > be precise).
> > 
> > But please, read the documentation again (and again if need be) so you 
> > understand how it's working so you don't accidentally lose your keys (and 
> > hence any possibility of decrypting the backed up data!).
> > 
> > Best regards,
> > 
> > MK
> > 
> > On 21/12/2020 14:14, Gonçalo Sousa wrote:
> >> Can someone help me please
> >> 
> >> On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote:
> >> 
> >> I am trying to implement data encryption on bareOS following this 
> >> documentation: 
> >> https://docs.bareos.org/TasksAndConcepts/DataEncryption.html
> >> 
> >> I have already created/generated the .cert, .pem and .key files on the 
> >> BareOS server.
> >> 
> >> My question is where do I configure them, on the example only mentions 
> >> bareos-fd.conf
> >> Is this file located on /etc/bareos/bareos-dir.d/client/ ?
> >> 
> >> All the keys, pem and cert files must be located on the BareOS server 
> >> right?
> >> All the configuration is only made on the BareOS right?



Re: [bareos-users] Backup encryption help

2020-12-21 Thread Spadajspadaj

There are many different situations and various needs.

Especially if you have a need for off-site backups, and even more so if 
you're processing any kind of sensitive data, you have to (and might be 
obliged by law to do so - enter GDPR or HIPAA, for example).


Encrypting storage units (tapes/lvm volumes and so on) is a bit 
different and addresses different needs than client-side encryption.


As you pointed out, bareos-fd encryption lets you encrypt all data and 
makes the backup possible without the backing up party being able to 
access raw data (there's always the issue with metadata which is not 
encrypted but that's a different subject).


There is also another angle to this - with media encryption you have 
just that - media encryption. And anyone compromising the cryptographic 
material used to encrypt said media gains access to all the data 
contained on said media. In case of client-side backup it's possible 
(and advised) to encrypt each client with own key so that each client 
can be managed independently of another.


To sum it up - there are different needs, so there are different 
solutions :-)


I'm only wondering (I admit, probably because I didn't read the docs 
enough times ;->) if the connection is still encrypted if we use 
client-side encryption on bareos-fd? That would make the data in transit 
double-encrypted which is a bit pointless.


Best regards,

MK

On 21/12/2020 17:33, Brock Palen wrote:

Personally I would not use data encryption at the client if not required.  Use 
the newer versions of Bareos where it uses PSK (pre shared keys)  using the 
password to set up an encrypted tunnel over which the data rides.  Thus it 
lands on your SD unencrypted but the data is encrypted over the wire.

If you need to encrypt the data at rest use LVM or Fuse encryption for disk 
volumes,  and LTO encryption for tape.  This will encrypt the data at rest, but 
avoid managing keys for clients.  Also makes restores not dependent on those 
SSL certs only for the disk volume and tape which is all managed on the server 
and can be easily replicated by the admin team.  (I keep all my tape secret in 
1password encrypted note and GPG encrypted file, and only needed if I lose my 
catalog dump/backup, which is treated differently than my client backups).


The only reason I see today to use File Daemon Encryption as documented in that 
page is if you need to promise the client you cannot access their data.  That 
is _only_  true if only the client has the private key,  AND to double what MK 
said there is huge risk that the client will lose that key and not have it 
recoverable when you need to do a restore.


If you rely on encryption using PSK which should be automatic if any recent 
bareos version it’s much less error prone.
Eg Look for:  Connected Client: mlds at mlds:9102, encryption: 
PSK-AES256-CBC-SHA

In your job logs.  I do this all without managing certificates on the FD.


Brock Palen
bro...@mlds-networks.com
www.mlds-networks.com
Websites, Linux, Hosting, Joomla, Consulting




On Dec 21, 2020, at 8:21 AM, Spadajspadaj  wrote:

bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos filedaemon 
is the program running on the client which you are backing up.

As per the documentation (which you already found), all data is encrypted on 
client prior to being sent to server (or to Storage Daemon, to be precise).

But please, read the documentation again (and again if need be) so you 
understand how it's working so you don't accidentally lose your keys (and hence 
any possibility of decrypting the backed up data!).



Best regards,

MK

On 21/12/2020 14:14, Gonçalo Sousa wrote:

Can someone help me please

On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote:

I am trying to implement data encryption on bareOS following this 
documentation: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html

I have already created/generated the .cert, .pem and .key files on the BareOS 
server.

My question is  where do I configure them, on the example only mentions 
bareos-fd.conf
Is this file located on /etc/bareos/bareos-dir.d/client/ ?

All the keys, pem and cert files must be located on the BareOS server right?
All the configuration is only made on the BareOS right?

Re: [bareos-users] Backup encryption help

2020-12-21 Thread Brock Palen
Never really thought about that, 

At first glance this looks like what I would do,  this is similar to encryption 
on LVM disk volume taking out of Bareos client hands.

https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

Note FD to SD should still be PSK encrypted over the wire, and the SD to S3  
should be SSL encrypted over HTTPS,  then this just encrypts it when it lands 
at AWS.  Though I always questioned cloud systems where you give them the key 
to encrypt data that you assume you do to make sure they can’t access it 
(malicious employee, etc)  YMMV.  In that case yeah you may want to encrypt 
before uploading and this may be the best path.

But key management is KEY to make sure you can actually access your data.


Brock Palen
bro...@mlds-networks.com
www.mlds-networks.com
Websites, Linux, Hosting, Joomla, Consulting



> On Dec 21, 2020, at 11:43 AM, 'Chad William Seys' via bareos-users 
>  wrote:
> 
> I agree, it is worrisome to encrypt backup data.
> 
> But, if the client loses the key, there is still the master key. 
> https://docs.bareos.org/TasksAndConcepts/DataEncryption.html#decrypting-with-a-master-key
> 
> If storing in "the cloud" is there an easier and less failure prone way to 
> encrypt?
> 
> Chad.
> 


Re: [bareos-users] Backup encryption help

2020-12-21 Thread 'Chad William Seys' via bareos-users

I agree, it is worrisome to encrypt backup data.

But, if the client loses the key, there is still the master key. 
https://docs.bareos.org/TasksAndConcepts/DataEncryption.html#decrypting-with-a-master-key


If storing in "the cloud" is there an easier and less failure prone way 
to encrypt?


Chad.



Re: [bareos-users] Backup encryption help

2020-12-21 Thread Brock Palen
Personally I would not use data encryption at the client if not required.  Use 
the newer versions of Bareos where it uses PSK (pre shared keys)  using the 
password to set up an encrypted tunnel over which the data rides.  Thus it 
lands on your SD unencrypted but the data is encrypted over the wire.

If you need to encrypt the data at rest use LVM or Fuse encryption for disk 
volumes,  and LTO encryption for tape.  This will encrypt the data at rest, but 
avoid managing keys for clients.  Also makes restores not dependent on those 
SSL certs only for the disk volume and tape which is all managed on the server 
and can be easily replicated by the admin team.  (I keep all my tape secret in 
1password encrypted note and GPG encrypted file, and only needed if I lose my 
catalog dump/backup, which is treated differently than my client backups).


The only reason I see today to use File Daemon Encryption as documented in that 
page is if you need to promise the client you cannot access their data.  That 
is _only_  true if only the client has the private key,  AND to double what MK 
said there is huge risk that the client will lose that key and not have it 
recoverable when you need to do a restore.


If you rely on encryption using PSK which should be automatic if any recent 
bareos version it’s much less error prone.
Eg Look for:  Connected Client: mlds at mlds:9102, encryption: 
PSK-AES256-CBC-SHA

In your job logs.  I do this all without managing certificates on the FD.


Brock Palen
bro...@mlds-networks.com
www.mlds-networks.com
Websites, Linux, Hosting, Joomla, Consulting
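
[Added example, not part of the original message or of Bareos itself: a small Python check that scans job-log text for the "Connected Client: ..., encryption: ..." line quoted above and reports clients whose connection was not encrypted. The timestamp/JobId prefix, the `None` value for an unencrypted connection, and all function names are assumptions.]

```python
import re

# Constructed sample job log. Only the "Connected Client: ..., encryption: ..."
# shape of the first entry comes from the thread; the timestamp/JobId prefix,
# the other clients and the "None" value are assumptions for illustration.
SAMPLE_LOG = """\
21-Dec 16:30 mlds-dir JobId 101: Connected Client: mlds at mlds:9102, encryption: PSK-AES256-CBC-SHA
21-Dec 16:31 mlds-dir JobId 102: Connected Client: web01 at web01:9102, encryption: None
21-Dec 16:32 mlds-dir JobId 103: Connected Client: db01 at db01:9102
21-Dec 16:33 mlds-dir JobId 104: Connected Client: mail at mail:9102, encryption: ECDHE-RSA-AES256-GCM-SHA384
"""

# The encryption field is optional so that lines without it are still seen
# and can be reported as unencrypted.
CONNECT_RE = re.compile(
    r"Connected Client:\s*(?P<client>\S+)\s+at\s+(?P<host>[^\s,:]+):(?P<port>\d+)"
    r"(?:,\s*encryption:\s*(?P<cipher>\S+))?"
)


def classify(cipher):
    """Map the logged cipher string to a coarse transport label."""
    if cipher is None or cipher.lower() == "none":
        return "cleartext"
    if "PSK" in cipher.upper().split("-"):
        return "tls-psk"
    # Encrypted, but the cipher name alone does not say PSK (for example
    # certificate-based TLS).
    return "tls-other"


def audit_job_log(text):
    """Return one finding per 'Connected Client' line in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONNECT_RE.search(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "client": m.group("client"),
            "host": m.group("host"),
            "port": int(m.group("port")),
            "cipher": m.group("cipher"),
            "transport": classify(m.group("cipher")),
        })
    return findings


def unencrypted_clients(text):
    """Sorted names of clients with at least one cleartext connection."""
    return sorted({f["client"] for f in audit_job_log(text)
                   if f["transport"] == "cleartext"})


if __name__ == "__main__":
    for f in audit_job_log(SAMPLE_LOG):
        print(f"{f['client']:8} {f['host']}:{f['port']}  "
              f"{f['transport']:10} {f['cipher'] or '-'}")
    print("unencrypted:", unencrypted_clients(SAMPLE_LOG))
```

This only checks the over-the-wire connection discussed in the thread; it says nothing about whether the volumes on the SD are encrypted at rest.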



> On Dec 21, 2020, at 8:21 AM, Spadajspadaj  wrote:
> 
> bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos 
> filedaemon is the program running on the client which you are backing up.
> 
> As per the documentation (which you already found), all data is encrypted on 
> client prior to being sent to server (or to Storage Daemon, to be precise).
> 
> But please, read the documentation again (and again if need be) so you 
> understand how it's working so you don't accidentally lose your keys (and 
> hence any possibility of decrypting the backed up data!).
> 
> 
> 
> Best regards,
> 
> MK
> 
> On 21/12/2020 14:14, Gonçalo Sousa wrote:
>> Can someone help me please
>> 
>> On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote:
>> 
>> I am trying to implement data encryption on bareOS following this 
>> documentation: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html
>> 
>> I have already created/generated the .cert, .pem and .key files on the 
>> BareOS server.
>> 
>> My question is  where do I configure them, on the example only mentions 
>> bareos-fd.conf
>> Is this file located on /etc/bareos/bareos-dir.d/client/ ?
>> 
>> All the keys, pem and cert files must be located on the BareOS server right?
>> All the configuration is only made on the BareOS right?


[bareos-users] Backup encryption help

2020-12-07 Thread Gonçalo Sousa

I am trying to implement data encryption on bareOS following this 
documentation: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html

I have already created/generated the .cert, .pem and .key files on the 
BareOS server.

My question is  where do I configure them, on the example only mentions 
bareos-fd.conf
Is this file located on /etc/bareos/bareos-dir.d/client/ ?

All the keys, pem and cert files must be located on the BareOS server right?
All the configuration is only made on the BareOS right?
