Re: [bareos-users] Bareos data encryption
Hi Valentin,

I have a working setup with encryption over here.

On Wed, 29 Apr 2020, Valentin Dzhorov wrote:

> Ok, so I am trying to turn on data encryption feature described here:
> https://docs.bareos.org/TasksAndConcepts/DataEncryption.html. I have issued
> RSA public and private key and I have consolidated them into one PEM file.
> My configuration on the client itself looks like the following:
>
> Client {
>   Name = client1
>   Maximum Concurrent Jobs = 10
>   Maximum Bandwidth Per Job = 90 m/s
>
>   # remove comment from "Plugin Directory" to load plugins from specified directory.
>   # if "Plugin Names" is defined, only the specified plugins will be loaded,
>   # otherwise all storage plugins (*-fd.so) from the "Plugin Directory".
>   # Plugin Directory = /usr/lib64/bareos/plugins
>   # Plugin Names = ""
>
>   # if compatible is set to yes, we are compatible with bacula
>   # if set to no, new bareos features are enabled which is the default
>   # compatible = yes
>
>   PKI Signatures = yes
>   PKI Encryption = yes
>   PKI Keypair = "/etc/bareos/bareos-fd.d/certificate/assembled/consolidated.pem"
>   PKI Master Key = "/etc/bareos/bareos-fd.d/certificate/master.pem"
>   PKI Cipher = aes128
> }

My config looks similar, except that I do not provide the "master.pem", but solely the "master.cert" - what's the content of your "master.pem": does it contain the private key, too? That is not necessary and may break things - additionally, this is wrong from a security point of view: you do *not* want to distribute the private master key across all your clients.

> However when I am doing backups nothing seems to happen. I get the
> following message when doing backups:
>
>   Encryption: None
>
> Can anyone let me know what am I doing wrong here? Thank you all in advance!

In addition to my point above: have you checked file permissions? Can bareos read the private keys?

regards,
Erich

--
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bareos-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/alpine.LNX.2.22.419.2004291410040.10703%40desk.ddns.eckner.net.
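The two checks suggested in the reply above (the master key file on a client should hold only the public certificate, and the key files must be readable by the daemon) can be scripted. This is an added example, not part of the original thread or of Bareos: the names `pem_has` and `check_pki_file` and the return codes are hypothetical, and it assumes PEM files where the keypair file holds both certificate and private key, as the original poster describes.

```shell
#!/bin/sh
# Added example: sanity-check the PEM files named by "PKI Keypair" and
# "PKI Master Key". Only the PEM armor lines are inspected; no key is parsed.
# Function names and return codes are hypothetical, not part of Bareos.

# pem_has FILE LABEL_REGEX: true if FILE has a matching "-----BEGIN ...-----" line
pem_has() { grep -Eq -e "^-----BEGIN $2-----" "$1"; }

# check_pki_file ROLE FILE   (ROLE is "keypair" or "master")
# returns 0 ok, 1 unreadable, 2 no certificate, 3 keypair without private key,
#         4 master file contains a private key, 5 private key open to group/others
check_pki_file() {
    role=$1 file=$2
    # Run this as the user the file daemon runs as, or the result is meaningless.
    [ -r "$file" ] || { echo "$file: not readable by $(id -un)"; return 1; }
    pem_has "$file" 'CERTIFICATE' || { echo "$file: no certificate found"; return 2; }

    has_key=no
    pem_has "$file" '([A-Z]+ )?PRIVATE KEY' && has_key=yes

    case "$role:$has_key" in
        keypair:no)
            echo "$file: keypair file has no private key"; return 3 ;;
        master:yes)
            echo "$file: master key file contains a private key;" \
                 "clients need only the master certificate"; return 4 ;;
    esac

    if [ "$has_key" = yes ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -lLd "$file" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "$file: private key accessible beyond owner ($mode)"; return 5; }
    fi
    echo "$file: ok as $role"
}

# Usage: sh check_pki.sh keypair /path/to/consolidated.pem
#        sh check_pki.sh master  /path/to/master.pem
[ "$#" -ne 2 ] || check_pki_file "$1" "$2"
```

A return code of 4 for the file named by `PKI Master Key` corresponds to the situation the reply warns about: the private master key has been copied to a client.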
Re: [bareos-users] Bareos data encryption
On 29.04.2020 14:09, Andreas Rogge wrote:

> On 29.04.20 at 13:22, Valentin Dzhorov wrote:
> > Can anyone let me know what am I doing wrong here? Thank you all in advance!
>
> That really depends on where you see the "Encryption: None" message.
> In Bareos' context encryption can mean three different things:
> - the PKI-based encryption of the backed up data (which is what you're trying)
> - the transport encryption (SSL) between dir, fd and sd
> - hardware-assisted tape-encryption
>
> I think you're seeing the message because the director cannot establish
> a secure connection to the FD. However, PKI-based content-encryption may
> still take place.
> To test content-encryption you can try a restore of the data to another
> client that has no access to the required key material.

It's also useful to check the job status. The Encryption field of the job status should contain info whether the job's been encrypted or not.
Re: [bareos-users] Bareos data encryption
On 29.04.20 at 13:22, Valentin Dzhorov wrote:

> Can anyone let me know what am I doing wrong here? Thank you all in advance!

That really depends on where you see the "Encryption: None" message.
In Bareos' context encryption can mean three different things:
- the PKI-based encryption of the backed up data (which is what you're trying)
- the transport encryption (SSL) between dir, fd and sd
- hardware-assisted tape-encryption

I think you're seeing the message because the director cannot establish a secure connection to the FD. However, PKI-based content-encryption may still take place.
To test content-encryption you can try a restore of the data to another client that has no access to the required key material.

Best Regards,
Andreas

--
Andreas Rogge andreas.ro...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221-630693-86
http://www.bareos.com
Registered office: Köln | Amtsgericht Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors: S. Dühr, M. Außendorf, J. Steffens, Philipp Storz
[bareos-users] Bareos data encryption
Ok, so I am trying to turn on data encryption feature described here: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html. I have issued RSA public and private key and I have consolidated them into one PEM file. My configuration on the client itself looks like the following:

Client {
  Name = client1
  Maximum Concurrent Jobs = 10
  Maximum Bandwidth Per Job = 90 m/s

  # remove comment from "Plugin Directory" to load plugins from specified directory.
  # if "Plugin Names" is defined, only the specified plugins will be loaded,
  # otherwise all storage plugins (*-fd.so) from the "Plugin Directory".
  # Plugin Directory = /usr/lib64/bareos/plugins
  # Plugin Names = ""

  # if compatible is set to yes, we are compatible with bacula
  # if set to no, new bareos features are enabled which is the default
  # compatible = yes

  PKI Signatures = yes
  PKI Encryption = yes
  PKI Keypair = "/etc/bareos/bareos-fd.d/certificate/assembled/consolidated.pem"
  PKI Master Key = "/etc/bareos/bareos-fd.d/certificate/master.pem"
  PKI Cipher = aes128
}

However when I am doing backups nothing seems to happen. I get the following message when doing backups:

  Encryption: None

Can anyone let me know what am I doing wrong here? Thank you all in advance!