<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2008 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>Data Encryption</TITLE>
<META NAME="description" CONTENT="Data Encryption">
<META NAME="keywords" CONTENT="main">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META NAME="Generator" CONTENT="LaTeX2HTML v2008">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="main.css">

<LINK REL="next" HREF="Using_Bacula_Improve_Comput.html">
<LINK REL="previous" HREF="Bacula_TLS_Communications.html">
<LINK REL="up" HREF="Bacula_Main_Reference.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html1909"
  HREF="Using_Bacula_Improve_Comput.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html1903"
  HREF="Bacula_Main_Reference.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html1897"
  HREF="Bacula_TLS_Communications.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html1905"
  HREF="Contents.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A> 
<A NAME="tex2html1907"
  HREF="Thanks.html">
<IMG WIDTH="43" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="index" SRC="index.png"></A> 
<BR>
<B> Next:</B> <A NAME="tex2html1910"
  HREF="Using_Bacula_Improve_Comput.html">Using Bacula to Improve</A>
<B> Up:</B> <A NAME="tex2html1904"
  HREF="Bacula_Main_Reference.html">Bacula Main Reference</A>
<B> Previous:</B> <A NAME="tex2html1898"
  HREF="Bacula_TLS_Communications.html">Bacula TLS - Communications</A>
 &nbsp; <B>  <A NAME="tex2html1906"
  HREF="Contents.html">Contents</A></B> 
 &nbsp; <B>  <A NAME="tex2html1908"
  HREF="Thanks.html">Index</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><A NAME="tex2html1911"
  HREF="Data_Encryption.html#SECTION004010000000000000000">Building Bacula with Encryption Support</A>
<LI><A NAME="tex2html1912"
  HREF="Data_Encryption.html#SECTION004020000000000000000">Encryption Technical Details</A>
<LI><A NAME="tex2html1913"
  HREF="Data_Encryption.html#SECTION004030000000000000000">Decrypting with a Master Key</A>
<LI><A NAME="tex2html1914"
  HREF="Data_Encryption.html#SECTION004040000000000000000">Generating Private/Public Encryption Keys</A>
<LI><A NAME="tex2html1915"
  HREF="Data_Encryption.html#SECTION004050000000000000000">Example Data Encryption Configuration</A>
</UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION004000000000000000000"></A>
<A NAME="DataEncryption"></A>
<BR>
Data Encryption
</H1>
<A NAME="19981"></A>
<A NAME="19982"></A>
<A NAME="19983"></A>

<P>
Bacula permits file data encryption and signing within the File Daemon (or
Client) prior to sending data to the Storage Daemon.  Upon restoration,
file signatures are validated and any mismatches are reported.  At no time
does the Director or the Storage Daemon have access to unencrypted file
contents.

<P>
It is very important to specify what this implementation does NOT
do:

<UL>
<LI>There is one important restore problem to be aware of, namely, it's
  possible for the director to restore new keys or a Bacula configuration
  file to the client, and thus force later backups to be made with a
  compromised key and/or with no encryption at all.  You can avoid this by
  not changing the location of the keys in your Bacula File daemon
  configuration file, and not changing your File daemon keys.  If you do
  change either one, you must ensure that no restore is done that restores
  the old configuration or the old keys.  In general, the worst effect of
  this will be that you can no longer connect to the File daemon.

<P>
</LI>
<LI>The implementation does not encrypt file metadata such as file path
  names, permissions, and ownership. Extended attributes are also currently
  not encrypted. However, Mac OS X resource forks are encrypted.
</LI>
</UL>

<P>
Encryption and signing are implemented using RSA private keys coupled with
self-signed x509 public certificates. This is also sometimes known as PKI
or Public Key Infrastructure. 

<P>
Each File Daemon should be given its own unique private/public key pair.
In addition to this key pair, any number of "Master Keys" may be specified
- these are key pairs that may be used to decrypt any backups should the
File Daemon key be lost.  Only the Master Key's public certificate should
be made available to the File Daemon.  Under no circumstances should the
Master Private Key be shared or stored on the Client machine.

<P>
The Master Keys should be backed up to a secure location, such as a CD
placed in a fire-proof safe or bank safety deposit box. The Master
Keys should never be kept on the same machine as the Storage Daemon or
Director if you are worried about an unauthorized party compromising either
machine and accessing your encrypted backups.

<P>
While less critical than the Master Keys, File Daemon Keys are also a prime
candidate for off-site backups; burn the key pair to a CD and send the CD
home with the owner of the machine.

<P>
NOTE!!! If you lose your encryption keys, backups will be unrecoverable.
<B>ALWAYS</B> store a copy of your master keys in a secure, off-site location.

<P>
The basic algorithm used for each backup session (Job) is:

<OL>
<LI>The File daemon generates a session key.
</LI>
<LI>The FD encrypts that session key via public key encryption (PKE) for
all recipients (the file daemon, any master keys).
</LI>
<LI>The FD uses that session key to perform symmetric encryption on the data.
</LI>
</OL>

<P>

<H1><A NAME="SECTION004010000000000000000">
Building Bacula with Encryption Support</A>
</H1>
<A NAME="19990"></A>

<P>
The configuration option for enabling OpenSSL encryption support has not changed
since Bacula 1.38. To build Bacula with encryption support, you will need
the OpenSSL libraries and headers installed.  When configuring Bacula, use:

<P>
<PRE>
   ./configure --with-openssl ...
</PRE>

<P>

<H1><A NAME="SECTION004020000000000000000">
Encryption Technical Details</A>
</H1>
<A NAME="19994"></A>

<P>
The implementation uses 128-bit AES-CBC, with RSA-encrypted symmetric
session keys. The RSA key is user supplied.
If you are running OpenSSL 0.9.8 or later, the signed file hash uses
SHA-256; otherwise, SHA-1 is used.

<P>
End-user configuration settings for the algorithms are not currently
exposed - only the algorithms listed above are used. However, the
data written to Volume supports arbitrary symmetric, asymmetric, and
digest algorithms for future extensibility, and the back-end
implementation currently supports:

<P>
<PRE>
Symmetric Encryption:
    - 128, 192, and 256-bit AES-CBC
    - Blowfish-CBC

Asymmetric Encryption (used to encrypt symmetric session keys):
    - RSA

Digest Algorithms:
    - MD5
    - SHA1
    - SHA256
    - SHA512
</PRE>

<P>
The various algorithms are exposed via an entirely re-usable,
OpenSSL-agnostic API (i.e., it is possible to drop in a new encryption
backend). The Volume format is DER-encoded ASN.1, modeled after the
Cryptographic Message Syntax from RFC 3852. Unfortunately, using CMS
directly was not possible, as at the time of coding a free software
streaming DER decoder/encoder was not available.
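
<P>
The per-Job scheme described above (one session key, RSA-wrapped for every recipient, then AES-128-CBC over the data) can be reproduced with the OpenSSL command line. This is an added example, not Bacula code and not the Volume format; the file names, the job directory layout and the OAEP padding choice are assumptions, and signing is left out.

```shell
#!/bin/sh
# Added sketch of the per-Job scheme. File names and layout are assumptions;
# this is not Bacula's on-Volume format.
set -eu

# Constructed demo recipient: RSA key plus self-signed certificate.
make_recipient() {  # $1 = base name
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1.key" -subj "/CN=$1" -out "$1.cert" 2>/dev/null
}

# Steps 1-3: one random session key, wrapped once per recipient certificate,
# then used for AES-128-CBC over the data.
encrypt_job() {  # $1 = plaintext, $2 = output dir, $3... = recipient certs
    src=$1; out=$2; shift 2
    mkdir -p "$out"
    key=$(openssl rand -hex 16)            # 128-bit session key
    iv=$(openssl rand -hex 16)             # fresh CBC IV, stored in the clear
    printf '%s' "$iv" > "$out/iv"
    for cert in "$@"; do                   # OAEP padding is this sketch's choice
        printf '%s' "$key" | openssl pkeyutl -encrypt -certin -inkey "$cert" \
            -pkeyopt rsa_padding_mode:oaep -out "$out/$(basename "$cert" .cert).wrapped"
    done
    openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$src" -out "$out/data.enc"
}

# Restore: any one recipient's private key recovers the session key.
decrypt_job() {  # $1 = job dir, $2 = private key, $3 = wrapped key, $4 = output
    key=$(openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$3") || return 1
    openssl enc -d -aes-128-cbc -K "$key" -iv "$(cat "$1/iv")" \
        -in "$1/data.enc" -out "$4"
}

demo() {
    work=$(mktemp -d); cd "$work"
    make_recipient fd-example; make_recipient master
    printf 'constructed sample file contents\n' > plain.txt
    encrypt_job plain.txt job fd-example.cert master.cert
    rm fd-example.key                      # simulate losing the client key
    decrypt_job job master.key job/master.wrapped restored.txt
    cmp -s plain.txt restored.txt && echo "restored with the master key"
}
demo
```

<P>
Because the session key is wrapped separately for each certificate, losing the File Daemon key leaves the data recoverable only through a master private key, which is why that key must be kept off the client and backed up off-site.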

<P>

<H1><A NAME="SECTION004030000000000000000">
Decrypting with a Master Key</A>
</H1>
<A NAME="19998"></A>

<P>
It is preferable to retain a secure, non-encrypted copy of the  
client's own encryption keypair. However, should you lose the  
client's keypair, recovery with the master keypair is possible.

<P>
You must:

<UL>
<LI>Concatenate the master private and public key into a single  
   keypair file, i.e.:
<PRE>
   cat master.key master.cert &gt;master.keypair
</PRE>

<P>
</LI>
<LI>Set the PKI Keypair statement in your Bacula configuration file:

<P>
<PRE>
   PKI Keypair = master.keypair
</PRE>

<P>
</LI>
<LI>Start the restore. The master keypair will be used to decrypt
     the file data.

<P>
</LI>
</UL>

<P>

<H1><A NAME="SECTION004040000000000000000">
Generating Private/Public Encryption Keys</A>
</H1>
<A NAME="20004"></A>

<P>
Generate a Master Key Pair with:

<P>
<PRE>
  openssl genrsa -out master.key 2048
  openssl req -new -key master.key -x509 -out master.cert
</PRE>
<P>
Generate a File Daemon Key Pair for each FD:

<P>
<PRE>
  openssl genrsa -out fd-example.key 2048
  openssl req -new -key fd-example.key -x509 -out fd-example.cert
  cat fd-example.key fd-example.cert &gt;fd-example.pem
</PRE>
<P>
Note, there seems to be a lot of confusion around the file extensions given
to these keys.  For example, a .pem file can contain all the following:
private keys (RSA and DSA), public keys (RSA and DSA) and (x509) certificates. 
It is the default format for OpenSSL. It stores data in Base64-encoded DER format,
surrounded by ASCII headers, so is suitable for text mode transfers between
systems. A .pem file may contain any number of keys either public or
private. We use it in cases where there is both a public and a private
key.

<P>
Above, we have typically used the .cert extension for an X509
certificate file that contains only a single public key.

<P>

<H1><A NAME="SECTION004050000000000000000">
Example Data Encryption Configuration</A>
</H1>
<A NAME="20010"></A>
<A NAME="20011"></A>
<A NAME="20012"></A>

<P>
<B>bacula-fd.conf</B>
<PRE>
FileDaemon {
   Name = example-fd
   FDport = 9102                  # where we listen for the director
   WorkingDirectory = /var/bacula/working
   Pid Directory = /var/run
   Maximum Concurrent Jobs = 20
 
   PKI Signatures = Yes            # Enable Data Signing
   PKI Encryption = Yes            # Enable Data Encryption
   PKI Keypair = "/etc/bacula/fd-example.pem"    # Public and Private Keys
   PKI Master Key = "/etc/bacula/master.cert"    # ONLY the Public Key
}
</PRE>
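
<P>
A check that the two files named in this configuration hold what the comments say: the PKI Keypair file must contain a private key and its matching certificate, and the PKI Master Key file must contain a certificate and no private key. This is an added example, not part of Bacula; the function names, messages and the constructed demo keys are assumptions.

```shell
#!/bin/sh
# Added audit sketch for the two PKI files named in bacula-fd.conf.
# Function names, messages and demo paths are assumptions of this example.

has_private_key() { grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Digest of the public key held in a private key or certificate file.
pub_fp() {  # $1 = key|cert, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac | openssl dgst -sha256
}

audit_fd_pki() {  # $1 = PKI Keypair file, $2 = PKI Master Key file
    rc=0
    has_private_key "$1" || { echo "FAIL: $1 has no private key"; rc=1; }
    openssl x509 -in "$1" -noout 2>/dev/null ||
        { echo "FAIL: $1 has no certificate"; rc=1; }
    [ "$(pub_fp key "$1")" = "$(pub_fp cert "$1")" ] ||
        { echo "FAIL: key and certificate in $1 do not match"; rc=1; }
    openssl x509 -in "$2" -noout 2>/dev/null ||
        { echo "FAIL: $2 is not a certificate"; rc=1; }
    if has_private_key "$2"; then
        echo "FAIL: $2 contains a private key (master private key on the client)"
        rc=1
    fi
    return $rc
}

demo() {  # constructed keys in a temporary directory
    d=$(mktemp -d)
    for n in fd-example master; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
        openssl req -new -x509 -key "$d/$n.key" -subj "/CN=$n" -out "$d/$n.cert" 2>/dev/null
    done
    cat "$d/fd-example.key" "$d/fd-example.cert" > "$d/fd-example.pem"
    audit_fd_pki "$d/fd-example.pem" "$d/master.cert" && echo "PASS: correct layout"
    # Misconfiguration: the master keypair deployed instead of the certificate.
    cat "$d/master.key" "$d/master.cert" > "$d/master.keypair"
    audit_fd_pki "$d/fd-example.pem" "$d/master.keypair" || echo "audit rejected it"
}
demo
```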
<P>
<HR>
<ADDRESS>

2012-01-24
</ADDRESS>
</BODY>
</HTML>