I'm curious about encryption; specifically, encrypting the data on the client-side before the storage daemon lays it down to tape.

I've read http://www.bacula.org/en/dev-manual/Data_Encryption.html, and it seems to suggest that the client *requires* both the client's private key and the client's public key. Certainly, when I give the client a "PKI Keypair =" file which contains only the public key, I get an "Error: openssl.c:86 Unable to read private key from file ERR=error:0906D06C:PEM routines:PEM_read_bio:no start line".

But what I'm trying to do here is make a machine, and its backup tapes, safe from physical seizure. The root FS of the machine is unencrypted (and so, therefore, is the /etc/bacula directory); the file system I'm worried about is normally encrypted.

I've tried giving the FD a .pem file which includes an encrypted private key, in the hope that it would ask for a passphrase at start time (in the manner of apache), but instead I get "openssl.c:86 Unable to read private key from file: ERR=error:0906A068:PEM routines:PEM_do_header:bad password read", so that's not working.

The above manual page on data encryption says that the encryption involves three steps:

1. The File daemon generates a session key.
2. The FD encrypts that session key via PKE for all recipients (the file daemon, any master keys).
3. The FD uses that session key to perform symmetric encryption on the data.

None of that seems to me to require the client's private key; only the public one. Only restoration, or some other act requiring the decryption of the filestream, seems to me to require the client's private key. Or is there some other signing phase going on, that I'm not catching on to?

Am I missing something, or is the only way to make this work to put the bacula FD's keys in plaintext, inside the encrypted filesystem?

Tom Yates
Cambridge, UK.
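
The three steps quoted in the message above, as an added example that is not part of the original post and is not Bacula's code: it runs the session-key, key-wrap and bulk-encryption steps with the openssl CLI, reading only the recipient's public key on the encrypting side, and recovers the data with the private key kept elsewhere. The file names, the directory layout and the choice of RSA-OAEP with AES-256-CBC are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Bacula code): the three steps from the post, done with
# the openssl CLI. File names and layout are constructed for this demo and
# are not Bacula's on-tape format.
set -eu

make_keypair() (   # $1 = directory that will hold the recipient's keys
    openssl genrsa -out "$1/recipient.key" 2048 2>/dev/null
    openssl rsa -in "$1/recipient.key" -pubout -out "$1/recipient.pub" 2>/dev/null
)

encrypt_for() (    # $1 = PUBLIC key, $2 = plaintext file, $3 = output prefix
    key=$(openssl rand -hex 32)   # step 1: fresh 256-bit session key
    iv=$(openssl rand -hex 16)
    # step 2: wrap the session key for the recipient; only the public key is read
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.wrapped" || exit 1
    # step 3: symmetric encryption of the data (CBC alone gives no integrity check)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$2" -out "$3.data" || exit 1
    printf '%s' "$iv" > "$3.iv"
)

decrypt_with() (   # $1 = PRIVATE key, $2 = prefix from encrypt_for, $3 = output
    key=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.wrapped") || exit 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$2.iv")" \
        -in "$2.data" -out "$3"
)

demo() (
    d=$(mktemp -d)
    mkdir "$d/offline" "$d/client"
    make_keypair "$d/offline"            # the private key never enters client/
    cp "$d/offline/recipient.pub" "$d/client/"
    printf 'constructed sample file contents\n' > "$d/client/plain.txt"
    encrypt_for "$d/client/recipient.pub" "$d/client/plain.txt" "$d/client/backup"
    decrypt_with "$d/offline/recipient.key" "$d/client/backup" "$d/restored.txt"
    cmp -s "$d/client/plain.txt" "$d/restored.txt" && echo roundtrip-ok
    rm -rf "$d"
)

demo
```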