Adam,

I don't know for sure how to check if the default binaries supplied by
Debian support encryption out of the box. I would suspect that the packages
support SSL since that is a secure default.

I do advise that you consider adding the bacula community repository and
using a newer version of bacula. The current production version is 15.0.2.

Udo is right - if you want to encrypt tape volumes, LTO drive-based
encryption is probably the best way. Just remember to back up the encryption
key. If your drive is replaced or repaired, the new or repaired drive won't
be able to restore any of your tapes until the key is applied to the drive
again.

Bacula 9.x *probably does support FD level encryption*. This means
that the FD must be configured with a key, and backups sent to the SD will
contain data already encrypted. Bacula will be unable to decrypt this data
unless a suitable decryption key is provided (either the key used by the
FD or a 'master' key that signed the original FD key). The interesting
feature here is that it is possible to use bacula to back up data, but not
trust the bacula SD with access to the decrypted data. So for example, the
accounting dept could have their data safely encrypted without concern that
the backup team could have access to privileged information like account
numbers. The caveat is that the encryption keys themselves must be safely
backed up. Obviously, without them the backup data can never be decrypted.
See the manual for more details.

Bacula 9.x *does NOT support volume encryption*. Volume encryption
support was added to bacula community edition in bacula 15.x. SD volume
encryption can encrypt volumes in a manner similar to that done by an LTO
drive, but bacula manages the encryption instead. Obviously there is a CPU
penalty. Any bacula volume, including hard drive volumes, can be encrypted
in this way. As mentioned above, this is only supported in bacula community
edition from 15.x onward. Additionally, any encryption keys generated by
bacula must be backed up separately or the volume data will be
unrecoverable. See the bacula community edition manual for version 15.x if
you are interested.

Bacula 9.6 almost certainly supported encrypting communications between FD
and Dir / SD. Some references to encryption will be in regard to that
feature. I would expect that to be enabled by default. To see if encryption
is being used in your FD to Dir/SD communications, look at the job logs for
a line similar to the following. Look for the word 'TLS'.

16-Feb 12:56 td-bacula-dir JobId 34: Connected to Storage "Synology-Local" at td-bacula:9103 with TLS

*No matter which option you select, you MUST back up your encryption key(s)
separately from the encrypted backups. Without the keys, there is no way to
recover your files.*


Robert Gerber
402-237-8692
r...@craeon.net


On Mon, Feb 17, 2025 at 10:28 AM Udo Kaune <bac...@inet-hamburg.de> wrote:

> On 17.02.25 at 14:14, Adam Weremczuk wrote:
>
> Does Bacula 9.6.7 (from Debian 11 repository) likely support backup
> encryption out of the box?
>
> Or do I need to compile it with ./configure --with-openssl ?
>
> How do I check if encryption is currently available?
>
> I'm using it with LTO-8 ULTRIUM-HH8 external tape drive.
>
> ---
> Adam
>
>
> You should opt for encryption by the drive. This is much less cumbersome,
> very reliable and also cheap (CPU-wise).
>
> https://github.com/scsitape/stenc
>
> Regards
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
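The job-log check described in the reply above, as an added example that is not part of the original thread or of Bacula itself: it re-joins wrapped log lines and reports, per JobId, whether each "Connected to ..." line says "with TLS". The function names, the sample data and the assumption that a non-TLS connection logs the same line without the "with TLS" suffix are mine.

```shell
#!/bin/sh
# Added example, not from the thread: classify Bacula "Connected to ..." job log
# lines by whether they say "with TLS".
# Assumption: a connection made without TLS logs the same line minus "with TLS".

bacula_tls_report() {
    # stdin: job log text. stdout: "<JobId> <peer> <TLS|NO-TLS>" per connection.
    # Returns 1 if any connection line lacks "with TLS", else 0.
    awk '
    function emit(   job, peer, tls) {
        if (rec ~ /Connected to /) {
            job = "?"
            if (match(rec, /JobId [0-9]+/))
                job = substr(rec, RSTART + 6, RLENGTH - 6)
            tls = (rec ~ / with TLS/) ? "TLS" : "NO-TLS"
            if (tls == "NO-TLS") bad = 1
            peer = rec
            sub(/^.*Connected to /, "", peer)   # drop timestamp, daemon, JobId
            sub(/ at .*$/, "", peer)            # drop address and TLS suffix
            print job, peer, tls
        }
        rec = ""
    }
    { sub(/[ \t\r]+$/, "") }                    # trim trailing blanks and CR
    # A leading "DD-Mon HH:MM " timestamp starts a new log record.
    /^[0-9][0-9]-[A-Za-z]+ [0-9][0-9]:[0-9][0-9] / { emit(); rec = $0; next }
    # Anything else continues a record that mail or a terminal wrapped.
    { sub(/^[ \t]+/, ""); if (rec != "") rec = rec " " $0 }
    END { emit(); exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the first record is the line quoted in the thread (wrapped
# as it was in the mail); the second is a constructed no-TLS variant.
sample_log() {
    cat <<'EOF'
16-Feb 12:56 td-bacula-dir JobId 34: Connected to Storage
"Synology-Local" at td-bacula:9103 with TLS
16-Feb 13:10 td-bacula-dir JobId 35: Connected to Storage "Synology-Local" at td-bacula:9103
EOF
}

sample_log | bacula_tls_report || echo "at least one connection was not TLS"
```

A non-zero return from bacula_tls_report makes it usable as a scheduled check over saved job logs.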