Thanks, Rob. As you rightly pointed out, after reading the Bacula manuals, I was finally able to configure AES256 encryption properly. Thank you very much for your help.
From: Rob Gerber <[email protected]>
Sent: Thursday, December 4, 2025 16:10
To: Enzo Renatto Serafini Samaniego <[email protected]>
CC: bacula-users <[email protected]>; LD SystemAlerts <[email protected]>
Subject: Re: [Bacula-users] configure AES256 data encryption using PKI

Enzo,

Essentially, assuming your bacula is stock (unmodified, obtained from someone's repository), then your AI is hallucinating. It appears to be imagining options that do not exist in bacula.

There is not very much information about bacula on the internet, so the various AI scrapers could not train their LLMs on bacula effectively. This means that an LLM is much worse at helping with bacula than with other linux related tasks. The Bacula information provided by chatgpt in particular is often very bad.

AI can be useful for other tasks, as long as you carefully review the output and double check what it suggests. In the case of bacula, the AI cannot be very helpful because there is limited training data to help the AI learn about bacula.

Your best chance to get bacula working is to read the manuals found at bacula.org, and to ask for help on this mailing list if you get stuck.

Regarding encryption, what is your goal?

Bacula 15.x supports two forms of encryption:

0. First, keep in mind that by default bacula encrypts all data in transit between different Bacula components (FD, SD, Dir). So data is never sent in plain text. The following options discuss what is done to protect data at rest.
1. File Daemon encryption. Keys and encryption are managed at the FD level.
The SD never sees unencrypted data (metadata may be unencrypted). Data recovery requires interacting with FD keys. It is possible to create a "master" key that can also restore data, for use in case the FD keys are lost. The FD encryption feature is supported by previous versions of bacula, from around 9.x onward iirc.
2. Storage volume encryption. Keys are managed by the SD. The SD receives unencrypted data, and encrypts the volumes the data is stored inside. Each volume has its own automatically generated key. The storage volume encryption feature is supported from bacula 15.x (the latest version).

Bacula 15.x (and earlier versions) are hosted at the community-maintained repository, available from bacula.org.

Robert Gerber
402-237-8692
[email protected]

On Wed, Dec 3, 2025, 3:48 AM Enzo Renatto Serafini Samaniego <[email protected]> wrote:

Hello Community,

I'm attempting to configure AES256 data encryption using PKI and simultaneously upgrade the data integrity signature from MD5 to SHA256.

I am using Bacula Community version 11.0.6 on CentOS 7. My Bacula Catalog uses a PL/SQL-based (Oracle) database.

I have completed the generation and exchange of OpenSSL certificates successfully, but the Bacula parser consistently throws a Keyword not permitted in this resource error on the PKI directives. This suggests a syntax breakdown that I cannot resolve.

Below, I detail the configuration and the errors encountered:

________________________________

1. ⚙️ Implemented Configuration Changes

I have modified two key files on the Director and File Daemon.

A. bacula-dir.conf (Director)

I added the PKI directives within their respective resources. The error is reported on the line where I start using PkiDirectory in the Director resource.
Code snippet:

    Director {
      Name = bacula-dir
      DIRport = 9101
      QueryFile = "[PATH]/query.sql"
      WorkingDirectory = "[PATH]/working"
      Password = "[DIR_PASSWORD]"
      Messages = Daemon
      PkiDirectory = /etc/bacula/ssl   # <--- ERROR REPORTED HERE
      PkiMasterKey = /etc/bacula/ssl/master.keypair
    }

    Client {
      Name = [CLIENT]-fd
      Address = [CLIENT_IP]
      ...
      PkiDirectory = /etc/bacula/ssl
      PkiClient = /etc/bacula/ssl/client.pem
    }

    FileSet {
      Name = "MiFileSet"
      Include {
        Options {
          signature = SHA256   # Updated from MD5 to SHA256 for integrity check.
          compression = GZIP
        }
      }
    }

B. bacula-fd.conf (File Daemon/Client)

I added the activation directives and key paths within the FileDaemon resource.

Code lines:

    FileDaemon {
      Name = bacula-fd
      FDport = 9102
      WorkingDirectory = "[PATH]/working"
      Maximum Concurrent Jobs = 20
      PkiEnable = yes   # <--- ERROR REPORTED HERE
      PkiCipher = AES256   # Intent: AES256 Encryption
      PkiDigest = SHA256
      PkiDirectory = /etc/bacula/ssl
      PkiCert = /etc/bacula/ssl/client.pem
      PkiKey = /etc/bacula/ssl/client.key
      PkiMasterKey = /etc/bacula/ssl/master.cert
    }

________________________________

2. 🚨 Persistent Errors (Syntax Breakdown)

Both daemons fail to validate the configuration files. The error line shifts when lines are added/removed, strongly indicating a parser breakdown of the preceding configuration block.

| Daemon | Validation Command | Error (Reported) |
|---|---|---|
| Director | bacula-dir -t -c bacula-dir.conf | Config error: Keyword "PkiDirectory" not permitted in this resource. Perhaps you left the trailing brace off of the previous resource. : line 11, col 15 |
| File Daemon | bacula-fd -t -c bacula-fd.conf | Config error: Keyword "PkiEnable" not permitted in this resource. Perhaps you left the trailing brace off of the previous resource. : line 21, col 12 |

Attempted Fixes:

* Confirmed file encoding is UTF-8 Unicode text (not CRLF/DOS format).
* Performed strict manual rewriting of the resources without comments or empty lines to eliminate hidden characters, but the errors persist on the PKI activation line.
Has anyone in the community experienced this extreme parser sensitivity on version 11.0.6 with PKI directives, or do you see a subtle syntax error in the order of directives within the Director and FileDaemon blocks?

Thank you very much in advance for any assistance.

Before printing this e-mail or attachments, be sure it is necessary. It is in our hands to protect the environment.

**********************DISCLAIMER*****************
THIS MESSAGE IS PRIVATE AND CONFIDENTIAL AND IT IS INTENDED EXCLUSIVELY FOR THE ADDRESSEE. IF YOU RECEIVE THIS MESSAGE BY MISTAKE, YOU SHOULD NOT DISSEMINATE, DISTRIBUTE OR COPY THIS E-MAIL. PLEASE INFORM THE SENDER AND DELETE THE MESSAGE AND ATTACHMENTS FROM YOUR SYSTEM. NO CONFIDENTIALITY NOR ANY PRIVILEGE REGARDING THE INFORMATION IS WAIVED OR LOST BY ANY MISTRANSMISSION OR MALFUNCTION. ANY VIEWS OR OPINIONS CONTAINED IN THIS MESSAGE ARE SOLELY THOSE OF THE AUTHOR, AND DO NOT NECESSARILY REPRESENT THOSE OF ALLFUNDS, UNLESS OTHERWISE SPECIFICALLY STATED AND THE SENDER IS AUTHORIZED TO DO SO. E-MAIL TRANSMISSION CANNOT BE GUARANTEED TO BE SECURE, CONFIDENTIAL, OR ERROR-FREE, AS INFORMATION COULD BE INTERCEPTED, CORRUPTED, LOST, DESTROYED, ARRIVE LATE OR INCOMPLETE, OR CONTAIN VIRUSES. ALLFUNDS DOES NOT ACCEPT RESPONSIBILITY FOR ANY CHANGES, ERRORS OR OMISSIONS IN THE CONTENTS OF THIS MESSAGE AFTER IT HAS BEEN SENT. THIS MESSAGE IS PROVIDED FOR INFORMATIONAL PURPOSES AND SHOULD NOT BE CONSTRUED AS A SOLICITATION OR OFFER TO BUY OR SELL ANY SECURITIES OR RELATED FINANCIAL INSTRUMENTS.

_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users
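As an added example (not part of the thread and not Bacula's own code), this shell check lists PKI-style keywords in a File Daemon configuration that are not among the FileDaemon PKI directives, using the bacula-fd.conf quoted above as constructed input. The accepted-directive list and the function names are assumptions; verify the list against the manual for your Bacula version.

```shell
#!/bin/sh
# Added example (not from the thread): list PKI-looking keywords in a
# bacula-fd.conf that are not File Daemon PKI directives.
# Assumption: KNOWN_FD_PKI mirrors the FileDaemon directives PKI Signatures,
# PKI Encryption, PKI Keypair, PKI Master Key, PKI Signer, PKI Cipher and
# PKI Digest; confirm the list against the manual for your Bacula version.
KNOWN_FD_PKI="pkisignatures pkiencryption pkikeypair pkimasterkey pkisigner pkicipher pkidigest"

# Bacula ignores case and spaces inside keywords, so compare the same way.
normalise() { printf '%s' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z'; }

# Print each unknown pki* keyword found in the file named by $1, in order.
unknown_pki_keywords() {
    sed -e 's/#.*//' "$1" | grep '=' | while IFS= read -r line; do
        key=$(normalise "${line%%=*}")
        case "$key" in
            pki*) ;;
            *) continue ;;
        esac
        case " $KNOWN_FD_PKI " in
            *" $key "*) ;;
            *) printf '%s\n' "$key" ;;
        esac
    done
}

# Constructed sample: the FileDaemon resource quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
FileDaemon {
  Name = bacula-fd
  FDport = 9102
  PkiEnable = yes
  PkiCipher = AES256
  PkiDigest = SHA256
  PkiDirectory = /etc/bacula/ssl
  PkiCert = /etc/bacula/ssl/client.pem
  PkiKey = /etc/bacula/ssl/client.key
  PkiMasterKey = /etc/bacula/ssl/master.cert
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
unknown_pki_keywords "$sample"   # one normalised keyword per line
rm -f "$sample"
```

For the quoted configuration it prints pkienable, pkidirectory, pkicert and pkikey; the first is the keyword named in the File Daemon error reported in the thread.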
