Personally I would not use data encryption at the client if not required. Use the newer versions of Bareos where it uses PSK (pre shared keys) using the password to set up an encrypted tunnel over which the data rides. Thus it lands on your SD unencrypted but the data is encrypted over the wire.
If you need encrypt the data at rest use LVM or Fuse encryption for disk volumes, and LTO encryption for tape. This will encrypt the data at rest, but avoid managing keys for clients. Also makes restores not dependent on those SSL certs only for the disk volume and tape which is all managed on the server and can be easily replicated by the admin team. (I keep all my tape secret in 1password encrypted note and GPG encrypted file, and only needed if I lose my catalog dump/backup, which is treated differently than my client backups). The only reason I see today to use File Damon Encryption as documented in that page is if you need to promise the client you cannot access their data. That is _only_ true if only the client has the private key, AND to double what MK said there is huge risk that the client will lose that key and not have it recoverable when you need to do a restore. If you rely on encryption using PSK which should be automatic if any recent bareos version it’s much less error prone. Eg Look for: Connected Client: mlds at mlds:9102, encryption: PSK-AES256-CBC-SHA In your job logs. I do this all without managing certificates on the FD. Brock Palen [email protected] www.mlds-networks.com Websites, Linux, Hosting, Joomla, Consulting > On Dec 21, 2020, at 8:21 AM, Spadajspadaj <[email protected]> wrote: > > bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos > filedaemon is the program running on the client which you are backing up. > > As per the documentation (which you already found), all data is encrypted on > client prior to being sent to server (or to Storage Daemon, to be precise). > > But please, read the documentation again (and again if need be) so you > understand how it's working so you don't accidentaly lose your keys (and > hence any possibility of decrypting the backed up data!). > > > > Best regards, > > MK > > On 21/12/2020 14:14, Gonçalo Sousa wrote: >> Can someone help me please >> >> On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote: >> >> I am trying to implement data encryption on bareOS following this >> documentation: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html >> >> I have already created/generated the .cert, .pem and .key files on the >> BareOS server. >> >> My question is where do I configure them, on the example only mentions >> bareos-fd.conf >> Is this file located on /etc/bareos/bareos-dir.d/client/ ? >> >> All the keys, pem and cert files must be located on the BareOS server right? >> All the configuration is only made on the BareOS right? >> -- >> You received this message because you are subscribed to the Google Groups >> "bareos-users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/bareos-users/955a1789-27f7-4f96-84a5-808aac6a2698n%40googlegroups.com. > > -- > You received this message because you are subscribed to the Google Groups > "bareos-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/bareos-users/f370d739-65fb-5ed9-25da-30e78304258c%40gmail.com. -- You received this message because you are subscribed to the Google Groups "bareos-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/bareos-users/9361B57E-FBAB-4034-BB54-B6D41E965F60%40mlds-networks.com.
