Re: [Bacula-users] TLS issues

2020-08-03 Thread Shawn Rappaport
Hey Dan,

Thanks for the quick response! Based on what you wrote below, it sounds like 
the "Encryption" line listed in the backup log refers to data encryption at 
rest, not TLS encryption in transit. So, now it makes sense why I saw that 
Encryption said no. I was planning on tackling the data encryption after I got 
TLS working, which I think I have done. :-)

Thanks again!

--Shawn


From: Dan Langille 
Sent: Monday, August 3, 2020 9:40 AM
To: Shawn Rappaport ; Dimitri Maziuk via 
Bacula-users 
Subject: Re: [Bacula-users] TLS issues

On Mon, Aug 3, 2020, at 12:30 PM, Shawn Rappaport wrote:

Any idea why it would not be encrypted even though I am requiring TLS?

TLS is just transit.  Transport Layer Security.

https://www.bacula.org/9.6.x-manuals/en/main/Bacula_TLS_Communications_E.html

You want Data Encryption:

https://www.bacula.org/9.6.x-manuals/en/main/Data_Encryption.html


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] TLS issues

2020-08-03 Thread Dan Langille
On Mon, Aug 3, 2020, at 12:30 PM, Shawn Rappaport wrote:
> 
> Any idea why it would not be encrypted even though I am requiring TLS?

TLS is just transit.  Transport Layer Security.

https://www.bacula.org/9.6.x-manuals/en/main/Bacula_TLS_Communications_E.html

You want Data Encryption:

https://www.bacula.org/9.6.x-manuals/en/main/Data_Encryption.html

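Added check illustrating Dan's point (example code written for this thread, not Bacula's or anyone's own tooling): Bacula reports the two protections in two different places, the FD's client status says whether the Director session is TLS-protected (transit), while the job summary's "Encryption:" line reflects the FD's Data Encryption (PKI) setting (at rest). The sample text is constructed from the output pasted in this thread, and the line patterns are assumed from that output.

```python
import re

# Constructed sample: trimmed from the client "status" and the job
# summary output quoted in this thread.
CLIENT_STATUS = """\
Running Jobs:
Director connected using TLS at: 31-Jul-20 17:44
No Jobs running.
"""

JOB_SUMMARY = """\
  Backup Level:   Full
  Software Compression:   64.0% 2.8:1
  Comm Line Compression:  1.1% 1.0:1
  Encryption: no
  Termination:Backup OK
"""


def transit_tls(status_text):
    """True if the FD reports the Director session as TLS-protected.
    This is what 'TLS Require = yes' buys: protection in transit only."""
    return bool(re.search(r"^Director connected using TLS", status_text, re.M))


def data_encryption(summary_text):
    """The 'Encryption:' line of a job summary is the Data Encryption
    (PKI) setting on the File Daemon; it says nothing about TLS."""
    m = re.search(r"^\s*Encryption:\s*(\w+)", summary_text, re.M)
    return m is not None and m.group(1).lower() == "yes"


def classify(status_text, summary_text):
    """Report both protections separately, so 'TLS on, Encryption: no'
    reads as 'in transit only', which is the situation in the thread."""
    tls = transit_tls(status_text)
    pki = data_encryption(summary_text)
    if tls and pki:
        return "in transit and at rest"
    if tls:
        return "in transit only"
    if pki:
        return "at rest only"
    return "none"


if __name__ == "__main__":
    print(classify(CLIENT_STATUS, JOB_SUMMARY))  # in transit only
```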


Re: [Bacula-users] TLS issues

2020-08-03 Thread Shawn Rappaport
Hi Dan,

Thanks for the response, pointing out ssl-admin and your blog post! I sent a 
follow-up email early Friday evening before I called it quits for the weekend. 
However, I got an automated response saying it was waiting on moderator 
approval due to the size of the message being 49KB (apparently 40KB is the 
limit). I trimmed down my original message below in hopes that it is now small 
enough to be accepted.

I started over configuring TLS, this time using the instructions here:
https://blog.earth-works.com/2015/08/22/configuring-bacula-to-use-tls-to-encrypt-connections-updated-version-2/

Things look a lot better now. I can connect to bconsole and I confirmed that I 
can connect to the test client using TLS:

Connecting to Client memsql01-px-fd at memsql01-px.internal.shutterfly.com:9102

memsql01-px.internal.shutterfly.com-fd Version: 9.0.6 (20 November 2017) 
x86_64-pc-linux-gnu redhat (Core)
Daemon started 31-Jul-20 17:26. Jobs: run=1 running=0.
 Heap: heap=135,168 smbytes=183,132 max_bytes=1,259,687 bufs=103 max_bufs=4,386
 Sizes: boffset_t=8 size_t=8 debug=0 trace=0 mode=0,0 bwlimit=0kB/s
 Plugin: bpipe-fd.so

Running Jobs:
Director connected using TLS at: 31-Jul-20 17:44
No Jobs running.


Terminated Jobs:
 JobId  Level   Files     Bytes   Status   Finished         Name
===================================================================
   205  Full   68,416   1.061 G  OK       08-Jul-20 16:25  memsql01-px
   268  Full   69,508   1.073 G  OK       31-Jul-20 17:42  memsql01-px



However, it doesn't look like my test backup used encryption:

31-Jul 17:47 xbacdirector01-lv.internal.shutterfly.com-sd JobId 268: Elapsed 
time=00:02:47, Transfer rate=6.492 M Bytes/second
31-Jul 17:47 xbacdirector01-lv.internal.shutterfly.com-sd JobId 268: Sending 
spooled attrs to the Director. Despooling 17,433,053 bytes ...
31-Jul 17:48 xbacdirector01-lv.internal.shutterfly.com-dir JobId 268: Bacula 
xbacdirector01-lv.internal.shutterfly.com-dir 9.0.6 (20Nov17):
  Build OS:   x86_64-pc-linux-gnu redhat (Core)
  JobId:  268
  Job:memsql01-px.2020-07-31_17.45.10_03
  Backup Level:   Full
  Client: "memsql01-px-fd" 9.0.6 (20Nov17) 
x86_64-pc-linux-gnu,redhat,(Core)
  FileSet:"linux-full" 2018-02-23 23:05:00
  Pool:   "Daily" (From Job resource)
  Catalog:"MyCatalog" (From Client resource)
  Storage:"File1" (From Pool resource)
  Scheduled time: 31-Jul-2020 17:45:02
  Start time: 31-Jul-2020 17:45:12
  End time:   31-Jul-2020 17:48:03
  Elapsed time:   2 mins 51 secs
  Priority:   10
  FD Files Written:   69,508
  SD Files Written:   69,508
  FD Bytes Written:   1,073,884,163 (1.073 GB)
  SD Bytes Written:   1,084,178,560 (1.084 GB)
  Rate:   6280.0 KB/s
  Software Compression:   64.0% 2.8:1
  Comm Line Compression:  1.1% 1.0:1
  Snapshot/VSS:   no
  Encryption: no
  Accurate:   no
  Volume name(s): daily-1
  Volume Session Id:  1
  Volume Session Time:1596242323
  Last Volume Bytes:  1,087,379,990 (1.087 GB)
  Non-fatal FD errors:0
  SD Errors:  0
  FD termination status:  OK
  SD termination status:  OK
  Termination:Backup OK

This is what I have in bacula-fd.conf on the test client (memsql01-px):

Director {
  Name = xbacdirector01-lv.internal.shutterfly.com-dir
  Password = "password"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/memsql01-px.crt
  TLS Key = /etc/ssl/memsql01-px-daemon.key
}

FileDaemon {  # this is me
  Name = memsql01-px.internal.shutterfly.com-fd
  FDport = 9102  # where we listen for the director
  WorkingDirectory = /opt/bacula/working
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/memsql01-px.crt
  TLS Key = /etc/ssl/memsql01-px-daemon.key
}

Here are the relevant portions of the bacula-dir.conf file on the Director:

Director {  # define myself
  Name = xbacdirector01-lv.internal.shutterfly.com-dir
  DIRport = 9101  # where we listen for UA connections
  QueryFile = "/etc/bacula/query.sql"
  WorkingDirectory = "/var/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 20
  Password = "password" # Console password
  Messages = Daemon
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/cacert.pem
  TLS Certificate = /etc/ssl/xbacdirector01-lv.crt
  TLS Key = /etc/ssl/xbacdirector01-lv-daemon.key
  TLS Verify Peer = yes
#  TLS Allowed CN = “xbacdirector01-lv.internal.shutterfly.com”
}

Storage { # definition of