Re: [Bacula-users] Restoring encrypted files to a different host
On Wed, Mar 24, 2021, at 3:37 PM, Shawn Rappaport wrote:
> What do I need to do in order to be able to restore from one server to the
> other? Do I need to copy the private key from portal02-px to portal01-px and
> update bacula-fd.conf on them as well?

Yes, but note, I have never tried this.

> If so, what would I put in bacula-fd.conf?

Basically, the same as what you had in the other client for PKI Keypair

see https://www.bacula.org/11.0.x-manuals/en/main/Data_Encryption.html

--
Dan Langille
d...@langille.org

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

[Bacula-users] Restoring encrypted files to a different host
I'm using TLS and encryption for some sensitive backup clients. I'm running Bacula 9.0.6 on the Director, Storage and Clients, all running CentOS 7.5. I just tried to restore some files from a server called portal02-px to a server called portal01-px but it failed due to a missing private key:

24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Start Restore Job RestoreFiles.2021-03-24_11.53.28_40
24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Using Device "FileChgr1-Dev1" to read.
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Ready to read from volume "tempe2-weekly-127" on File device "FileChgr1-Dev1" (/data).
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Forward spacing Volume "tempe2-weekly-127" to addr=2003871821
24-Mar 11:53 bacmedia02-px.internal.shutterfly.com-sd JobId 143929: Elapsed time=00:00:02, Transfer rate=4.821 K Bytes/second
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 portal01-px.internal.shutterfly.com-fd JobId 143929: Error: Missing private key required to decrypt encrypted backup data.
24-Mar 11:53 bacdirector01-lv.internal.shutterfly.com-dir JobId 143929: Error: Bacula bacdirector01-lv.internal.shutterfly.com-dir 9.0.6 (20Nov17):
  Build OS:               x86_64-pc-linux-gnu redhat (Core)
  JobId:                  143929
  Job:                    RestoreFiles.2021-03-24_11.53.28_40
  Restore Client:         portal01-px-fd
  Start time:             24-Mar-2021 11:53:30
  End time:               24-Mar-2021 11:53:33
  Files Expected:         6
  Files Restored:         6
  Bytes Restored:         0
  Rate:                   0.0 KB/s
  FD Errors:              6
  FD termination status:  Error
  SD termination status:  OK
  Termination:            *** Restore Error ***

So, it seems that the way I have things configured, I can only restore to the same host (I was able to do that successfully). Here are the File Daemon sections of those two servers:

FileDaemon {                          # this is me
  Name = portal02-px.internal.shutterfly.com-fd
  FDport = 9102                       # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/portal02-px.crt
  TLS Key = /etc/bacula/portal02-px-daemon.key
  PKI Encryption = Yes                # Enable Data Encryption
  PKI Signatures = Yes                # Enable Data Signing
  PKI Keypair = /etc/bacula/portal02-px.pem# Public and Private Keys
  PKI Master Key = /etc/bacula/bacdirector01-lv.crt # ONLY the Public Key
}

FileDaemon {                          # this is me
  Name = portal01-px.internal.shutterfly.com-fd
  FDport = 9102                       # where we listen for the director
  WorkingDirectory = /opt/bacula/working
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  Plugin Directory = /usr/lib64
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/cacert.pem
  TLS Certificate = /etc/bacula/portal01-px.crt
  TLS Key = /etc/bacula/portal01-px-daemon.key
  PKI Encryption = Yes                # Enable Data Encryption
  PKI Signatures = Yes                # Enable Data Signing
  PKI Keypair = /etc/bacula/portal01-px.pem# Public and Private Keys
  PKI Master Key = /etc/bacula/bacdirector01-lv.crt # ONLY the Public Key
}

What do I need to do in order to be able to restore from one server to the other? Do I need to copy the private key from portal02-px to portal01-px and update bacula-fd.conf on them as well? If so, what would I put in bacula-fd.conf?

Thanks!

--Shawn
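
A pre-restore check for the situation in this thread, added here as an example (it is not code from either poster or from the Bacula project): it reads the PKI Keypair path out of a bacula-fd.conf and uses openssl to confirm that the file holds the private key matching the certificate of the client that wrote the backup. The function names and the script's two arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a restore client's PKI Keypair before running a restore.
# Function names and argument order are hypothetical, chosen for this example.

# Print the path set for "PKI Keypair" in the bacula-fd.conf given as $1.
# Keyword case and spacing are ignored; a trailing "# comment" and any
# surrounding quotes are dropped.
pki_keypair_path() {
    awk -F= 'tolower($1) ~ /^[ \t]*pki[ \t]*keypair[ \t]*$/ {
        v = $2; sub(/#.*/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        print v; exit }' "$1"
}

# Succeed only if PEM file $1 contains a private key whose public half equals
# the public key in certificate $2 (the backup client's certificate).
# Exit 2: no readable private key in $1. Exit 3: $2 is not a certificate.
keypair_decrypts_for() (
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 3
    [ "$key_pub" = "$cert_pub" ]
)

# Usage: sh check.sh /path/to/bacula-fd.conf /path/to/backup-client.crt
if [ "$#" -eq 2 ]; then
    pem=$(pki_keypair_path "$1")
    if keypair_decrypts_for "$pem" "$2"; then
        echo "OK: $pem holds the private key for $2"
    else
        echo "FAIL: $pem has no private key matching $2" >&2
        exit 1
    fi
fi
```

Run on the restore host, the second argument is only the certificate (public part) of the client that made the backup, so the comparison itself does not require moving any private key.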