On Feb 16, 2009, at 11:15 AM, Steve Polyack wrote:
Feature Request Form
Item n: Storage Daemon based encryption
Origin: Steve Polyack korvus at comcast dot net
Date: 16 February 2009
Status: new
What: The ability to encrypt and decrypt data that moves between
the storage
On Feb 18, 2009, at 3:26 AM, Martin Simmons wrote:
On Tue, 17 Feb 2009 20:24:02 -0800, Landon Fuller said:
The private key is needed during backup if you use PKI Signatures.
Right. Currently, enabling PKI encryption also enables signing, but
the encryption implementation does not require
On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote:
That sounds backwards to me. Shouldn't the encrypter (backup) use
the public
key to keep the data safe? Then only the decrypter (restore) can
read the
data, using the private key.
Right. A symmetric session key is used for each backup
On Jan 8, 2008, at 23:26, Dan Langille wrote:
[snip]
Then I thought, if you want to do that, why not just encrypt at the
SD instead of the FD. If you're a big company and you want to
encrypt, why not do it all in one place? Why bother distributing
the same key everywhere? Or multiple
On Jan 3, 2008, at 07:49, Sven Carstens wrote:
03-Jan 16:12 epistaxis-dir: ERROR in openssl.c:74 Connect failure:
ERR=error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
03-Jan 16:12 epistaxis-dir: *Console*.2008-01-03_16.12.28 Fatal
error: TLS negotiation failed
On Jan 3, 2008, at 05:19, Carles Pina i Estany wrote:
Hello,
I have a short question. I only wonder if someone is using it or not
(so, if Bacula supports it or doesn't support). We made some tests and
we couldn't do but we will re-test.
Question is: is it possible to cypher the data in
On Dec 14, 2007, at 07:08, Jorge Cabello wrote:
Reading this I have a new doubt:
Is it possible to restore the encrypted files as they are
(encrypted) and
to use later another tool to unencrypt them?
The short answer is with work - yes. You would need to find a way
to extract the
On Dec 12, 2007, at 02:58, Dimitrios wrote:
When a job ends, it sends me a report via email and in that report
it contains:
Encryption: no
I'm using TLS encryption in all places (DIR, FD, SD, etc), but the
above suggests that nothing is encrypted.
Or am I wrong, and my
On Nov 1, 2007, at 7:52 AM, Vladimir Doisan wrote:
Currently I have signatures set in the FileSet as signature = MD5
and
PKI Signature = yes in client-fd (I assume SHA256 is default)
Is it necessary to have them set in both places? Can I safely get
rid of
signature = MD5 from FileSet
On Oct 4, 2007, at 5:01 PM, Dave wrote:
Hello,
Is anyone using tls with the latest bacula? I've installed the
latest
server on both FreeBSD via ports, and a CentOS 5 box, and I'm
getting the
same tls error, unable to load certification information on both.
I just upgraded our
On Sep 25, 2007, at 17:35, Dave wrote:
Hello,
I upgraded my bacula from 2.03 to 2.2.4 and now I am getting an
error
msg: can not initialize tls context for Storage device catalog in my
bacula-dir.conf file. Other than the upgrade I haven't changed any
options
in the configs. I've used
On Jun 15, 2007, at 5:18 AM, Kern Sibbald wrote:
Hello,
I am now working on bug #807, where decrypting files gets signature
digest
errors on each file restored. As far as I can tell, these are
*false* error
messages, most likely due to the fact that Microsoft BackupWrite()
does not
15:09 nec-dir: End auto prune.
It works perfectly when I use the original keypair.
Can anyone see where the problem comes from ?
Le jeudi 10 mai 2007 à 21:34 -0700, Landon Fuller a écrit :
On May 10, 2007, at 4:51 AM, massano jerome wrote:
Le jeudi 10 mai 2007 à 12:01 +0200, Kern
Sorry for the late arrival. An opendarwin.org e-mail hiccup ate my
subscription.
Kern Sibbald wrote:
Well, I care, and I don't trust DNS at all. From what I read here,
IMO the current implementation is nothing like I imagined -- it is
not the state of the art in security. With ssh, I
On Mar 14, 2007, at 13:41, Jorj Bauer wrote:
Let's take the DNS security issue off the table for the moment.
As I mentioned at some point, that's mostly paranoia. As you say,
you'd
have to compromise both DNS and one of the root CAs to exploit it. I
only mentioned it for those that are
On Dec 3, 2006, at 7:26 AM, Kern Sibbald wrote:
I'm still targeting it before the end of the year, but it looks
like one major
new feature will not be enabled, and that is data encryption. The
code just
is not stable (it doesn't pass a simple regression test), and it
affects the
Volume
On Dec 3, 2006, at 7:26 AM, Kern Sibbald wrote:
Volume data format, and it has known bugs (digest problems), which
means that
if any fixes involve changing the data format (as one does that I
found this
morning)
If you're referring to digesting/signing sparse blocks (the change
you
On Dec 3, 2006, at 11:41 AM, Kern Sibbald wrote:
On Sunday 03 December 2006 19:46, Landon Fuller wrote:
It would be negligent of me if this feature isn't ready for release;
what are the remaining blockers that you are concerned about?
Well, for example, the digest/signature routines were
On Dec 3, 2006, at 12:06 PM, Kern Sibbald wrote:
On Sunday 03 December 2006 20:57, Landon Fuller wrote:
On Dec 3, 2006, at 11:41 AM, Kern Sibbald wrote:
On Sunday 03 December 2006 19:46, Landon Fuller wrote:
Signature validation is done on what is actually written to disk
(upon restore
On Dec 3, 2006, at 12:06 PM, Kern Sibbald wrote:
These two issues appear to be due to some bugs in Robert Nelson's new
blocking encryption restore code. I'm going to spend today fixing
remaining issues there.
OK, thanks.
I've committed rewrite of the block-preserving encryption
(new thread for a new topic, and resending to the list since I sent
from the wrong From address. Whoops.)
On Nov 28, 2006, at 08:44, Benjamin Chambers wrote:
I'm doing some more testing for a client of ours, but this looks to
be the fault
of me running through tests too quickly and possibly
I'm going to wander off on a completely off-topic license discussion.
I apologize in advance.
On Nov 13, 2006, at 02:21, Alan Brown wrote:
On Fri, 10 Nov 2006, Les Mikesell wrote:
Is a non-free version a big issue for you? I've always been a big
fan
of perl's dual-license approach which
On Nov 8, 2006, at 06:54, Kern Sibbald wrote:
If you have any problems with this procedure, now is the time to speak up.
I'd just like to reiterate that if this is going to hose you, let us know -- I can implement backwards compatibility if necessary.
-landonf
On Nov 7, 2006, at 16:09, Kern Sibbald wrote:
Howdy Kern,
2. In their copyright transfer agreement, they explicitly give you
the same rights that I gave you (as best I can see from a quick
reading of it -- please verify this and let me know if you have any
issues). This is explained in the
On Nov 7, 2006, at 16:41, Kern Sibbald wrote:
Hello Landon,
Hopefully this one will come through intact ...
Super! That assuages my concerns completely.
Thanks!
Landon
On Nov 2, 2006, at 08:30, Robert Nelson wrote:
Landon,
I've changed the code so that the encryption code prefixes the data
block
with a block length prior to encryption.
The decryption code accumulates data until a full data block is
decrypted
before passing it along to the
On Nov 2, 2006, at 13:22, Robert Nelson wrote:
The problem is that currently there are three filters defined:
compression,
encryption, and sparse file handling. The current implementation of
compression and sparse file handling both require block boundary
preservation. Even if zlib
the compressed data size
with each
compressed block.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Landon
Fuller
The encryption does not include compression -- It made more sense
to piggyback on the existing compression code. Also, thanks for
catching
On Nov 2, 2006, at 16:29, Robert Nelson wrote:
In that case, would you like me to commit the code I have?
That'd be super. Thanks for fixing it.
I agree about reworking the stream implementation. The existing
code could
be written as a number of filters: gzip, openssl, sparse, block/
On Nov 1, 2006, at 2:20 PM, Michael Brennen wrote:
On Wednesday 01 November 2006 15:33, Arno Lehmann wrote:
This sounds like compression should be automatically disabled when
encryption is enabled. Should be useless anyway as encrypted data
should
no longer be compressible.
Not if
On Oct 5, 2006, at 11:21 AM, Deric Abel wrote:
Hello all, Two questions -:
1. Is the tape encryption all or nothing, or is it possible to
pick and
choose what files/directories are or are not? If so, how?
The file daemon encryption is all-or-nothing.
2. If a disaster occurred and
On Oct 2, 2006, at 11:16 PM, Michael Brennen wrote:
I have not been able to run with the PKI Master Key directive; the
error is something about not being able to load the private key.
Your error is different, which makes me wonder if you are really
running the cvs version, but you might try
On Sep 4, 2006, at 11:35, Lech Karol Pawłaszek wrote:
Hello bacula users!
I wonder if any of you have tried to encrypt your data (on a client-
side)
using a symmetric algorithm (like AES). I know that -beta can
perform signing
and encrypting data using asymmetric RSA keys, but AFAIK it's
Howdy --
Sorry for missing the TLS e-mails, I've been out in the Yosemite back
country.
Can you get a backtrace with symbols out of this crash?
-landonf
On Sep 5, 2006, at 5:21 PM, Dan Langille wrote:
I'm trying to setup TLS with one client. I have two other clients
working with TLS.
On Aug 23, 2006, at 2:48 PM, Michael Brennen wrote:
Landon's web site on encryption indicates that the on-disk (should
that be on-medium, to include tape and other?) format may change
during the beta testing. Can anyone give insight on how stable the
encryption format is? Thanks...
Howdy
On Aug 11, 2006, at 13:24, Mike wrote:
I have a possible situation at work where one user (I'll not
go into the details) needs to have all files from that
workstation encrypted before they get on the network and on
tape. Has there been a discussion, plan, or option I've overlooked
such that
On Aug 2, 2006, at 07:58, Skylar Thompson wrote:
Skylar Thompson wrote:
I just installed Bacula 1.38 in FreeBSD, using a Postgres backend.
bacula-dir starts up fine, but when I start up bconsole to go to
label a
tape I get a segfault. I've tried running at debug 1024. This is
what I
get
On Jul 19, 2006, at 12:31, R.I. Pienaar wrote:
hello,
I am in the process of deploying Bacula for my own use and that of
some people I contract to, I had a need for TLS between the various
connections and found the documentation was very misleading and
incomplete so after much list searching
Francisco Reyes wrote:
Michel Meyers writes:
Correct: There's encryption of the communication between the File Daemon
and the Storage Daemon but no encryption of the data as it is written to
tape/HDD/CD/DVD. That's still on the todo list.
Ok. Thanks for explanation. Perhaps the doc could
Bill Moran wrote:
On Sat, 8 Apr 2006 21:22:26 -0500
Erich Prinz [EMAIL PROTECTED] wrote:
Let me know if you want the pre compiled FD.
Would you mind putting this up on ftp or something for me to grab.
So far I've been unable to build from source or Darwin Ports.
Thanks.
What version
[EMAIL PROTECTED] wrote:
Hi,
I would like to know more about the actual status of the encryptions with
Bacula.
- Can we encrypt data on tape ? I see in the FileSet options that there is
possible encryption option, but it's not documented. Is it hard to
implement ?
There is code in
On Mar 6, 2006, at 12:28, Dean Waldow wrote:
I may be remembering incorrectly, but, I don't think you need a
license. I believe it is part of the OSX license itself. Can
anyone else comment on this? I think this is especially the case
for the server license because the server is often
On Mar 9, 2006, at 3:52 AM, Andreas Aronsson wrote:
I really think I got it working now!
When I am comparing with the instructions given here:
http://www.bacula.org/rel-manual/Bacula_TLS.html
The difference in my conf is:
bacula-fd.conf; add
# Global File daemon configuration
On Mar 8, 2006, at 06:30, Andreas Aronsson wrote:
# I have also tried with self-signed certs, one for each daemon according to these instructions:
# http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html
Just to clarify, these instructions are for
On Mar 6, 2006, at 10:15, Arno Lehmann wrote:
Hi,
On 3/6/2006 2:59 PM, Dwayne Hottinger wrote:
... that he needs 1.38 for MacOS X
Thanks,
I know that's the problem. But I don't see a dist for 1.38 dist for
os x 10.3.x. Is there a build for the -fd on osx 10.3? Or how do
I build for the
On Mar 6, 2006, at 12:09, Dwayne Hottinger wrote:
Here's my big problem. I don't have Xcode on any of my production
10.3.9 OSX
servers so I can't build my bacula-fd's on them for the new 1.38
release. I
upgraded my main backup server (linux) to 1.38 and not my clients
so now I get
some
Erich Prinz wrote:
Super. That actually helps a ton. Thought I was losing my mind.
I have VS Express and presume that will be sufficient for compiling
sake. Looks like there are other pieces to the puzzle that need to
happen and will check back in through the process.
For VC++
On Mar 1, 2006, at 2:15 AM, Chris Crowther wrote:
Landon Fuller wrote:
Who generally handles the Win32 Bacula builds?
Whoever it is has a lot of patience or luck, having tried to do it
myself :)
Does anyone know if it's actually possible to build it with TLS
support
Arno Lehmann wrote:
Hello,
On 2/27/2006 3:13 PM, kernel[consulting] info wrote:
I have a problem restoring files from the wx-console running on WinXP.
I was told to use bacula version 1.38.5, but I am unable to find the
binary win32 release of 1.38.5. Can anyone please be so kind to point me
On Feb 14, 2006, at 13:50, Dan Langille wrote:
On 5 Feb 2006 at 18:33, Landon Fuller wrote:
In the spirit of status reports -- Bacula's File Daemon now has
complete
support for signing and encrypting data prior to sending it to the
Storage Daemon, and decrypting said data upon receipt from
Dan Langille wrote:
On 5 Feb 2006 at 18:33, Landon Fuller wrote:
In the spirit of status reports -- Bacula's File Daemon now has complete
support for signing and encrypting data prior to sending it to the
Storage Daemon, and decrypting said data upon receipt from the Storage
Daemon.
Now
Landon Fuller wrote:
One other issue worth raising -- The director can currently overwrite
any file on the FD, including the encryption keys or the FD
configuration file, thus exposing private data to the director.
Something else I forgot to mention; the file daemon also ensures data
Bacula's File Daemon now has complete support for signing and encrypting
data prior to sending it to the Storage Daemon, and decrypting said data
upon receipt from the Storage Daemon.
There is a small memory leak I need to track down, and some remaining
bits and pieces to implement, but I
On Jan 17, 2006, at 10:15 AM, Landon Fuller wrote:
DarwinPorts (http://darwinports.opendarwin.org) includes a port for
1.38.2.
If I get some time, I'll update that to 1.38.4.
I've updated the DarwinPort to 1.38.4. It should be available from
the rsync server shortly.
-landonf
On Jan 16, 2006, at 8:12 AM, Andras Horvai wrote:
Hi Jari,
Thanks for your answer, but the firewall was the problem.
Your next problem will be that 1.36 and 1.38 are not compatible. =)
-landonf
Aleksandar Milivojevic wrote:
If client certificate for bconsole is passphrase protected, there is a prompt
displayed to enter the passphrase. Then bconsole hangs. Ctrl-C doesn't
work.
The only way to get out is to kill it from another terminal.
# bconsole
Connecting to Director
Aleksandar Milivojevic wrote:
I've just started experimenting with new TLS feature. One thing that almost
immediately popped out.
It would be good to have TLS Allowed DN and TLS Allowed Peer Certificate
options (or something shorter for the second one).
The first option (TLS Allowed DN)
Kern Sibbald wrote:
On Friday 09 December 2005 09:00, Davide Bolcioni wrote:
Kern Sibbald wrote:
The current production release is Bacula version 1.38.2. Between the
time it was released (22 November 2005) and now, there are a number of
bugs that have been fixed, which some users might want
Phil Stracchino wrote:
Frank Sweetser wrote:
On Mon, Dec 05, 2005 at 11:07:14PM +0100, Kern Sibbald wrote:
Yes, as I mentioned in a previous email. You are using encrypted comm. The
current way it is programmed, this is exactly what will happen because it
runs in non-blocking read mode.
Kern Sibbald wrote:
On Sunday 20 November 2005 22:35, Landon Fuller wrote:
Additionally, the GUI consoles/tray monitor do not support transport
encryption. This is just a matter of copying the relevant code from
bconsole. This would be an excellent small project for an aspiring
developer
Kern Sibbald wrote:
On Sunday 20 November 2005 22:35, Landon Fuller wrote:
Win32 support for transport encryption requires a small amount of code
to implement entropy gathering using Microsoft's Crypto API. I'm the
blocking factor there -- building the win32 file daemon is complicated
Arno Lehmann wrote:
Hmm. A good manual section about VPN setup could solve these problems :-)
Seriously, using a VPN to backup data would be one good option as long
as transport encryption is not fully implemented. Once transport
encryption is stable, things look different... One possible
Ray Burr wrote:
Landon Fuller wrote:
Kern Sibbald wrote:
Hello,
Does anyone have any *real* bacula .conf examples of using the new
TLS data encryption feature? I would like to add them to the manual.
Here are the TLS portions of my configuration files:
[...]
I just set mine up
Kern Sibbald wrote:
Hello,
Does anyone have any *real* bacula .conf examples of using the new TLS data
encryption feature? I would like to add them to the manual.
Here are the TLS portions of my configuration files:
bacula-dir.conf:
Director {# define myself
Felix Schwarz wrote:
Hi all,
I'm experiencing some configurations issues enabling TLS on 1.37.38.
bacula-dir.conf
Director {# define myself
Name = maindirector
TLS Enable = yes
TLS Require = yes
TLS Certificate = /etc/bacula/certs/server1.schwarz.local.crt
Mike wrote:
| Hello,
|
| I'm going to be setting up a new backup system for my work in the next
| couple of days,
| and I'm interested in using a new (1.37.38) version of Bacula (as I'm
| interested in the
| database changes, and the SSL support)-
Kern Sibbald wrote:
| I had to modify the Bacula GPL license to be acceptable to Debian (I'm
not in
| the least complaining as I respect their position). This was because
| OpenSSL, which for some reason is not OpenSource or at least was not
at the
Kern Sibbald wrote:
| 1. Please help encourage Landon Fuller implement data encryption by
| contributing to EFF. If you haven't seen the announcement about this,
please
| visit: http://www.bacula.org/?page=news For those of you who have
| Disks are very convenient but a bit expensive for archival storage. A
72 GB DAT tape is about $20. A hard drive is a bit more.
|
| You have to think about the threats that you are protecting against.
These are real problems -- I'll address how
Langille $100
Tom Plancon $65
Total: $1,165
Thank you for your donation! The EFF has taken notice:
In addition, huge thanks to Landon Fuller and the Bacula Project for
helping to raise money for EFF...
Grassroots
70 matches