Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Lauri Kiiski


> On 14 Aug 2019, at 22.37, Josh Fisher wrote:
>
> On 8/14/2019 12:51 PM, Martin Simmons wrote:
>>>> I think, though, that Lauri is referring to encrypt the metadata that is
>>>> stored unencrypted in a disk volume by somehow encrypting the whole disk.
>>>>
>>> This is a main point! When he encrypts the whole filesystem then it is
>>> useless (and time consuming) to double encrypt backup data with Bacula.
>> Doesn't that depend on the relative secrecy of the data v.s. the metadata?
>> If the data is much more secret then it might be worthwhile to encrypt it
>> (on the client) in case the SD's filesystem can be read while the disk is
>> mounted (i.e. when it is not protected by the encrypted filesystem).
>
> If the SD stores on an encrypted FS and Bacula data encryption is not used,
> then that data is secure unless the SD is compromised. If the SD is
> compromised such that the encrypted FS is mounted and accessible, then the
> attacker gains access to the data for all FDs. In the case where Bacula data
> encryption is used and the SD stores on unencrypted disk, then it is better
> protected from a SD compromise, since the attacker still would not have the
> FD keys.
>
> Since the SD FS being used for volume storage is likely to be mounted in the
> event of a SD compromise, I see little value in using both, the exception
> being perhaps when removable disks are used and stored offline. Bacula data
> encryption seems the better choice except when the performance hit on the
> clients is too great, such as when clients have very weak hardware.
>
Great discussion! You were able to describe many of my points to encrypt the 
data. I will set up disk encryption on each component.

I want to encrypt all the data and metadata to protect against a physical, not 
so sophisticated theft where someone would just unplug the devices and take 
them. Full disk encryption on each component helps against that. Also, I have 
those clients with weak performance. In addition to that, I want to have the 
backup data encrypted even when the SD encrypted disk is mounted. As said, data 
encryption on volumes protects for example against SD compromise but 
unfortunately not for the metadata. At the end, all the backups shouldn't be at 
the same physical location and the FDs as well might be in several locations or 
mobile.

Regarding the performance of having several layers of encryption, I believe the 
full disk encryption on SD or any other component shouldn't be the bottleneck. 
The bottleneck must be the volume data encryption or network depending on the 
clients. 

Just wonderful, I have a typo in the subject :)
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users


Re: [Bacula-users] Identify corrupted volume files

2019-08-14 Thread José Queiroz
Thanks for the response, Pedro and Heitor.

Some of these volumes were recent, but most of them were historical, and
were purged/pruned from the catalogs.
Is there a way to verify them without using the catalogs? In fact, I only
need to know if the volumes are consistent/readable.

On Mon, 12 Aug 2019 at 17:20, Pedro Oliveira wrote:

> Hi Jose,
>
> you can create a new verify job and check the catalog against the disk or
> create a script and use the bscan and  bls volume utility tools, please
> check the following urls:
>
> *Verify* Run a verify Job. In general, *verify* jobs permit you to compare
> the contents of the catalog to the file system, or to what was backed up.
> In addition to verifying that a tape that was written can be read, you can
> also use *verify* as a sort of tripwire intrusion detection.
>
> For a *Verify* Job, the Level may be one of the following:
>
> *DiskToCatalog* This level causes Bacula to read the files as they
> currently are on disk, and to compare the current file attributes with the
> attributes saved in the catalog from the last backup for the job specified
> on the *VerifyJob* directive. This level differs from the
> *VolumeToCatalog* level described above by the fact that it doesn't
> compare against a previous Verify job but against a previous backup. When
> you run this level, you must supply the verify options on your Include
> statements. Those options determine what attribute fields are compared.
>
> This command can be very useful if you have disk problems because it will
> compare the current state of your disk against the last successful backup,
> which may be several jobs.
>
>
> https://www.bacula.org/9.4.x-manuals/en/main/New_Features_in_7_4_0.html#SECTION00621000
>
>
> https://www.bacula.org/9.4.x-manuals/en/utility/Volume_Utility_Tools.html#SECTION00271000
>
> Best
> Pedro
>
> José Queiroz wrote on Monday, 12/08/2019 at 19:22:
>
>> Hi,
>>
>> I had a massive disk fault that corrupted some of my backup volumes.
>> As I'm very short on disk space, I want to find which of the volumes were
>> affected by the disk fault, to discard them.
>> Is there any tool I can use to do that?
>>
>> Thanks in advance.


Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Josh Fisher


On 8/14/2019 12:51 PM, Martin Simmons wrote:
>>> I think, though, that Lauri is referring to encrypt the metadata that is
>>> stored unencrypted in a disk volume by somehow encrypting the whole disk.
>>>
>> This is a main point! When he encrypts the whole filesystem then it is
>> useless (and time consuming) to double encrypt backup data with Bacula.
>
> Doesn't that depend on the relative secrecy of the data v.s. the metadata?  If
> the data is much more secret then it might be worthwhile to encrypt it (on the
> client) in case the SD's filesystem can be read while the disk is mounted
> (i.e. when it is not protected by the encrypted filesystem).


If the SD stores on an encrypted FS and Bacula data encryption is not 
used, then that data is secure unless the SD is compromised. If the SD 
is compromised such that the encrypted FS is mounted and accessible, 
then the attacker gains access to the data for all FDs. In the case 
where Bacula data encryption is used and the SD stores on unencrypted 
disk, then it is better protected from a SD compromise, since the 
attacker still would not have the FD keys.


Since the SD FS being used for volume storage is likely to be mounted in 
the event of a SD compromise, I see little value in using both, the 
exception being perhaps when removable disks are used and stored 
offline. Bacula data encryption seems the better choice except when the 
performance hit on the clients is too great, such as when clients have 
very weak hardware.





Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Heitor Faria
> Hello Heitor,

Hello Kern,

> I recommend that you check the details of the BEE automatic encryption
> feature. If I am not mistaken you are referring to the new PSK (private
> shared key) that BEE uses for authentication. This means that Bacula will be
> much more secure against man-in-the-middle attacks and such. However, I don't
> think it helps with data encryption.

If that is the case, the manual is very misleading:

"Automatic TLS Encryption

Starting with Bacula Enterprise 12.0, all daemons and consoles are now using
TLS automatically for all network communications. It is no longer required to
setup TLS keys in advance. It is possible to turn off automatic TLS PSK
encryption using the TLS PSK Enable directive."

Ref.: New Features in Bacula Enterprise 12.0

> I am currently trying to get it into the next community version. I believe
> that the person who implemented the BEE PSK is or will be working on creating
> a community patch for it ...
>
> Best regards,
> Kern
>
> On 8/14/19 3:50 PM, Heitor Faria wrote:
>
>> Hello Lauri (forgot to copy the group),
>>
>>> Also, this information needs to then travel the network connections in
>>> the picture where it says File Attributes? I suppose I can then use
>>> Bacula TLS
>>> (https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
>>> to protect all that unencrypted data between the File Daemon, Storage
>>> Daemon and Director. Securing Director - Catalog DBMS connection is
>>> then out of scope of Bacula. Encrypting those will ensure my data is
>>> protected while in transit?
>>>
>>> In order to encrypt all data in transit and at rest I need to
>>> - Enable Data Encryption for the Volumes
>>> - Configure Bacula TLS
>>
>> I guess if you use data encryption you don't need to use TLS, because data
>> is already encrypted.
>> If you just want to encrypt transferred data you only need TLS.
>> Anyway, BEE has a very exciting new feature which is automatic TLS, much
>> easier to set up. Not sure if it will be available in Community Bacula next
>> V. 11 release.
>>
>> Regards,

Regards,
-- 

MSc Heitor Faria
CEO Bacula LATAM
mobile1: + 1 909 655-8971
mobile2: + 55 61 98268-4220
https://www.linkedin.com/in/msc-heitor-faria-5ba51b3
http://www.bacula.com.br/

América Latina
bacula.lat | bacula.com.br


Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Kern Sibbald

  
  
Hello Heitor,

I recommend that you check the details of the BEE automatic
encryption feature.  If I am not mistaken you are referring to the
new PSK (private shared key) that BEE uses for authentication.  This
means that Bacula will be much more secure against man-in-the-middle
attacks and such.  However, I don't think it helps with data
encryption.

I am currently trying to get it into the next community version.  I
believe that the person who implemented the BEE PSK is or will be
working on creating a community patch for it ...

Best regards,
Kern

On 8/14/19 3:50 PM, Heitor Faria wrote:

> Hello Lauri (forgot to copy the group),
>
>> Also, this information needs to then travel the network connections in
>> the picture where it says File Attributes? I suppose I can then use
>> Bacula TLS
>> (https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
>> to protect all that unencrypted data between the File Daemon, Storage
>> Daemon and Director. Securing Director - Catalog DBMS connection is
>> then out of scope of Bacula. Encrypting those will ensure my data is
>> protected while in transit?
>>
>> In order to encrypt all data in transit and at rest I need to
>> - Enable Data Encryption for the Volumes
>> - Configure Bacula TLS
>
> I guess if you use data encryption you don't need to use TLS, because data is
> already encrypted.
> If you just want to encrypt transferred data you only need TLS.
> Anyway, BEE has a very exciting new feature which is automatic TLS, much
> easier to set up. Not sure if it will be available in Community Bacula next
> V. 11 release.
>
> Regards,



Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Martin Simmons
> On Wed, 14 Aug 2019 15:40:29 +0200, Radosław Korzeniewski said:
> 
> 
> Hello,
> 
> On Wed, 14 Aug 2019 at 13:41, Josh Fisher wrote:
> 
> >
> > On 8/14/2019 6:22 AM, Radosław Korzeniewski wrote:
> >
> > Hello,
> >
> > On Sun, 11 Aug 2019 at 14:35, Lauri Kiiski wrote:
> >
> >
> >>
> >> - Encrypt disks on the machines having these components: File Daemon,
> >> Director, Catalog, Storage Daemon, Physical Media
> >>
> >
> > E, I do not understand. What do you want to keep secret?
> >
> > Did you know that a double encryption does not increase the security level?
> >
> >
> >
> > That is a bit inaccurate. It is equivalent to increasing the key size by
> > one bit. It has been used before, as in the case of 3DES (triple DES). DES
> > used a 56-bit key and eventually could be broken by brute force on a simple
> > PC, so as a stop-gap they applied the same 56-bit key algorithm three times,
> > so increased the effective key size from 2^56 to 2^58. So it generally
> > isn't worth it, but it does increase security a little bit.
> >
> OK, it increases security a little bit. :)
> It is a very small amount, so it could be safely ignored. :)
> 
> > I think, though, that Lauri is referring to encrypt the metadata that is
> > stored unencrypted in a disk volume by somehow encrypting the whole disk.
> >
> This is a main point! When he encrypts the whole filesystem then it is
> useless (and time consuming) to double encrypt backup data with Bacula.

Doesn't that depend on the relative secrecy of the data v.s. the metadata?  If
the data is much more secret then it might be worthwhile to encrypt it (on the
client) in case the SD's filesystem can be read while the disk is mounted
(i.e. when it is not protected by the encrypted filesystem).

__Martin




Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Martin Simmons
> On Wed, 14 Aug 2019 10:50:27 -0300 (BRT), Heitor Faria said:
> 
> > >Also, this information needs to then travel the network connections in
> > >the picture where it says File Attributes? I suppose I can then use
> > >Bacula TLS
> > >(https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
> > >to protect all that unencrypted data between the File Daemon, Storage
> > >Daemon and Director. Securing Director - Catalog DBMS connection is
> > >then out of scope of Bacula. Encrypting those will ensure my data is
> > >protected while in transit?
> 
> > >In order to encrypt all data in transit and at rest I need to
> > >- Enable Data Encryption for the Volumes
> > >- Configure Bacula TLS
> 
> I guess if you use data encryption you don't need to use TLS, because data is 
> already encrypted. 

True, but metadata is not encrypted even if you use data encryption, hence the
need for TLS to protect metadata in transit.

__Martin
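
The combination discussed in this thread (client-side data encryption for file contents, plus TLS because file attributes stay unencrypted on the wire), sketched as a bacula-fd.conf fragment. This is an added example, not part of the original message; the directive names are those of the Bacula Data Encryption and TLS manual chapters linked in the thread, and every resource name, password, CN and file path is a placeholder.

```conf
# bacula-fd.conf (fragment). Added example: all names, passwords, CNs and
# paths below are placeholders.

Director {
  Name = backup1-dir
  Password = "CHANGE_ME"

  # TLS on the Director -> File Daemon control connection. File attributes
  # (path names, permissions, ownership) are not covered by data encryption,
  # so this is what protects them in transit.
  TLS Enable = yes
  TLS Require = yes                  # refuse a clear-text fallback
  TLS Verify Peer = yes
  TLS Allowed CN = "bacula@backup1.example.com"
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/client1-cert.pem
  TLS Key = /etc/bacula/tls/client1-key.pem
}

FileDaemon {
  Name = client1-fd
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run

  # Data encryption: file contents are encrypted on the client before they
  # are sent, so the Storage Daemon only ever stores ciphertext for the
  # file data, even when its volume filesystem is mounted.
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair = "/etc/bacula/pki/client1-fd.pem"   # client key + certificate
  PKI Master Key = "/etc/bacula/pki/master.cert"   # master public certificate only

  # TLS for the File Daemon -> Storage Daemon connection, which carries the
  # unencrypted attributes alongside the encrypted file data.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/client1-cert.pem
  TLS Key = /etc/bacula/tls/client1-key.pem
}
```

Neither block covers metadata at rest in the volumes or the catalog; that is the part the thread assigns to disk encryption on the SD and Catalog hosts.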




Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Heitor Faria
Hello Lauri (forgot to copy the group), 
> >Also, this information needs to then travel the network connections in
> >the picture where it says File Attributes? I suppose I can then use
> >Bacula TLS
> >(https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
> >to protect all that unencrypted data between the File Daemon, Storage
> >Daemon and Director. Securing Director - Catalog DBMS connection is
> >then out of scope of Bacula. Encrypting those will ensure my data is
> >protected while in transit?

> >In order to encrypt all data in transit and at rest I need to
> >- Enable Data Encryption for the Volumes
> >- Configure Bacula TLS

I guess if you use data encryption you don't need to use TLS, because data is 
already encrypted. 
If you just want to encrypt transferred data you only need TLS. 
Anyway, BEE has a very exciting new feature which is automatic TLS, much easier 
to set up. Not sure if it will be available in Community Bacula next V. 11 
release. 

Regards, 
-- 

MSc Heitor Faria 
CEO Bacula LATAM 


Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Radosław Korzeniewski
Hello,

On Wed, 14 Aug 2019 at 13:41, Josh Fisher wrote:

>
> On 8/14/2019 6:22 AM, Radosław Korzeniewski wrote:
>
> Hello,
>
> On Sun, 11 Aug 2019 at 14:35, Lauri Kiiski wrote:
>
>
>>
>> - Encrypt disks on the machines having these components: File Daemon,
>> Director, Catalog, Storage Daemon, Physical Media
>>
>
> E, I do not understand. What do you want to keep secret?
>
> Did you know that a double encryption does not increase the security level?
>
>
>
> That is a bit inaccurate. It is equivalent to increasing the key size by
> one bit. It has been used before, as in the case of 3DES (triple DES). DES
> used a 56-bit key and eventually could be broken by brute force on a simple
> PC, so as a stop-gap they applied the same 56-bit key algorithm three times,
> so increased the effective key size from 2^56 to 2^58. So it generally
> isn't worth it, but it does increase security a little bit.
>
OK, it increases security a little bit. :)
It is a very small amount, so it could be safely ignored. :)

> I think, though, that Lauri is referring to encrypt the metadata that is
> stored unencrypted in a disk volume by somehow encrypting the whole disk.
>
This is a main point! When he encrypts the whole filesystem then it is
useless (and time consuming) to double encrypt backup data with Bacula.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net


Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Martin Simmons
> On Sun, 11 Aug 2019 15:33:11 +0300, Lauri Kiiski said:
> 
> I would like to encrypt all my data while in transit and at rest. Where is 
> unencrypted file metadata stored? Data Encryption documentation 
> (https://www.bacula.org/5.2.x-manuals/en/main/main/Data_Encryption.html) 
> explains the following.
> 
> "The implementation does not encrypt file metadata such as file path names, 
> permissions, and ownership. Extended attributes are also currently not 
> encrypted. However, Mac OS X resource forks are encrypted."
> 
> Where is this file metadata stored and handled? Is this metadata the File 
> Attributes described at end of this page 
> https://www.bacula.org/5.2.x-manuals/en/main/main/What_is_Bacula.html ? Is 
> this file metadata then stored unencrypted at the following locations?
> - Volumes
> - Catalog
> Is this unencrypted data then exposed to the following components?
> - Storage Daemon
> - Director
> - File Daemon, quite naturally
> 
> Also, this information needs to then travel the network connections in the 
> picture where it says File Attributes? I suppose I can then use Bacula TLS 
> (https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
> to protect all that unencrypted data between the File Daemon, Storage Daemon 
> and Director. Securing Director - Catalog DBMS connection is then out of 
> scope of Bacula. Encrypting those will ensure my data is protected while in 
> transit?
> 
> In order to encrypt all data in transit and at rest I need to
> - Enable Data Encryption for the Volumes
> - Configure Bacula TLS
> - Encrypt database connectivity to Catalog DBMS or host it at Director
> - Encrypt disks on the machines having these components: File Daemon, 
> Director, Catalog, Storage Daemon, Physical Media
> 
> Did I get it right?

You might also consider possible leakage via the Director's message system
(https://www.bacula.org/9.4.x-manuals/en/main/Messages_Resource.html).
E.g. filenames might be written there in certain cases such as errors.

__Martin




Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Martin Simmons
> On Wed, 14 Aug 2019 12:22:55 +0200, Radosław Korzeniewski said:
> 
> > Is this metadata the File Attributes described at end of this page
> > https://www.bacula.org/5.2.x-manuals/en/main/main/What_is_Bacula.html ?
> > Is this file metadata then stored unencrypted at the following locations?
> > - Volumes
> > - Catalog
> > Is this unencrypted data then exposed to the following components?
> > - Storage Daemon
> > - Director
> > - File Daemon, quite naturally
> >
> 
> I do not understand the question. The stored metadata (volumes or catalog)
> is never exposed to file daemon. So "quite naturally" is a strange
> assumption here. :)

The restore command sends the unencrypted attributes to a (possibly different)
file daemon though.

__Martin




Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Josh Fisher


On 8/14/2019 6:22 AM, Radosław Korzeniewski wrote:
> Hello,
>
> On Sun, 11 Aug 2019 at 14:35, Lauri Kiiski wrote:
>
>> - Encrypt disks on the machines having these components: File
>> Daemon, Director, Catalog, Storage Daemon, Physical Media
>
> E, I do not understand. What do you want to keep secret?
>
> Did you know that a double encryption does not increase the security
> level?



That is a bit inaccurate. It is equivalent to increasing the key size by 
one bit. It has been used before, as in the case of 3DES (triple DES). 
DES used a 56-bit key and eventually could be broken by brute force on a 
simple PC, so as a stop-gap they applied the same 56-bit key algorithm 
three times, so increased the effective key size from 2^56 to 2^58. So it 
generally isn't worth it, but it does increase security a little bit.


I think, though, that Lauri is referring to encrypt the metadata that is 
stored unencrypted in a disk volume by somehow encrypting the whole disk.





Re: [Bacula-users] Enrypting all data in transit and at rest

2019-08-14 Thread Radosław Korzeniewski
Hello,

On Sun, 11 Aug 2019 at 14:35, Lauri Kiiski wrote:

> I would like to encrypt all my data while in transit and at rest. Where is
> unencrypted file metadata stored? Data Encryption documentation (
> https://www.bacula.org/5.2.x-manuals/en/main/main/Data_Encryption.html)
> explains the following.
>
> "The implementation does not encrypt file metadata such as file path
> names, permissions, and ownership. Extended attributes are also currently
> not encrypted. However, Mac OS X resource forks are encrypted."
>
> Where is this file metadata stored and handled?


All metadata mentioned above are stored on volumes. Some of them are stored
in database too. Both stored information is not encrypted.


> Is this metadata the File Attributes described at end of this page
> https://www.bacula.org/5.2.x-manuals/en/main/main/What_is_Bacula.html ?
> Is this file metadata then stored unencrypted at the following locations?
> - Volumes
> - Catalog
> Is this unencrypted data then exposed to the following components?
> - Storage Daemon
> - Director
> - File Daemon, quite naturally
>

I do not understand the question. The stored metadata (volumes or catalog)
is never exposed to file daemon. So "quite naturally" is a strange
assumption here. :)
Director has no access to volumes and storage daemon has no access to
catalog, naturally. :)


> Also, this information needs to then travel the network connections in the
> picture where it says File Attributes? I suppose I can then use Bacula TLS (
> https://www.bacula.org/5.2.x-manuals/en/main/main/Bacula_TLS_Communications.html)
> to protect all that unencrypted data between the File Daemon, Storage
> Daemon and Director. Securing Director - Catalog DBMS connection is then
> out of scope of Bacula. Encrypting those will ensure my data is protected
> while in transit?
>

Yes, if you want to secure all your transmission over the network then you
should use Bacula TLS.


> In order to encrypt all data in transit and at rest I need to
> - Enable Data Encryption for the Volumes
>

There is no such functionality.


> - Configure Bacula TLS
>

Yes.


> - Encrypt database connectivity to Catalog DBMS or host it at Director
>

Yes.


> - Encrypt disks on the machines having these components: File Daemon,
> Director, Catalog, Storage Daemon, Physical Media
>

E, I do not understand. What do you want to keep secret?

Did you know that a double encryption does not increase the security level?

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net