-
-
Notifications
You must be signed in to change notification settings - Fork 32
PKI Setup
In order to enable data encryption, the pki_*
parameters must be set on the client.
Note: The pki_
prefix used in Bacula is quite a poor choice because backup encryption does not rely on a Public-Key Infrastructure. We decided to keep the names used in the Bacula documentation for consistency, but if you are used to PKIs and new to Bacula, keep in mind that these pki_*
parameters are not used to configure a PKI; and that the Bacula documentation wording is somewhat inaccurate.
$bacula_ssldir = "/usr/local/etc/bacula/certs"
$pki_keypair = "${bacula_ssldir}/${facts['networking']['fqdn']}-pki-crt+key.pem"
# Manage $pki_keypair and $pki_master_key files here.
# See notes bellow.
class { 'bacula::client':
# ...
pki_encryption => true,
pki_signatures => true,
pki_keypair => $pki_keypair,
#pki_master_key =>
}
Note: this configuration encrypts the backup data only, and does not encrypt communication between the Bacula components. If you are interested in the latest, see TLS Setup.
For Bacula, a Key Pair is the concatenation of a private key and a self-signed certificate. At the time of writing, the self-signed certificate MUST be usable as a Certificate Authority, which makes it a poor choice for using it somewhere else.
Depending on your usage, you want to:
- Build these key pairs on the nodes that use them;
- Build all your nodes key pairs in a single place and deploy them with Puppet.
I prefer that each node builds it's own key pair. I use the following configuration in my bacula client profile:
$bacula_ssldir = "/usr/local/etc/bacula/certs"
$pki_crt = "${bacula_ssldir}/${facts['networking']['fqdn']}-pki.crt"
$pki_key = "${bacula_ssldir}/${facts['networking']['fqdn']}-pki.key"
$pki_keypair = "${bacula_ssldir}/${facts['networking']['fqdn']}-pki-crt+key.pem"
exec { 'generate-bacula-pki-key':
command => "umask 077 && openssl genrsa -out ${pki_key} 4096",
path => '/usr/bin',
creates => $pki_key,
provider => 'shell',
}
-> exec { 'generate-bacula-pki-crt':
command => "openssl req -new -x509 -key ${pki_key} -out ${pki_crt} -days 3650 -subj /CN=${facts['networking']['fqdn']}",
path => '/usr/bin',
creates => $pki_crt,
}
-> concat { $pki_keypair:
ensure => present,
owner => 'root',
group => 'bacula',
mode => '0440',
}
concat::fragment { 'bacula-pki-crt':
target => $pki_keypair,
source => $pki_crt,
order => '10',
}
concat::fragment { 'bacula-pki-key':
target => $pki_keypair,
source => $pki_key,
order => '20',
}
Note: Be sure to save a copy of your private key! An encrypted copy of it will not help you, so do not just add it to a job. Copy it to trusted reliable offline reliable storage. As an example, I store copies on multiple USB keys, give them to customers and they are in charge of storing them securely at different places (small safe in the office, vault of the bank, etc).
This makes it harder to loose access to backups since at least 2 nodes will hold the keys. BTW, be sure that whatever happens, you will be able to get back a copy of any key or your backup will not be usable.
If your key pairs are on the Puppet Master, simply use a file
resource to copy it on your node.