Luis Cuenca wrote:
> Hi, I need help enhancing the security of the configuration files,
> since the passwords are not encrypted in the configuration files.
> Is there some way to encrypt them?

To encrypt the passwords in the configuration files would be useless, because you then have three choices:

(1) You have a hardcoded encryption key or key passphrase, which is available for use by Bacula ... and therefore by anyone with access to Bacula and its configuration files. Result: No net gain of security.

(2) You have a key passphrase stored on disk to enable Bacula to decode the encrypted passwords. Of course, to be secure, this password must itself be encrypted, requiring an encryption key to be stored for Bacula to decrypt it with, requiring a stored encryption key which must be encrypted to protect it .... well, you can see where this is going.

(3) You have encrypted passwords stored on disk, and every time a Bacula daemon on any machine needs to use one, it must ask the operator on that machine to enter an encryption key. Result, say goodbye to all unattended operation, because an operator must oversee almost any operation, and all your operators have to know all the passwords anyway. Little to no net gain in security.

Really, the answer is simply to not make the configuration files world-readable. Follow the defaults and have them readable only by the user Bacula runs as and by root, and restrict access to the Bacula user. Let's face it, if a hypothetical attacker has gained root on a system, that system is completely compromised anyway, and all data on that machine is vulnerable that is not encrypted using a key which is neither stored on nor accessible from that machine.

The passwords are never sent across the network in clear anyway. Secure the machine, keep the config files readable only by authorized users, and you really don't have a problem.

--
Phil Stracchino [EMAIL PROTECTED]
Renaissance Man, Unix generalist, Perl hacker
Mobile: 603-216-7037 Landline: 603-886-3518
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
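
The permission advice in the reply above, as an added check script (not part of the original message and not Bacula's own tooling): it flags configuration files that grant access to all users or are owned by anyone other than root or the Bacula account. The directory `/etc/bacula`, the account name `bacula`, the function names, and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit Bacula configuration file permissions.
# Assumptions (not from the original post): GNU stat is available, the config
# directory defaults to /etc/bacula and the service account to "bacula".

# check_conf_file FILE SVC_USER
# Prints one line per finding. Returns 0 if the file passes, 1 if it fails,
# 2 if it cannot be inspected.
check_conf_file() {
    file=$1 svc_user=$2 bad=0
    info=$(stat -c '%a %U %G' "$file") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3

    # Any "other" permission bit exposes the stored passwords to every account.
    if [ $((0$mode & 07)) -ne 0 ]; then
        echo "FAIL $file: mode $mode grants access to all users"
        bad=1
    fi
    # Group access can be legitimate (e.g. root-owned, Bacula group), so it is
    # reported for review rather than counted as a failure.
    if [ $((0$mode & 070)) -ne 0 ]; then
        echo "WARN $file: mode $mode grants access to group $group; review its members"
    fi
    # Only root or the account Bacula runs as should own the file.
    if [ "$owner" != root ] && [ "$owner" != "$svc_user" ]; then
        echo "FAIL $file: owned by $owner, expected root or $svc_user"
        bad=1
    fi
    return $bad
}

# audit_bacula_conf [DIR] [SVC_USER]
# Checks every *.conf file in DIR; returns 0 only if no file failed.
audit_bacula_conf() {
    dir=${1:-/etc/bacula} user=${2:-bacula} failed=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        check_conf_file "$f" "$user" || failed=1
    done
    return $failed
}

# Usage (run as root so every file can be inspected):
#   audit_bacula_conf /etc/bacula bacula
```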