My alerting system tells me that I have some file daemons that have been
merrily encrypting their data for quite a while.  In particular, the
expiry dates for the data encryption x509 certs are coming up soon.

Well, this brings up an interesting question that I'd not really
considered in depth:  Given that you can only specify two keys
in the bacula-fd.conf file, what is the best strategy during key
rollover?  That is, that time period after making a new client
keypair available, and the retention time of the backups that were
made with the old keypair?

First off, I think that the master key specification doesn't enter
the picture; there is still a need for encrypting with the master
public key, for the usual reasons.

The first section of the data encryption chapter says to not change
the location of the client keypair.  Fair enough.  This implies that
the new keypair should be used to overwrite the old.  That's great
for performing backups, but what about doing restores?

I suspect the answer is:
  1. Save a copy of the old keypair (presumably there are copies
     offline already, but best to be explicit)
  2. Overwrite the old client keypair with the new keypair.
  3. Resume backup operations.
  4. If you have to restore data from a time after the key replacement,
     then it's business as usual.
  5. If you have to restore data from a time prior to the key replacement,
     then you need to copy the old keypair over top of the new,
     (presumably) restart the file daemon, perform the restore,
     copy the new keypair back on top of the old, restart the file daemon,
     and then continue with normal operations again.

This implies that you also need to keep track of what the flag day
is when you change the certificate for a given client.  (Although this
may be recorded in your certificate maintenance system, if any.)

Does anyone have a better procedure?

Devin


------------------------------------------------------------------------------
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
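The five-step procedure in the post, written out as a set of POSIX shell helpers. This is an added example, not code from the post or from the Bacula project. It assumes the file daemon's `PKI Keypair` directive points at `$KEYDIR/fd.pem`, that the daemon is restarted with `$FD_RESTART_CMD` (both are assumptions, and both can be overridden for a dry run), and it keeps the flag-day record the post says you need in `$KEYDIR/rollover.log`, so that for a backup taken at a given time you can look up which archived keypair decrypts it instead of remembering the date by hand. The master key is untouched, as the post argues it should be.

```shell
#!/bin/sh
# Client keypair rollover helpers for a Bacula FD using PKI data encryption.
# Assumed layout (not from the post): the FD's "PKI Keypair" directive points
# at $KEYDIR/fd.pem; old keypairs are archived under $KEYDIR/archive/; each
# rollover is logged in $KEYDIR/rollover.log as "<flag day>TAB<archived file>".
set -u

KEYDIR="${KEYDIR:-/etc/bacula/pki}"
# Assumed restart command; set FD_RESTART_CMD=true for a dry run.
FD_RESTART_CMD="${FD_RESTART_CMD:-systemctl restart bacula-fd}"

fd_restart() { sh -c "$FD_RESTART_CMD"; }

# The alerting check from the post: fail if the cert in a keypair file
# expires within N days (default 30). openssl's -checkend takes seconds.
pki_check_expiry() {  # pki_check_expiry /path/fd.pem [days]
    secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null
}

# Steps 1-3: archive the live keypair, record the flag day, install the new
# keypair in its place, restart the daemon.
pki_rotate() {  # pki_rotate /path/new.pem [flag day as ISO-8601 UTC]
    new="$1"; flagday="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    live="$KEYDIR/fd.pem"
    stamp=$(printf '%s' "$flagday" | tr -d ':')
    archived="$KEYDIR/archive/fd.pem.until-$stamp"
    mkdir -p "$KEYDIR/archive"
    cp -p "$live" "$archived" && chmod 0400 "$archived"
    # Flag-day record: this keypair was in use until this instant.
    printf '%s\t%s\n' "$flagday" "$archived" >> "$KEYDIR/rollover.log"
    # Install atomically so the FD never reads a half-written PEM.
    cp "$new" "$live.tmp" && chmod 0600 "$live.tmp" && mv "$live.tmp" "$live"
    fd_restart
}

# Which keypair decrypts a backup taken at time T?  ISO-8601 UTC timestamps
# sort lexically, so the first log entry with flag day > T is the answer;
# if there is none, the live keypair is.
pki_keypair_for() {  # pki_keypair_for 2023-06-01T00:00:00Z
    hit=$(awk -F'\t' -v ts="$1" '$1 > ts { print $2; exit }' \
          "$KEYDIR/rollover.log" 2>/dev/null)
    printf '%s\n' "${hit:-$KEYDIR/fd.pem}"
}

# Step 5: swap an archived keypair in, run the restore command, then swap
# the live keypair back whether or not the restore succeeded.
pki_run_with_keypair() {  # pki_run_with_keypair /archive/fd.pem.until-X cmd args...
    old="$1"; shift
    live="$KEYDIR/fd.pem"
    cp -p "$live" "$live.swapped" && cp "$old" "$live" && chmod 0600 "$live"
    fd_restart
    if "$@"; then rc=0; else rc=$?; fi
    mv "$live.swapped" "$live"
    fd_restart
    return $rc
}
```

Typical use is `pki_rotate /root/fd-2024.pem` on the flag day, then for an old job `pki_run_with_keypair "$(pki_keypair_for 2023-03-15T00:00:00Z)" bconsole` to run the restore session with the right keypair in place. Archived keypairs are as sensitive as the live one for as long as any backup made with them is retained, so the archive directory needs the same protection as the live file.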