On Thursday, November 19, 2015 10:49:07 AM +0100 Marcin Haba <ganius...@gmail.com> wrote:

> You can renew your certs.

True, as long as you're ok with using the old key. However, it won't work, for example, if you need to expand your key size.

> I think it is important to understand that data stored by Bacula is not
> encrypted by ANY of the public keys.

Yes, that is true. However, you need the keypair to get at the ephemeral key. My original question was made, and still stands, with that understanding. Talking about encrypting something with an asymmetric key is usually done with the assumption that the reader knows that there is an ephemeral key being used for symmetric encryption.

> In short, it means that you are able to
> decrypt the session key not by only ONE key, but by the Client private key and
> the private Master Key.

[...]

> You can do a restore as long as you have the private Master Key, because in
> this case the private Master Key is used as the only valid key to decrypt the
> session keys from the volumes. Of course, you have to provide the
> private Master Key to your Client.

Understood, but if one postulates that the master key has a similar expiry date, then having yet another keypair doesn't solve the problem. (It doesn't have the same date in my case, but in the general case it might be the same, or your master key may expire before the client key. The situation with the master key is really an analog of the situation with the client key. Solve one and you solve the other.) Besides, the master key is special in that it is typically the same for all clients, so you wouldn't want to put the private master key on a client permanently just in case you find the need to restore something.

> Some time ago I prepared a few diagrams that show the Bacula data
> encryption algorithm. Here are the diagrams in the English version:
>
> http://www.bacula.pl/data_encryption.html

That diagram is a bit simplified in that it implies that the client can check an arbitrary number of keypairs instead of the current maximum of two.

If it was in fact an arbitrary number, one could solve the problem by listing both the old and the new client keypair. However, even if the fd code will do this today (I don't know; I've not checked the source), it appears that you can't specify more than two keypairs in the fd configuration file anyway, so there's no way to trigger it. I don't have an issue with the diagram as an explanation, it's just that it describes the (AFAIK non-existent) general case solution.

Devin

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
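The mechanism the thread is arguing about (a per-session symmetric key wrapped separately for the client key and the master key, so either private key can recover it, and a client key that was never a recipient cannot) is easy to see in code. The following is an added example written for this page; it is not Bacula's code and not taken from Marcin's diagrams. It is a small envelope-encryption model in Go using only the standard library: an AES-256-GCM session key wrapped with RSA-OAEP once per recipient. The names Seal, Open, mustKey and RunRotationScenario are the example's own, the recipient list is arbitrary-length (the general case Devin says the FD configuration does not expose, rather than Bacula's two slots), and the backup data is a constructed string. Running the scenario shows the restore problem directly: a volume sealed for the old client key and the master key opens with either of those, but not with a replacement client key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope models one encrypted volume: data under a random session key, plus that
// session key wrapped with RSA-OAEP once per recipient public key.
type Envelope struct {
	WrappedKeys [][]byte // one slot per recipient; any one matching private key suffices
	Nonce       []byte
	Ciphertext  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data with a fresh AES-256-GCM session key and wraps that key for
// every recipient; the list is arbitrary-length, unlike the two slots in the thread.
func Seal(data []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Open tries priv against every slot; a slot wrapped for a different key fails
// OAEP decoding and is skipped, so only a listed recipient's private key succeeds.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
		if err != nil {
			continue
		}
		gcm, err := newGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped session key matches this private key")
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// RotationResult: which keys open a volume written before the client keypair was replaced.
type RotationResult struct {
	OldClientOpens, NewClientOpens bool
	Recovered                      string // plaintext the master key restored; "" on failure
}

// RunRotationScenario seals constructed sample data for the old client key and
// the master key, then replaces the client key and checks who can still restore.
func RunRotationScenario() (RotationResult, error) {
	oldClient, master, newClient := mustKey(), mustKey(), mustKey()
	env, err := Seal([]byte("constructed sample backup data"),
		[]*rsa.PublicKey{&oldClient.PublicKey, &master.PublicKey})
	if err != nil {
		return RotationResult{}, err
	}
	opens := func(k *rsa.PrivateKey) bool { _, err := Open(env, k); return err == nil }
	recovered, _ := Open(env, master)
	return RotationResult{
		OldClientOpens: opens(oldClient), // the key the session key was wrapped for
		NewClientOpens: opens(newClient), // false: the replacement key never wrapped it
		Recovered:      string(recovered),
	}, nil
}

func main() {
	fmt.Println(RunRotationScenario())
}
```

`go run` prints the result struct: the old client key and the master key both recover the sample data, the new client key does not. The practical consequence is the one the thread reaches: a client key can be rotated for new backups, but the old private key (or the master key, kept off the client until a restore needs it) must be retained for as long as volumes sealed under it are to be restorable.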