--On Thursday, November 19, 2015 01:03:59 PM +0000 Martin Simmons <mar...@lispworks.com> wrote:
> Does Bacula ever check for expired [data encryption] certs? I suspect
> not, so the question about rollover strategy is a moot one.

I've empirically verified this to be the case; I performed a backup using a short-lived data encryption cert, then waited for the cert expiry date to pass. I then:

1. Restored files from datasets that had been backed up using the cert before the cert had expired (i.e.: decrypt using an expired cert)
2. Modified files and then performed a new backup with the expired cert (i.e.: encrypt using an expired cert)
3. Restored the modified files from (2). (i.e.: decrypt using an expired cert data that had also been encrypted with an expired cert)

For the test I used a director and storage daemon at version 7.0.5_3 on FreeBSD, and a client daemon at 5.2.13-18 on CentOS 7.1.1503.

However, to protect against a change in behavior in the future, I think that in the future I will create certificates that either have no expiry date, or have a date that is further in the future than the expected system life.

Remember, this is only referring to data encryption, not network encryption.

Thanks everyone for your input.

Devin
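
The plan in the message above, certificates that outlast the expected system life, can be audited with the `openssl` command line. This is an added example, not part of the original message or of Bacula; `HORIZON_DAYS`, the function names and the PEM certificate paths passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): report data-encryption
# certificates that expire before a planned system-life horizon.
# HORIZON_DAYS is an assumed default; certificates are PEM files.

HORIZON_DAYS="${HORIZON_DAYS:-3650}"

# cert_outlives CERT DAYS
# Succeeds only if CERT parses and is still inside its validity period
# DAYS days from now (openssl x509 -checkend takes seconds).
cert_outlives() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_certs DAYS CERT...
# Prints one line per certificate with its notAfter date and returns
# non-zero if any certificate falls short of the horizon or is unreadable.
audit_certs() {
    days="$1"; shift
    rc=0
    for cert in "$@"; do
        end="$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)" || end="unreadable"
        if cert_outlives "$cert" "$days"; then
            echo "OK     $cert ($end)"
        else
            echo "SHORT  $cert ($end)"
            rc=1
        fi
    done
    return "$rc"
}

# make_test_cert DIR NAME DAYS
# Constructed self-signed certificate for trying the audit out.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.cert" 2>/dev/null
}

# Usage: sh audit.sh /path/to/cert ...
if [ "$#" -gt 0 ]; then
    audit_certs "$HORIZON_DAYS" "$@"
fi
```

Because the daemons tested above did not reject expired certificates, a check like this is the only place a short validity period would be noticed before a future version changes that behavior.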