There are many different situations and various needs.
Especially if you have a need for off-site backups, and even more so if
you're processing any kind of sensitive data, you have to (and might be
obliged by law to do so - enter GDPR or HIPAA, for example).
Encrypting storage units (tapes/lvm volumes and so on) is a bit
different and addresses different needs than client-side encryption.
As you pointed out, bareos-fd encryption lets you encrypt all data and
makes the backup possible without the backing up party being able to
access raw data (there's always the issue with metadata which is not
encrypted but that's a different subject).
There is also another angle to this - with media encryption you have
just that - media encryption. And anyone compromising the cryptographic
material used to encrypt said media gains access to all the data
contained on said media. In case of client-side backup it's possible
(and advised) to encrypt each client with its own key so that each client
can be managed independently of the others.
To sum it up - there are different needs, so there are different
solutions :-)
I'm only wondering (I admit, probably because I didn't read the docs
enough times ;->) if the connection is still encrypted if we use
client-side encryption on bareos-fd? That would make the data in transit
double-encrypted which is a bit pointless.
Best regards,
MK
On 21/12/2020 17:33, Brock Palen wrote:
Personally I would not use data encryption at the client if not required. Use
the newer versions of Bareos where it uses PSK (pre shared keys) using the
password to set up an encrypted tunnel over which the data rides. Thus it
lands on your SD unencrypted but the data is encrypted over the wire.
If you need to encrypt the data at rest use LVM or Fuse encryption for disk
volumes, and LTO encryption for tape. This will encrypt the data at rest, but
avoid managing keys for clients. Also makes restores not dependent on those
SSL certs, only on the disk volume and tape, which is all managed on the server
and can be easily replicated by the admin team. (I keep all my tape secrets in a
1Password encrypted note and a GPG-encrypted file, and they are only needed if I lose my
catalog dump/backup, which is treated differently than my client backups).
The only reason I see today to use File Daemon Encryption as documented in that
page is if you need to promise the client you cannot access their data. That
is _only_ true if only the client has the private key, AND to double what MK
said there is huge risk that the client will lose that key and not have it
recoverable when you need to do a restore.
If you rely on encryption using PSK, which should be automatic with any recent
bareos version, it's much less error prone.
E.g. look for: "Connected Client: mlds at mlds:9102, encryption: PSK-AES256-CBC-SHA"
in your job logs. I do this all without managing certificates on the FD.
Brock Palen
bro...@mlds-networks.com
www.mlds-networks.com
Websites, Linux, Hosting, Joomla, Consulting
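The log check Brock describes can be automated: the script below (an added example, not code from the thread or from the Bareos project) parses the director's "Connected Client: ... encryption: ..." lines and flags jobs whose FD connection was not protected. The sample log lines are constructed; the exact wording Bareos prints for an unprotected connection ("None") and the certificate-TLS cipher name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample director job-log lines (not taken from the thread), modelled on
# the "Connected Client: ... encryption: ..." line quoted above. "encryption: None"
# for the unprotected case and the certificate-TLS cipher name are assumptions.
SAMPLE_JOB_LOG = """\
bareos-dir JobId 101: Start Backup JobId 101, Job=backup-mlds.2020-12-21_17.00.00_03
bareos-dir JobId 101: Connected Client: mlds at mlds:9102, encryption: PSK-AES256-CBC-SHA
bareos-dir JobId 102: Start Backup JobId 102, Job=backup-web01.2020-12-21_17.05.00_04
bareos-dir JobId 102: Connected Client: web01-fd at 10.0.0.12:9102, encryption: None
bareos-dir JobId 103: Connected Client: db01-fd at db01:9102, encryption: ECDHE-RSA-AES256-GCM-SHA384
"""

CONNECTED_RE = re.compile(
    r"JobId (?P<jobid>\d+):.*?Connected Client: (?P<client>\S+) at "
    r"(?P<host>[^:\s]+):(?P<port>\d+), encryption: (?P<cipher>\S+)"
)

@dataclass
class ClientConnection:
    jobid: int
    client: str
    host: str
    port: int
    cipher: str

    @property
    def transport(self) -> str:
        """Classify how the FD connection was protected: psk, tls-cert or plaintext."""
        if self.cipher.lower() == "none":
            return "plaintext"
        if self.cipher.upper().startswith("PSK-"):
            return "psk"
        return "tls-cert"

def parse_connections(log_text: str) -> List[ClientConnection]:
    """Extract one record per 'Connected Client' line; all other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = CONNECTED_RE.search(line)
        if m:
            found.append(ClientConnection(int(m["jobid"]), m["client"], m["host"],
                                          int(m["port"]), m["cipher"]))
    return found

def unprotected_jobs(log_text: str) -> List[int]:
    """JobIds whose client connection carried backup data over the wire in the clear."""
    return [c.jobid for c in parse_connections(log_text) if c.transport == "plaintext"]

if __name__ == "__main__":
    for c in parse_connections(SAMPLE_JOB_LOG):
        print(f"JobId {c.jobid}: {c.client} -> {c.transport} ({c.cipher})")
    print("unprotected jobs:", unprotected_jobs(SAMPLE_JOB_LOG))
```

Run it against a real director log or `messages` output to confirm every client shows a PSK- or TLS cipher before trusting the wire to carry unencrypted FD data.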
On Dec 21, 2020, at 8:21 AM, Spadajspadaj <spadajspa...@gmail.com> wrote:
bareos-fd.conf is a configuration file for bareos-filedaemon. Bareos filedaemon
is the program running on the client which you are backing up.
As per the documentation (which you already found), all data is encrypted on
the client prior to being sent to the server (or to the Storage Daemon, to be precise).
But please, read the documentation again (and again if need be) so you
understand how it works so you don't accidentally lose your keys (and hence
any possibility of decrypting the backed up data!).
Best regards,
MK
On 21/12/2020 14:14, Gonçalo Sousa wrote:
Can someone help me please?
On Monday, December 7, 2020 at 4:04:51 PM UTC Gonçalo Sousa wrote:
I am trying to implement data encryption on bareOS following this
documentation: https://docs.bareos.org/TasksAndConcepts/DataEncryption.html
I have already created/generated the .cert, .pem and .key files on the BareOS
server.
My question is where do I configure them; the example only mentions
bareos-fd.conf.
Is this file located in /etc/bareos/bareos-dir.d/client/ ?
All the keys, pem and cert files must be located on the BareOS server, right?
All the configuration is only made on the BareOS, right?
--
You received this message because you are subscribed to the Google Groups
"bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to bareos-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/bareos-users/955a1789-27f7-4f96-84a5-808aac6a2698n%40googlegroups.com.