On Feb 16, 2009, at 11:15 AM, Steve Polyack wrote:
Feature Request Form
Item n: Storage Daemon based encryption
Origin: Steve Polyack
Date: 16 February 2009
Status: new
What: The ability to encrypt and decrypt data that moves between
the storage daemon and its storage devic
On Feb 18, 2009, at 10:43 AM, Landon Fuller wrote:
... and signatures could still be verified.
Spoke a little too soon. Signatures are written out with the x509
subjectkeyidentifier from the public key.
A mismatched pair would need to have matching subjects for validation,
and that
On Feb 18, 2009, at 3:26 AM, Martin Simmons wrote:
On Tue, 17 Feb 2009 20:24:02 -0800, Landon Fuller said:
The private key is needed during backup if you use PKI Signatures.
Right. Currently, enabling PKI encryption also enables signing, but
the encryption implementation does not require
On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote:
That sounds backwards to me. Shouldn't the encrypter (backup) use
the public
key to keep the data safe? Then only the decrypter (restore) can
read the
data, using the private key.
Right. A symmetric session key is used for each backup r
s, we didn't really intend to give pkgsrc the cold shoulder,
just to explore a different direction.
To bring this back on-topic wrt Bacula, the Bacula MacPort has no
maintainer, but if anyone would like to separate it into client &
server ports, I'd be happy to commit the diffs.
On Jan 8, 2008, at 23:26, Dan Langille wrote:
[snip]
Then I thought, if you want to do that, why not just encrypt at the
SD instead of the FD. If you're a big company and you want to
encrypt, why not do it all in one place? Why bother distributing
the same key everywhere? Or multiple k
On Jan 3, 2008, at 05:19, Carles Pina i Estany wrote:
Hello,
I have a short question. I only wonder if someone is using it or not
(so, if Bacula supports it or doesn't support). We made some tests and
we couldn't do but we will re-test.
Question is: is it possible to cypher the data in bacul
On Jan 3, 2008, at 07:49, Sven Carstens wrote:
03-Jan 16:12 epistaxis-dir: ERROR in openssl.c:74 Connect failure:
ERR=error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
03-Jan 16:12 epistaxis-dir: *Console*.2008-01-03_16.12.28 Fatal
error: TLS negotiation failed wi
On Dec 14, 2007, at 07:08, Jorge Cabello wrote:
Reading this I have a new doubt:
Is it possible to restore the encrypted files as they are (encrypted) and
to use later another tool to unencrypt them?
The short answer is "with work - yes". You would need to find a way
to extract the symm
On Dec 12, 2007, at 02:58, Dimitrios wrote:
When a job ends, it sends me a report via email and in that report
it contains:
Encryption: no
I'm using TLS encryption in all places (DIR, FD, SD, etc), but the
above suggests that nothing is encrypted.
Or am I wrong, and my transportation/com
On Nov 1, 2007, at 7:52 AM, Vladimir Doisan wrote:
> Currently I have "signatures" set in the FileSet as "signature = MD5"
> and
> "PKI Signature = yes" in client-fd (I assume SHA256 is default)
>
> Is it necessary to have them set in both places? Can I safely get
> rid of
> "signature = MD5" f
On Oct 4, 2007, at 5:01 PM, Dave wrote:
Hello,
Is anyone using tls with the latest bacula? I've installed the latest
server on both FreeBSD via ports, and a CentOS 5 box, and I'm getting the
same tls error, unable to load certification information on both.
I just upgraded our primary
On Sep 25, 2007, at 17:35, Dave wrote:
Hello,
I upgraded my bacula from 2.03 to 2.2.4 and now I am getting an error
msg: can not initialize tls context for Storage device catalog in my
bacula-dir.conf file. Other than the upgrade I haven't changed any options
in the configs. I've used
On Jun 15, 2007, at 5:18 AM, Kern Sibbald wrote:
Hello,
I am now working on bug #807, where decrypting files gets signature
digest
errors on each file restored. As far as I can tell, these are
*false* error
messages, most likely due to the fact that Microsoft BackupWrite()
does not
res
ec-dir: No Files found to prune.
11-mai 15:09 nec-dir: End auto prune.
It works perfectly when I use the original keypair.
Can anyone see where the problem comes from ?
Le jeudi 10 mai 2007 à 21:34 -0700, Landon Fuller a écrit :
On May 10, 2007, at 4:51 AM, massano jerome wrote:
Le jeudi 10
On Mar 14, 2007, at 13:41, Jorj Bauer wrote:
Let's take the DNS security issue off the table for the moment.
As I mentioned at some point, that's mostly paranoia. As you say,
you'd
have to compromise both DNS and one of the root CAs to exploit it. I
only mentioned it for those that are total
Sorry for the late arrival. An opendarwin.org e-mail hiccup ate my
subscription.
Kern Sibbald wrote:
Well, I care, and I don't trust DNS at all. From what I read here,
IMO the current implementation is nothing like I imagined -- it is
not the state of the art in security. With ssh, I gener
On Dec 3, 2006, at 12:06 PM, Kern Sibbald wrote:
These two issues appear to be due to some bugs in Robert Nelson's new
blocking encryption restore code. I'm going to spend today fixing
remaining issues there.
OK, thanks.
I've committed rewrite of the block-preserving encryption restoration
On Dec 3, 2006, at 12:06 PM, Kern Sibbald wrote:
On Sunday 03 December 2006 20:57, Landon Fuller wrote:
On Dec 3, 2006, at 11:41 AM, Kern Sibbald wrote:
On Sunday 03 December 2006 19:46, Landon Fuller wrote:
Signature validation is done on what is actually written to disk
(upon restore
On Dec 3, 2006, at 11:41 AM, Kern Sibbald wrote:
On Sunday 03 December 2006 19:46, Landon Fuller wrote:
It would be negligent of me if this feature isn't ready for release;
what are the remaining blockers that you are concerned about?
Well, for example, the digest/signature routines
On Dec 3, 2006, at 7:26 AM, Kern Sibbald wrote:
Volume data format, and it has known bugs (digest problems), which
means that
if any fixes involve changing the data format (as one does that I
found this
morning)
If you're referring to digesting/signing sparse blocks (the change
you comm
On Dec 3, 2006, at 7:26 AM, Kern Sibbald wrote:
I'm still targeting it before the end of the year, but it looks
like one major
new feature will not be enabled, and that is data encryption. The
code just
is not stable (it doesn't pass a simple regression test), and it
affects the
Volume da
(new thread for a new topic, and resending to the list since I sent
from the wrong From address. Whoops.)
On Nov 28, 2006, at 08:44, Benjamin Chambers wrote:
I'm doing some more testing for a client of ours, but this looks to
be the fault
of me running through tests too quickly and possibly k
Morning,
Thanks for reporting this -- I believe this was a bug in the newly
added block-preserving restoration code. I committed a fix for this,
and a few other issues.
Do you think you could try again with the latest code from CVS?
Thanks,
Landon
On Nov 27, 2006, at 5:47 PM, Benjamin Cham
I'm going to wander off on a completely off-topic license discussion.
I apologize in advance.
On Nov 13, 2006, at 02:21, Alan Brown wrote:
On Fri, 10 Nov 2006, Les Mikesell wrote:
Is a non-free version a big issue for you? I've always been a big
fan
of perl's dual-license approach which
On Nov 8, 2006, at 06:54, Kern Sibbald wrote:
If you have any problems with this procedure, now is the time to speak up.
I'd just like to reiterate that if this is going to hose you, let us know -- I can implement backwards compatibility if necessary.
-landonf
On Nov 7, 2006, at 16:41, Kern Sibbald wrote:
Hello Landon,
Hopefully this one will come through intact ...
Super! That assuages my concerns completely.
Thanks!
Landon
On Nov 7, 2006, at 16:09, Kern Sibbald wrote:
Howdy Kern,
2. In their copyright transfer agreement, they explicitly give you
the same rights that I gave you (as best I can see from a quick
reading of it -- please verify this and let me know if you have any
issues). This is explained in the cop
On Nov 6, 2006, at 16:42, Kern Sibbald wrote:
If any of you have concerns, comments, or questions, please do not hesitate to voice them now, either on the Bacula email lists or directly to me.
I'm somewhat concerned about the FSF's copyright assignment policy combined with the GPL license. My willin
On Nov 2, 2006, at 16:29, Robert Nelson wrote:
In that case, would you like me to commit the code I have?
That'd be super. Thanks for fixing it.
I agree about reworking the stream implementation. The existing
code could
be written as a number of filters: gzip, openssl, sparse, block/
deb
g the compressed data size
with each
compressed block.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Landon
Fuller
The encryption does not include compression -- It made more sense
to piggyback on the existing compression code. Also, thanks for
cat
On Nov 2, 2006, at 13:22, Robert Nelson wrote:
The problem is that currently there are three filters defined:
compression,
encryption, and sparse file handling. The current implementation of
compression and sparse file handling both require block boundary
preservation. Even if zlib streamin
On Nov 2, 2006, at 08:30, Robert Nelson wrote:
Landon,
I've changed the code so that the encryption code prefixes the data
block
with a block length prior to encryption.
The decryption code accumulates data until a full data block is
decrypted
before passing it along to the decompressio
On Nov 1, 2006, at 2:20 PM, Michael Brennen wrote:
On Wednesday 01 November 2006 15:33, Arno Lehmann wrote:
This sounds like compression should be automatically disabled when
encryption is enabled. Should be useless anyway as encrypted data should
no longer be compressible.
Not if compres
On Oct 5, 2006, at 11:21 AM, Deric Abel wrote:
Hello all, Two questions -:
1. Is the tape encryption all or nothing, or is it possible to
pick and
choose what files/directories are or are not? If so, how?
The file daemon encryption is all-or-nothing.
2. If a disaster occurred and al
On Oct 2, 2006, at 11:16 PM, Michael Brennen wrote:
I have not been able to run with the "PKI Master Key" directive; the
error is something about not being able to load the private key.
Your error is different, which makes me wonder if you are really
running the cvs version, but you might try s
On Sep 4, 2006, at 11:35, Lech Karol Pawłaszek wrote:
Hello bacula users!
I wonder if any of you have tried to encrypt your data (on a client-
side)
using a symmetric algorithm (like AES). I know that -beta can
perform signing
and encrypting data using asymmetric RSA keys, but AFAIK it's mu
Howdy --
Sorry for missing the TLS e-mails, I've been out in the Yosemite back
country.
Can you get a backtrace with symbols out of this crash?
-landonf
On Sep 5, 2006, at 5:21 PM, Dan Langille wrote:
I'm trying to setup TLS with one client. I have two other clients
working with TLS. At
On Aug 23, 2006, at 2:48 PM, Michael Brennen wrote:
Landon's web site on encryption indicates that the on-disk (should
that be on-medium, to include tape and other?) format may change
during the beta testing. Can anyone give insight on how stable the
encryption format is? Thanks...
Howdy M
On Aug 11, 2006, at 13:24, Mike wrote:
I have a possible situation at work where one user (I'll not
go into the details) needs to have all files from that
workstation encrypted before they get on the network and on
tape. Has there been a discussion, plan, or option I've overlooked
such that the
On Aug 2, 2006, at 07:58, Skylar Thompson wrote:
Skylar Thompson wrote:
I just installed Bacula 1.38 in FreeBSD, using a Postgres backend.
bacula-dir starts up fine, but when I start up bconsole to go to
label a
tape I get a segfault. I've tried running at debug 1024. This is
what I
get o
On Jul 19, 2006, at 12:31, R.I. Pienaar wrote:
hello,
I am in the process of deploying Bacula for my own use and that of
some people I contract to, I had a need for TLS between the various
connections and found the documentation was very misleading and
incomplete so after much list searching
Francisco Reyes wrote:
> Michel Meyers writes:
>
>> Correct: There's encryption of the communication between the File Daemon
>> and the Storage Daemon but no encryption of the data as it is written to
>> tape/HDD/CD/DVD. That's still on the todo list.
>
> Ok. Thanks for explanation. Perhaps the d
Bill Moran wrote:
> On Sat, 8 Apr 2006 21:22:26 -0500
> Erich Prinz <[EMAIL PROTECTED]> wrote:
>
>> Let me know if you want the pre compiled FD.
>
> Would you mind putting this up on ftp or something for me to grab.
> So far I've been unable to build from source or Darwin Ports.
>
> Thanks.
Wha
[EMAIL PROTECTED] wrote:
> Hi,
>
> I would like to know more about the actual status of the encryptions with
> Bacula.
>
> - Can we encrypt data on tape? I see in the FileSet options that there is
> a possible "encryption" option, but it's not documented. Is it hard to
> implement ?
There is
On Mar 6, 2006, at 12:28, Dean Waldow wrote:
I may be remembering incorrectly, but, I don't think you need a
license. I believe it is part of the OSX license itself. Can
anyone else comment on this? I think this is especially the case
for the server license because the server is often whe
On Mar 9, 2006, at 3:52 AM, Andreas Aronsson wrote:
I really think I got it working now!
When I am comparing with the instructions given here:
http://www.bacula.org/rel-manual/Bacula_TLS.html
The difference in my conf is:
bacula-fd.conf; add
# "Global" File daemon configuration specificati
On Mar 8, 2006, at 06:30, Andreas Aronsson wrote:
# I have also tried with selfsigned certs, one for each daemon according to these instructions:
# http://landonf.bikemonkey.org/code/bacula/Configuring_Bacula_Encryption.20060305184424.26351.sandbox.html
Just to clarify, these instructions are for en
On Mar 6, 2006, at 12:09, Dwayne Hottinger wrote:
Here's my big problem. I don't have Xcode on any of my production
10.3.9 OSX servers so I can't build my bacula-fd's on them for the new
1.38 release. I upgraded my main backup server (linux) to 1.38 and not
my clients so now I get
some err
On Mar 6, 2006, at 10:15, Arno Lehmann wrote:
Hi,
On 3/6/2006 2:59 PM, Dwayne Hottinger wrote:
... that he needs 1.38 for MacOS X
Thanks,
I know that's the problem. But I don't see a dist for 1.38 for
os x 10.3.x. Is there a build for the -fd on osx 10.3? Or how do
I build for the o
Erich Prinz wrote:
Super. That actually helps a ton. Thought I was losing my mind.
I have VS Express and presume that will be sufficient for compiling
sake. Looks like there are other pieces to the puzzle that need to
happen and will check back in through the process.
For VC++ Express-spec
On Mar 1, 2006, at 2:15 AM, Chris Crowther wrote:
Landon Fuller wrote:
Who generally handles the Win32 Bacula builds?
Whoever it is has a lot of patience or luck, having tried to do it
myself :)
Does anyone know if it's actually possible to build it with TLS
suppo
Arno Lehmann wrote:
Hello,
On 2/27/2006 3:13 PM, kernel[consulting] info wrote:
I have a problem restoring files from the wx-console running on WinXP.
I was told to use bacula version 1.38.5, but I am unable to find the
binary win32 release of 1.38.5. Can anyone please be so kind to point me
i
On Feb 14, 2006, at 13:50, Dan Langille wrote:
On 5 Feb 2006 at 18:33, Landon Fuller wrote:
In the spirit of status reports -- Bacula's File Daemon now has complete
support for signing and encrypting data prior to sending it to the
Storage Daemon, and decrypting said data upon receipt
Landon Fuller wrote:
One other issue worth raising -- The director can currently overwrite
any file on the FD, including the encryption keys or the FD
configuration file, thus exposing private data to the director.
Something else I forgot to mention; the file daemon also ensures data
Dan Langille wrote:
On 5 Feb 2006 at 18:33, Landon Fuller wrote:
In the spirit of status reports -- Bacula's File Daemon now has complete
support for signing and encrypting data prior to sending it to the
Storage Daemon, and decrypting said data upon receipt from the Storage
Daemon.
Bacula's File Daemon now has complete support for signing and encrypting
data prior to sending it to the Storage Daemon, and decrypting said data
upon receipt from the Storage Daemon.
There is a small memory leak I need to track down, and some remaining
bits and pieces to implement, but I wante
On Jan 17, 2006, at 10:15 AM, Landon Fuller wrote:
DarwinPorts (http://darwinports.opendarwin.org) includes a port for
1.38.2.
If I get some time, I'll update that to 1.38.4.
I've updated the DarwinPort to 1.38.4. It should be available from
the rsync server shortly.
-landonf
On Jan 17, 2006, at 10:03, Arno Lehmann wrote:
Hello,
On 1/17/2006 1:00 PM, Florian Kieling wrote:
hello,
in our network we have systems with linux, windows and macosx . for
linux and
windows i've found packages with the file-daemon and the bconsole.
but on
the package for macosx (1.36.1) c
On Jan 16, 2006, at 8:12 AM, Andras Horvai wrote:
Hi Jari,
Thanks for your answer, but the firewall was the problem.
Your next problem will be that 1.36 and 1.38 are not compatible. =)
-landonf
Aleksandar Milivojevic wrote:
> I've just started experimenting with new TLS feature. One thing that almost
> immediately popped out.
>
> It would be good to have "TLS Allowed DN" and "TLS Allowed Peer Certificate"
> options (or something shorter for the second one).
>
> The first option (TLS A
Aleksandar Milivojevic wrote:
> If client certificate for bconsole is passphrase protected, there is a prompt
> displayed to enter the passphrase. Then bconsole hangs. Ctrl-C doesn't
> work.
> The only way to get out is to kill it from another terminal.
>
> # bconsole
> Connecting to Director
Phil Stracchino wrote:
> Didier Herrera wrote:
>
>>Hello all,
>>I've been trying to install a Bacula client on a Sun ultra 10 with OS
>>Solaris 2.8, I use the following to configure:
>>CFLAGS="-g" ./configure \
>> --sbindir=/bacula/bin \
>> --sysconfdir=/bacula/bin \
>> --enable-client-only \
>> -
Kern Sibbald wrote:
> On Friday 09 December 2005 09:00, Davide Bolcioni wrote:
>
>>Kern Sibbald wrote:
>>
>>>The current "production" release is Bacula version 1.38.2. Between the
>>>time it was released (22 November 2005) and now, there are a number of
>>>bugs that have been fixed, which some us
Phil Stracchino wrote:
Frank Sweetser wrote:
On Mon, Dec 05, 2005 at 11:07:14PM +0100, Kern Sibbald wrote:
Yes, as I mentioned in a previous email. You are using encrypted comm. The
current way it is programmed, this is exactly what will happen because it
runs in non-blocking read mode.
Kern Sibbald wrote:
On Sunday 20 November 2005 22:35, Landon Fuller wrote:
Win32 support for transport encryption requires a small amount of code
to implement entropy gathering using Microsoft's Crypto API. I'm the
blocking factor there -- building the win32 file daemon is compli
Kern Sibbald wrote:
On Sunday 20 November 2005 22:35, Landon Fuller wrote:
Additionally, the GUI consoles/tray monitor do not support transport
encryption. This is just a matter of copying the relevant code from
bconsole. This would be an excellent small project for an aspiring
developer
Arno Lehmann wrote:
Hmm. A good manual section about VPN setup could solve these problems :-)
Seriously, using a VPN to backup data would be one good option as long
as transport encryption is not fully implemented. Once transport
encryption is stable, things look different... One possible solu
Ray Burr wrote:
Landon Fuller wrote:
Kern Sibbald wrote:
Hello,
Does anyone have any *real* bacula .conf examples of using the new
TLS data encryption feature? I would like to add them to the manual.
Here are the TLS portions of my configuration files:
[...]
I just set mine up
Kern Sibbald wrote:
Hello,
Does anyone have any *real* bacula .conf examples of using the new TLS data
encryption feature? I would like to add them to the manual.
Here are the TLS portions of my configuration files:
bacula-dir.conf:
Director {# define myself
On Oct 31, 2005, at 07:43, Brian Keifer wrote:
This weekend brought us another daylight savings change. It seems
that all of
our director/storage servers that had a job running at the time that
the clocks
changed are now unable to use any of their available volumes. I've
had to stop
and res
Felix Schwarz wrote:
Hi all,
I'm experiencing some configuration issues enabling TLS on 1.37.38.
bacula-dir.conf
Director {# define myself
Name = maindirector
TLS Enable = yes
TLS Require = yes
TLS Certificate = /etc/bacula/certs/server1.schwarz.local.crt
TL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mike wrote:
| Hello,
|
| I'm going to be setting up a new backup "system" for my work in the next
| couple of days,
| and I'm interested in using a new (1.37.38) version of Bacula (as I'm
| interested in the
| database changes, and the SSL support)- b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kern Sibbald wrote:
| I had to modify the Bacula GPL license to be acceptable to Debian (I'm
not in
| the least complaining as I respect their position). This was because
| OpenSSL, which for some reason is not OpenSource or at least was not
at the
|
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kern Sibbald wrote:
| 1. Please help encourage Landon Fuller to implement data encryption by
| contributing to EFF. If you haven't seen the announcement about this,
please
| visit: http://www.bacula.org/?page=news For those of you who
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| Disks are very convenient but a bit expensive for archival storage. A
72 GB DAT tape is about $20. A hard drive is a bit more.
|
| You have to think about the threats that you are protecting against.
These are real problems -- I'll address how
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris Lee wrote:
| Switching gears for a moment...
| Jesse also brought up another subject which has occurred to me as
well. For
| the daemons I completely agree with keeping the config files in
/etc/bacula
| but for console and gui programs it makes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The easiest method for adding encryption to Bacula would be via basic
symmetric key encryption, coupled with MAC for data integrity
validation. However, public key algorithms provide a few key features
that symmetric algorithms can not, namely:
Dan Langille $100
Tom Plancon $65
Total: $1,165
Thank you for your donation! The EFF has taken notice:
"In addition, huge thanks to Landon Fuller and the Bacula Project for
helping to raise money for EFF..."