Bacula with support for TLS encryption

Today I upgraded my Bacula installation on the Gentoo Bacula director to bacula-1.38. Support for TLS has been integrated into Bacula since version 1.37. Upgrading to 1.37 or later allows switching the encryption setup to the built-in TLS implementation instead of wrapping the daemon ports with stunnel. Bacula's TLS implementation provides TLS encryption and mutual certificate authentication between the director, storage and file daemons. The settings are made per resource in each daemon's configuration, so different parameters (whether TLS is required, whether the peer certificate must be verified) can be chosen for each connection according to its requirements. I'm using CAcert certificates for the host certificates.

Unfortunately, Ubuntu Dapper is still on 1.36.3 and Debian Sarge on 1.36.2 which both do not yet support built-in TLS so those clients will have to wait.

The Gentoo ebuild for the masked app-backup/bacula-1.38.5 still has some issues but it worked quite well for me. I only had to unmerge old python2.3 first or the ebuild would silently fail to install the daemons because it tried to link them against (my broken) python2.3.

Upgrading the Bacula database (I'm using the MySQL backend) to the required schema version 9 was done with a simple

/usr/libexec/bacula/updatedb/update_mysql_tables_8_to_9 -u root -p

Bacula director

The relevant resources from the director configuration, bacula-dir.conf. The Director resource describes what the director accepts from connecting consoles: TLS is offered but not required, and no client certificate is demanded (TLS Verify Peer = no). The Client resource describes the director's outgoing connection to client-fd, where TLS is mandatory.

Director {
  Name = director-dir
  DIRport = 9101
  QueryFile = "/var/lib/bacula/query.sql"
  WorkingDirectory = "/var/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 1
  Password = "secret"
  Messages = Daemon
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = no
  #TLS Allowed CN = "bacula@backup1.example.com"
  #TLS Allowed CN = "administrator@example.com"
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
  TLS Certificate = /etc/ssl/localhost/server.pem
  TLS Key = /etc/ssl/localhost/server.key
}
Client {
  Name = client-fd
  Address = client.domain.tld
  FDPort = 9102
  Catalog = MyCatalog
  Password = "secret"
  File Retention = 30 days
  Job Retention = 6 months
  AutoPrune = yes
  #ClientRunBeforeJob=
  TLS Enable = yes
  TLS Require = yes
  #TLS Verify Peer = no
  #TLS Allowed CN = "bacula@backup1.example.com"
  #TLS Allowed CN = "administrator@example.com"
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
  TLS Certificate = /etc/ssl/localhost/server.pem
  TLS Key = /etc/ssl/localhost/server.key
}

Bacula file daemon

The client configuration, bacula-fd.conf. In addition to enforcing TLS for this client, I'm also limiting who is able to connect to the host by the CN of the director certificate (TLS Allowed CN). The CN list is only consulted while the peer certificate is being verified, so it needs TLS Verify Peer = yes on the same resource to have any effect.

Director {
  Name = director-dir
  Password = "secret"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  # Allow only the Director to connect
  TLS Allowed CN = "director.domain.tld"
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
  # This is a server certificate. It is used by connecting
  # directors to verify the authenticity of this file daemon
  TLS Certificate = /etc/ssl/localhost/server.pem
  TLS Key = /etc/ssl/localhost/server.key
}
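Two mistakes are easy to make with these directives: leaving TLS Require = no on a resource where encryption was meant to be mandatory (the connection silently falls back to plaintext when the peer has no TLS), and listing TLS Allowed CN on a resource whose TLS Verify Peer is off, where the list is never consulted. The following lint parses the flat resource syntax shown above and reports both. It is an added example, not code from this post or from the Bacula project; the sample configurations inside it are constructed from the resources above, and the defaults it assumes (TLS Enable and TLS Require default to no, TLS Verify Peer defaults to yes) are Bacula's documented defaults.

```python
"""Lint Bacula resources for TLS settings that are weaker than they look.

Added example, not code from the post or the Bacula project. It parses the
flat `Resource { Directive = Value }` layout of bacula-dir.conf and
bacula-fd.conf, one directive per line as in the post (Bacula also accepts
other layouts, which this parser does not handle).
"""
import re


def _key(name):
    # Bacula ignores case and whitespace in directive names, so
    # "TLS Allowed CN" and "TLSAllowedCN" are the same directive.
    return re.sub(r"\s+", "", name).lower()


def parse_resources(text):
    """Return [(resource_type, {directive: [value, ...]}), ...]."""
    resources, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or commented out
            continue
        opener = re.match(r"^(\w+)\s*\{$", line)
        if opener:
            current = (opener.group(1), {})
            resources.append(current)
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            # a directive may repeat (TLS Allowed CN), so values are kept in a list
            current[1].setdefault(_key(name), []).append(value.strip().strip('"'))
        else:
            raise ValueError("unexpected line: %r" % raw)
    return resources


def _yes(res, directive, default):
    values = res.get(directive)
    return default if not values else values[-1].lower() in ("yes", "true", "on", "1")


def tls_findings(res):
    """Security-relevant problems with one resource's TLS directives."""
    findings = []
    if not _yes(res, "tlsenable", False):           # Bacula default: no
        return ["TLS Enable = no: this connection is plaintext"]
    if not _yes(res, "tlsrequire", False):          # Bacula default: no
        findings.append("TLS Require = no: falls back to plaintext if the peer does not offer TLS")
    # The CN list is checked inside peer verification, so with
    # TLS Verify Peer = no it is never consulted.  Bacula's default is yes.
    if res.get("tlsallowedcn") and not _yes(res, "tlsverifypeer", True):
        findings.append("TLS Allowed CN is ignored because TLS Verify Peer = no")
    if "tlscacertificatefile" not in res:
        findings.append("no TLS CA Certificate File: peer certificates cannot be validated")
    return findings


def lint(text):
    """Map 'Type/Name' to the findings for every resource in the text."""
    return {"%s/%s" % (rtype, res.get("name", ["?"])[0]): tls_findings(res)
            for rtype, res in parse_resources(text)}


# Constructed samples.  FD_CONF_WEAK looks locked down, but the CN restriction
# is dead because peer verification is off; FD_CONF_FIXED is the corrected
# form, as in the post.  DIR_CONF is the director side, trimmed to TLS lines.
FD_CONF_WEAK = """
Director {
  Name = director-dir
  Password = "secret"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS Allowed CN = "director.domain.tld"
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
}
"""
FD_CONF_FIXED = FD_CONF_WEAK.replace("TLS Verify Peer = no", "TLS Verify Peer = yes")
DIR_CONF = """
Director {
  Name = director-dir
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = no
  #TLS Allowed CN = "administrator@example.com"
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
}
Client {
  Name = client-fd
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/ssl/localhost/cacert.crt
}
"""

if __name__ == "__main__":
    for label, conf in (("bacula-fd.conf (weak)", FD_CONF_WEAK),
                        ("bacula-fd.conf (fixed)", FD_CONF_FIXED),
                        ("bacula-dir.conf", DIR_CONF)):
        for resource, findings in lint(conf).items():
            print(label, resource, findings or "ok")
```

Run against the real files with `lint(open("/etc/bacula/bacula-fd.conf").read())`; the director's own Director resource above is reported with the TLS Require finding, which is intentional there (consoles without TLS are still allowed) but is exactly the line to check on resources that are meant to be encrypted only.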
mike – Sun, 2006 – 06 – 11 13:14