How to: Bareos Data Encryption (Ubuntu)

Created by Michelle Ritzema at 13-03-2018 12:02:40 +0100


Welcome to a helpful tutorial for setting up Bareos' Data Encryption! 

For this how-to we assume that you have some basic knowledge of Bareos and Ubuntu. If you are looking for a way to set up your Bareos backup system instead, we refer you to our basic setup tutorial.

With Data Encryption, data is encrypted on the client, prior to sending it to the storage daemon on the backup server. For more information, see the official Bareos/Bacula documentation.


Content

  • Update the server and client
  • Set-up configuration
    • 1. Bareos server - create directory
    • 2. Bareos server - generate master key pair
    • 3. Bareos server - transfer master public key
    • 4. Bareos server - generate client key pair
    • 5. Bareos server - generate .pem file
    • 6. Bareos server - security measures
    • 7. Client server - security measures
    • 8. Client server - update configuration
    • 9. Client server - restart daemon
  • Check if it works
    • 1. Client server - Place a simple text file
    • 2. Bareos server - Run unencrypted job
    • 3. Bareos server - Run encrypted job
    • 4. Bareos server - Check the difference


In this tutorial user input is indicated in bold and italic font. When executing the commands, replace these words with the corresponding values.

Note that the encryption used in this tutorial is aes256. You can pick any of the following encryption types: 
des | des3 | idea | aes128 | aes256


Update the server and client

It is very important to first make sure that both the server and client are up to date.

wget -q http://download.bareos.org/bareos/release/latest/ubuntu_version/Release.key -O- | apt-key add -
printf "deb http://download.bareos.org/bareos/release/latest/ubuntu_version/ /\n" > /etc/apt/sources.list.d/bareos.list
apt-get update
apt-get dist-upgrade
/usr/sbin/bareos-fd --version

Example:

wget -q http://download.bareos.org/bareos/release/latest/xUbuntu_16.04/Release.key -O- | apt-key add -
printf "deb http://download.bareos.org/bareos/release/latest/xUbuntu_16.04/ /\n" > /etc/apt/sources.list.d/bareos.list


Set-up configuration

1. Bareos server - create directory

Navigate to the Bareos folder and create a new directory to store the keys in.

cd /etc/bareos
mkdir keys
cd keys


2. Bareos server - generate master key pair

The first step is to create a master key pair. The master key will be used to decrypt backups if a client key is lost. The public key (the .cert file) will be copied to the client to be used in the data encryption. The private key will stay on the backup server. Store the pass phrase for the private key in a secure location.

openssl genrsa -aes256 -out master.key 4096
openssl req -new -key master.key -x509 -out master.cert -days 3650

Example:

root@backup:/etc/bareos/keys# openssl genrsa -aes256 -out master.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................................++
.............................................................................++
e is 65537 (0x10001)
Enter pass phrase for master.key:
Verifying - Enter pass phrase for master.key:
 
root@backup:/etc/bareos/keys# openssl req -new -key master.key -x509 -out master.cert -days 3650
Enter pass phrase for master.key:
You will be to be asked to enter information that will be incorporated
into your certificate request.
What you are going to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid-Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:backup.exampledomain.com
Email Address []:backup@exampledomain.com


3. Bareos server - transfer master public key

We move the public master key (the .cert file) to all the clients that we wish to back up.

scp master.cert user@client:/etc/bareos


4. Bareos server - generate client key pair

Next, we need to generate a key pair for each client that we want to back up on the Bareos server. Store the pass phrase for the private key in a secure location.

openssl genrsa -aes256 -out fd-hostname.key 4096
openssl req -new -key fd-hostname.key -x509 -out fd-hostname.cert -days 3650

Example:

root@backup:/etc/bareos/keys# openssl genrsa -aes256 -out fd-web.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................................++
.............................................................................++
e is 65537 (0x10001)
Enter pass phrase for fd-web.key:
Verifying - Enter pass phrase for fd-web.key:
 
root@backup:/etc/bareos/keys# openssl req -new -key fd-web.key -x509 -out fd-web.cert -days 3650
Enter pass phrase for fd-web.key:
You will be to be asked to enter information that will be incorporated
into your certificate request.
What you are going to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid-Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:web.exampledomain.com
Email Address []:web@exampledomain.com


5. Bareos server - generate .pem file

To allow the Bareos file daemon to use the keys for encryption, we need to store a copy of the client's unencrypted private and public key on the client itself. Because the private key is encrypted, we first unencrypt it with openssl. Then we combine these keys into a .pem file and copy the public client pem file to the client itself.

openssl rsa -in fd-hostname.key -out fd-hostname-clear.key
cat fd-hostname-clear.key fd-hostname.cert > fd-hostname.pem
scp fd-hostname.pem user@client:/etc/bareos


6. Bareos server - security measures

Finally, we can clean up the unencrypted files on the Bareos server for security, and change the ownership and rights on the remaining keys.

rm fd-hostname-clear.key fd-hostname.pem
chown root:bareos master.key master.cert fd-hostname.key fd-hostname.cert
chmod 640 master.key master.cert fd-hostname.key fd-hostname.cert


7. Client server - security measures

Navigate to the Bareos directory. Here we also change the ownership and rights on the keys that we copied from the backup server.

cd /etc/bareos
chown root:bareos master.cert fd-hostname.pem
chmod 640 master.cert fd-hostname.pem


8. Client server - update configuration

Next we need to add the keys to the file daemon's configuration to enable data encryption. Here we can also choose what kind of encryption cipher to use.

vim bareos-fd.conf
PKI Signatures = Yes                          # Enable Data Signing
PKI Encryption = Yes                          # Enable Data Encryption
PKI Keypair = "/etc/bareos/fd-hostname.pem"   # Public and Private Keys
PKI Master Key = "/etc/bareos/master.cert"    # ONLY the Public Key
PKI Cipher = aes256                           # Specify desired PKI Cipher here

Example:

Director {
  Name = bareos-dir
  Password = "57930cc366270da6d214589d4d85ada0"
}
 
FileDaemon {
  Name = web-fd
  Maximum Concurrent Jobs = 20
 
  PKI Signatures = Yes                          # Enable Data Signing
  PKI Encryption = Yes                          # Enable Data Encryption
  PKI Keypair = "/etc/bareos/fd-web.pem"        # Public and Private Keys
  PKI Master Key = "/etc/bareos/master.cert"    # ONLY the Public Key
  PKI Cipher = aes256                           # Specify desired PKI Cipher here
}
 
Messages {
  Name = Standard
  director = backuphost = all, !skipped, !restored
}


9. Client server - restart daemon

Finally, to start encrypting the backup data, we restart the file daemon.

service bareos-fd restart


Check if it works

1. Client server - Place a simple text file

You can easily check if the data has been encrypted correctly. Place a plain text file on your client with the string "AAAABBBBCCCCDDDD".

echo "AAAABBBBCCCCDDDD" > /abcd.txt


2. Bareos server - Run unencrypted job

First you have to run the job without encryption. To do this, you need to disable the configuration in bareos-fd.conf from step 8 and restart the file daemon. Run the job on the backup server via the bconsole (or alternatively via the web-ui) and wait until it completes.

On the client

vim bareos-fd.conf
service bareos-fd restart

On the backup server

bconsole
run

Example:

root@backup:~# bconsole
Connecting to Director backup:9101
1000 OK: bareos-dir Version: 17.2.4 (21 Sep 2017)
Enter a period to cancel a command.
*run
Automatically selected Catalog: MyCatalog
Using Catalog "MyCatalog"
A job name must be specified.
The defined Job resources are:
     1: web
     2: RestoreFiles
     3: BackupCatalog
     4: backup-bareos-fd
Select Job resource (1-6): 1
Run Backup job
JobName:  web
Level:    Incremental
Client:   web
Format:   Native
FileSet:  LinuxAll
Pool:     Incremental (From Job IncPool override)
Storage:  File (From Job resource)
When:     2018-07-13 11:09:08
Priority: 10
OK to run? (yes/mod/no): yes


3. Bareos server - Run encrypted job

Next you re-enable the configuration in bareos-fd.conf, restart the file daemon, and run the job again. Wait until the job is completed.

On the client

vim bareos-fd.conf
service bareos-fd restart

On the backup server

bconsole
run


4. Bareos server - Check the difference

Now it's time to compare the two backups. Bareos stores the backups at the location '/var/lib/bareos/storage/'. Open both the unencrypted and the encrypted files in vim.

vim /var/lib/bareos/storage/unencrypted_file
vim /var/lib/bareos/storage/encrypted_file


Unencrypted backup:
Notice that you can find the string "AAAABBBBCCCCDDDD".

Encrypted backup:
Notice that the string "AAAABBBBCCCCDDDD" cannot be found anywhere.


And that's all there is to it! Thanks for following along with this tutorial.

Comments

Comments are turned off.