Backup Your Keys

If you lose your symmetric keys and/or your Master Key(s), your data cannot be recovered. It is therefore important to back up your keys. Each time a new Volume is created or recycled with encryption enabled, a new symmetric key is generated, so you should synchronize that key to a secure location as soon as it is created.

By default, your symmetric keys are stored in the /opt/bacula/etc/keydir directory, so it is important to back up or synchronize the contents of this directory to a secure location.

For example, this is the Vol-0004 file created in the /opt/bacula/etc/keydir directory:

# cat keydir/Vol-0004
cipher: AES_128_XTS
cipher_key: X9m2cWwekR+6xuPj3+XNbthXdSZkQ9qjW9CDfojzNrA=  <--- this is the symmetric key
volume_name: Vol-0004

This file must be present on the Storage Daemon to recover the data stored on Vol-0004.

The default key directory, /opt/bacula/etc/keydir, can be changed with the --key-dir option passed on the command line that is configured through the Encryption Command directive. This directory must be backed up regularly.

By default, your Master Keys are kept in the /opt/bacula/etc/gnupg directory. This location is defined in the key manager configuration file, typically /opt/bacula/etc/key-manager.conf, by the gnupghome directive in the [default] section. The key-manager.conf file can be relocated with the --config option of the command associated with the Encryption Command directive. The default passphrase is also stored in key-manager.conf. To back up your Master Keys, you therefore need to save both the key-manager.conf file and the /opt/bacula/etc/gnupg directory.
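The following POSIX shell script is an added example, not part of Bacula or its key manager. It sanity-checks every per-Volume key file in keydir against the three-field format shown above (and checks that the base64 cipher_key of an AES_128_XTS entry decodes to the expected 32 bytes), then bundles keydir, key-manager.conf and the gnupg directory into an owner-only archive ready to be copied off-host. The default paths are the ones named in this chapter; the archive destination, the temporary sample environment and the "gnupghome = ..." line syntax are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Bacula's own tooling): validate keydir files and
# archive all key material with owner-only permissions.

# Check one keydir file: it must carry cipher, cipher_key and volume_name,
# and for AES_128_XTS the base64 key must decode to 32 bytes (two 128-bit
# keys). Returns 0 when the file looks sound, 1 otherwise.
check_key_file() {
    f="$1"
    [ -r "$f" ] || return 1
    cipher=$(sed -n 's/^cipher: *//p' "$f")
    key=$(sed -n 's/^cipher_key: *//p' "$f")
    vol=$(sed -n 's/^volume_name: *//p' "$f")
    [ -n "$cipher" ] && [ -n "$key" ] && [ -n "$vol" ] || return 1
    # Invalid base64 yields 0 bytes here and is rejected by the length test.
    nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    case "$cipher" in
        AES_128_XTS) [ "$nbytes" -eq 32 ] ;;
        *) return 1 ;;   # unknown cipher: refuse rather than guess
    esac
}

# Archive keydir, key-manager.conf and the gnupg directory into $4.
# Every key file must pass check_key_file, otherwise nothing is written,
# so a corrupt key is noticed before the good backup is overwritten.
backup_keys() {
    keydir="$1"; conf="$2"; gnupg="$3"; dest="$4"
    for f in "$keydir"/*; do
        check_key_file "$f" || { echo "bad key file: $f" >&2; return 1; }
    done
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && tar -cf "$dest" -C / "${keydir#/}" "${conf#/}" "${gnupg#/}" ) || return 1
    chmod 600 "$dest"
}

# Constructed sample environment (assumption: laid out like the defaults,
# using the Vol-0004 key file shown in this chapter) so the script runs
# offline. Prints the temporary root directory.
make_sample_env() {
    root=$(mktemp -d)
    mkdir -p "$root/keydir" "$root/gnupg"
    printf 'cipher: AES_128_XTS\ncipher_key: X9m2cWwekR+6xuPj3+XNbthXdSZkQ9qjW9CDfojzNrA=\nvolume_name: Vol-0004\n' \
        > "$root/keydir/Vol-0004"
    printf '[default]\ngnupghome = %s/gnupg\n' "$root" > "$root/key-manager.conf"
    echo "$root"
}

# Usage on a real Storage Daemon (defaults from this chapter):
#   backup_keys /opt/bacula/etc/keydir /opt/bacula/etc/key-manager.conf \
#               /opt/bacula/etc/gnupg /root/bacula-keys.tar
```

The archive still contains the Master Key passphrase in clear (it lives in key-manager.conf), so treat the resulting tar file with the same care as the keys themselves when copying it to its off-host location.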

You can export your default private key using the command:

# gpg --homedir /opt/bacula/etc/gnupg --output private.pgp --armor --export-secret-key bacula@localhost

The command prompts for the passphrase stored in your key-manager.conf file and writes an ASCII-armored copy of your private key to the private.pgp file. You can print it and/or store it on a USB drive or in another secure location.
