key-manager.conf File Format
When using the master key feature, you set up your master keys in the key-manager.conf file stored in /opt/bacula/etc. This file is automatically populated with one master key at installation time. The file is not required if you don't use a master key:
[default]
gnupghome="/opt/bacula/etc/gnupg"
[0378FB9C839FF9F207834D89DB856A1A513B7AB4]
#volume_regex=Volume[0-9]+|TestVolume[0-9]+
uid=bacula@localhost
passphrase=xm3ynBi7MfHTUovls4QV8OtBT5rfAnXwT8Wb7wjVRyCT
stealth=off
The supported fields are:
gnupghome: This is where GnuPG stores your keys
volume_regex: A regex used by the key manager to decide whether this master key must be used for a given volume
uid: The uid helps you to identify the key
passphrase: This is the passphrase of the key
stealth: When stealth is on, the key manager does not store the symmetric keys in the KEYDIR directory.
The default gnupghome directory is /opt/bacula/etc/gnupg. When running GnuPG directly, you must pass the --homedir option (--homedir /opt/bacula/etc/gnupg) or set the GNUPGHOME environment variable:
export GNUPGHOME="/opt/bacula/etc/gnupg"
You must define a section for every master key you want to use. The section name is the Key-ID of your public/private key pair, which you can get by listing your keys:
bacula $ GNUPGHOME=/opt/bacula/etc/gnupg gpg -k
/opt/bacula/etc/gnupg/pubring.kbx
-----------------------------------------------------
pub rsa3072 2023-01-11 [SC]
0378FB9C839FF9F207834D89DB856A1A513B7AB4
uid [ultimate] Bacula <bacula@localhost>
sub rsa3072 2023-01-11 [E]
Notice that the public key has a subkey that allows encryption: this is the [E] on the last line. If your public/private key pair does not have such a subkey, you cannot use it with the key manager.
The volume_regex entries are checked sequentially, in the order of the sections. The first regex that matches the volume name submitted to the key manager is used, even if the volume_regex of a later section also matches the volume name. By default, volume_regex is commented out so that the master key feature is not activated.
The uid is only informative, and is not used by the key manager.
When stealth is set to on, the key manager does not keep the symmetric keys in clear text in the KEYDIR directory. When stealth is on, you should also not specify a passphrase.
When the passphrase of the public/private key is not set but is required by the key manager, the key manager relies on gpg-agent to provide the key.
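The following Python script is an added example, not part of Bacula or of this documentation. It reads a key-manager.conf in the format shown above, picks the master key for a volume name the way the text describes (sections checked in order, first matching volume_regex wins, commented-out regexes never match) and flags a section that sets stealth=on together with a passphrase. The sample configuration, the second and third key IDs and all passphrases are constructed placeholders; the assumption that a regex is matched as an unanchored search and that section names are hexadecimal key IDs or fingerprints is ours, not something the page states.

```python
"""Reader and consistency check for a Bacula-style key-manager.conf.
Added example; not Bacula's own parser."""
import configparser
import re

# Constructed sample file. The first key ID is the one shown in the
# documentation; the other two IDs and every passphrase are placeholders.
SAMPLE_CONF = """\
[default]
gnupghome="/opt/bacula/etc/gnupg"

[0378FB9C839FF9F207834D89DB856A1A513B7AB4]
volume_regex=Volume[0-9]+|TestVolume[0-9]+
uid=bacula@localhost
passphrase=PLACEHOLDER-PASSPHRASE-1
stealth=off

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
volume_regex=Volume[0-9]+
uid=second@localhost
passphrase=PLACEHOLDER-PASSPHRASE-2
stealth=on

[BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB]
#volume_regex=Archive[0-9]+
uid=disabled@localhost
stealth=off
"""

# Assumption: section names are hex key IDs (8 or 16 digits) or 40-digit fingerprints.
KEY_ID_RE = re.compile(r"^(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def parse_key_manager_conf(text):
    """Return (gnupghome, [(key_id, fields), ...]) keeping the section order.

    Full-line comments such as '#volume_regex=...' are dropped by the INI
    parser, so a commented-out regex simply never appears in 'fields'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep field names exactly as written
    cp.read_string(text)
    gnupghome = cp.get("default", "gnupghome", fallback="").strip('"')
    keys = []
    for section in cp.sections():
        if section == "default":
            continue
        fields = {name: value.strip('"') for name, value in cp.items(section)}
        keys.append((section, fields))
    return gnupghome, keys


def select_master_key(keys, volume_name):
    """Return the key ID of the first section whose volume_regex matches.

    Sections without an active volume_regex are skipped, which is why the
    default (commented-out) regex leaves the master key feature disabled.
    Assumption: the regex is applied as an unanchored search.
    """
    for key_id, fields in keys:
        regex = fields.get("volume_regex")
        if regex and re.search(regex, volume_name):
            return key_id
    return None


def lint_key_manager_conf(gnupghome, keys):
    """Report configuration problems a practitioner would want caught early."""
    problems = []
    if not gnupghome:
        problems.append("default: gnupghome is not set")
    for key_id, fields in keys:
        if not KEY_ID_RE.match(key_id):
            problems.append(f"{key_id}: section name is not a hexadecimal key ID")
        # The documentation says a passphrase should not be given when stealth is on.
        if fields.get("stealth", "off").lower() == "on" and fields.get("passphrase"):
            problems.append(f"{key_id}: stealth=on but a passphrase is also set")
        regex = fields.get("volume_regex")
        if regex:
            try:
                re.compile(regex)
            except re.error as exc:
                problems.append(f"{key_id}: invalid volume_regex ({exc})")
    return problems


if __name__ == "__main__":
    home, master_keys = parse_key_manager_conf(SAMPLE_CONF)
    print("gnupghome:", home)
    for volume in ("Volume12", "TestVolume3", "Archive1", "Other"):
        print(f"{volume:12} -> {select_master_key(master_keys, volume)}")
    for problem in lint_key_manager_conf(home, master_keys):
        print("WARNING:", problem)
```

Running the script shows that Volume12 is served by the first section even though the second section's regex also matches it, that Archive1 gets no key because its regex is commented out, and that the second section is flagged for combining stealth=on with a passphrase.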