Master Key Implementation

The master key is implemented using a public/private key pair. The public key is stored on the Storage Daemon and is used to encrypt the automatically generated symmetrical keys. The private key does not need to be stored on the Storage Daemon to run backups.

The encrypted key and a unique identifier for the master key are stored into the label of the volume. At restore time, these two pieces of information, and the volume name are provided to the key manager that must provide the correct symmetrical key.

There are a few scenarios to consider:

• You don’t use the stealth mode, and the key-manager can use the passphrase of the private key that you have provided in the configuration file to decrypt the symmetrical key coming from the volume or use the clear version of the symmetrical key stored locally.

• You use the stealth mode, and the key-manager asks GnuPG to decrypt the symmetrical key coming from the volume. There are two possibilities here:

  • The passphrase of the private key has been preset, or is still in the cache of the gpg agent and gpg can decrypt the symmetrical key

  • Bacula waits until the user provides the passphrase

The key-manager provided with Bacula uses GnuPG to manage the public/private key.

See also

Go back to:

• New Storage Daemon Directives

• Encryption Command

• Compatibility between Volumes Using BB02 and BB03 Formats

• Interoperability between Encrypted and Unencrypted Volumes

• Using Master Key

Go to:

• key-manager.conf File Format

• Backup Your Keys

• What Is Encrypted

Go back to the Storage Daemon Data Encryption chapter.

Go back to the main Data Encryption chapter.

Go back to the main Advanced Features Usage page.