Master Key Implementation
The master key is implemented as a public/private key pair. The public key is stored on the Storage Daemon and is used to encrypt the automatically generated symmetric keys. The private key does not need to be present on the Storage Daemon to run backups; it is only required at restore time.
The encrypted symmetric key and a unique identifier of the master key are stored in the volume label. At restore time, these two pieces of information, together with the volume name, are handed to the key manager, which must return the correct symmetric key.
There are a few scenarios to consider:

- You do not use stealth mode: the key manager either decrypts the symmetric key taken from the volume label with the private key, using the passphrase you have provided in the configuration file, or returns the clear copy of the symmetric key that it keeps locally.
- You use stealth mode: the key manager asks GnuPG to decrypt the symmetric key taken from the volume label. There are two possibilities here:
  - The passphrase of the private key has been preset, or is still in the cache of the gpg agent, and gpg can decrypt the symmetric key immediately.
  - Otherwise Bacula waits until the user provides the passphrase.
The key manager shipped with Bacula uses GnuPG to manage the public/private key pair.
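The following POSIX shell script is an added example, not Bacula's own key manager or its label format: it models the flow described above with OpenSSL standing in for GnuPG, so it runs without a gpg agent. It covers the non-stealth scenarios (a clear copy cached locally, or the wrapped key unwrapped with the private key and the configured passphrase) and refuses a master key id it does not own; the stealth path, where gpg is asked to decrypt and may block for the passphrase, is only noted in a comment. The file names, the label field names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: models the master-key flow described above with OpenSSL
# standing in for GnuPG. File names, the label field names and the function
# names are assumptions for this example; they are not Bacula's own
# key manager or its label format.
set -eu

# Unique identifier for a master key: SHA-256 of the DER-encoded public key.
master_key_id() {     # $1 = public key file
    openssl rsa -pubin -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Key owner: create the master key pair. The private key is protected by a
# passphrase (the one a non-stealth configuration carries); master.pub is the
# only part the Storage Daemon needs to run backups. Prints the key id.
make_master_key() {   # $1 = key directory, $2 = private-key passphrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/master.key" 2048 2>/dev/null
    openssl rsa -in "$1/master.key" -passin "pass:$2" -pubout \
        -out "$1/master.pub" 2>/dev/null
    master_key_id "$1/master.pub"
}

# Storage Daemon: generate a fresh symmetric key for a volume, wrap it with the
# master public key and write the wrapped key plus the master key id into the
# volume label. With a third argument of "cache" a clear copy is kept locally
# for the key manager (the non-stealth shortcut); otherwise the clear key is
# discarded once the label is written, since the SD cannot unwrap it itself.
label_volume() {      # $1 = key directory, $2 = volume name, [$3 = cache]
    openssl rand -hex 32 > "$1/$2.tmpkey"
    enc=$(openssl pkeyutl -encrypt -pubin -inkey "$1/master.pub" \
              -pkeyopt rsa_padding_mode:oaep -in "$1/$2.tmpkey" | openssl base64 -A)
    printf 'Volume=%s\nMasterKeyId=%s\nEncryptedKey=%s\n' \
        "$2" "$(master_key_id "$1/master.pub")" "$enc" > "$1/$2.label"
    if [ "${3:-}" = cache ]; then
        mkdir -p "$1/cache" && mv "$1/$2.tmpkey" "$1/cache/$2.key"
    else
        rm -f "$1/$2.tmpkey"
    fi
    cat "$1/$2.label"
}

# Read one field out of a label file.
label_field() {       # $1 = label file, $2 = field name
    sed -n "s/^$2=//p" "$1"
}

# Key manager, called at restore time with the master key id, the wrapped key
# and the volume name from the label. It refuses an id it does not own, serves
# the key from the local clear cache when one exists, and otherwise unwraps it
# with the private key and the configured passphrase. In stealth mode this last
# step would be handed to gpg, which answers at once if the gpg agent has the
# passphrase cached and otherwise blocks until the user supplies it.
key_manager() {       # $1 = key dir, $2 = master key id, $3 = wrapped key (base64), $4 = volume, $5 = passphrase
    if [ "$2" != "$(master_key_id "$1/master.pub")" ]; then
        echo "key-manager: unknown master key id $2 for volume $4" >&2
        return 1
    fi
    if [ -f "$1/cache/$4.key" ]; then
        cat "$1/cache/$4.key"
        return 0
    fi
    printf '%s' "$3" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$1/master.key" -passin "pass:$5" \
              -pkeyopt rsa_padding_mode:oaep
}

# Walk-through: label a volume without a cached copy, then recover its key
# from the label fields alone, as a restore would.
demo() {
    d=$(mktemp -d)
    make_master_key "$d" "correct horse battery staple" > /dev/null
    label_volume "$d" Vol0001 > /dev/null
    key_manager "$d" "$(label_field "$d/Vol0001.label" MasterKeyId)" \
        "$(label_field "$d/Vol0001.label" EncryptedKey)" Vol0001 \
        "correct horse battery staple"
    rm -rf "$d"
}
demo
```

With GnuPG the two operations on the wrapped key are `gpg --encrypt --recipient <master key id>` on the Storage Daemon side and `gpg --decrypt` in the key manager; whether the latter returns immediately or waits for a passphrase depends on the gpg agent's cache, which is exactly the stealth-mode distinction made above. The master key id check matters in practice: a label written under a different master key must be rejected rather than silently handed to the wrong private key.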