Encryption Command

A directive has been introduced in the Storage resource of the Storage Daemon:

Encryption Command = <command>

The command specifies an external program that must provide the keys used to encrypt the Volume.

The Storage Daemon invokes the Encryption Command each time a new Volume is either initialized or mounted on a device that has encryption enabled. We offer a straightforward example script designed to assist in the management of Volume encryption keys.

An example of the Encryption Command setting within the Storage resource in the Storage Daemon configuration is as follows:

Encryption Command = "/opt/bacula/scripts/key-manager.py getkey"

Important

The command is limited to 127 characters. The variable substitutions applicable to the Autochanger Command can also be utilized in the script.

The program can serve as an interface with your existing key management system or independently manage keys.

The sample script named key-manager.py can be installed through the bacula-enterprise-storage-key-manager package, which will place it in the /opt/bacula/scripts directory. Additionally, the install-key-manager.sh script, also part of the bacula-enterprise-storage-key-manager package, is designed to assist in setting up a Master Key:

# sudo -u bacula /opt/bacula/scripts/install-key-manager.sh check

# sudo -u bacula /opt/bacula/scripts/install-key-manager.sh install

The key-manager.py script can be used with the following options:

cipher
    This is the cipher that Bacula must use. Bacula knows the following ciphers: AES_128_XTS and AES_256_XTS. The key length varies depending on the selected cipher. By default, the script uses the AES_128_XTS cipher.

key-dir
    This is where the symmetric keys are stored. By default, they are stored in the /opt/bacula/etc/keydir directory.

For example, to use the AES_256_XTS cipher, type:

Encryption Command = "/opt/bacula/scripts/key-manager.py getkey --cipher AES_256_XTS"
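To illustrate what such a key-providing program has to get right, here is an added, hypothetical Python helper written for this page; it is not the shipped key-manager.py and its interface (Volume name as a positional argument, hex key printed on stdout) is an assumption, since the exact exchange between the Storage Daemon and the command is not described above. It shows the per-cipher key size (XTS uses two AES keys, so AES_128_XTS needs 32 bytes and AES_256_XTS 64), per-Volume storage under key-dir with owner-only permissions, and the same key being returned on every later mount.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Key size in bytes for each cipher Bacula knows. XTS mode uses two AES keys
# of the stated size, so AES_128_XTS needs 32 bytes and AES_256_XTS 64 bytes.
KEY_BYTES = {"AES_128_XTS": 32, "AES_256_XTS": 64}

def key_path(key_dir, volume):
    """Map a Volume name to a file inside key_dir, rejecting names that escape it."""
    if not volume or volume != os.path.basename(volume) or volume.startswith("."):
        raise ValueError("invalid Volume name: %r" % volume)
    return Path(key_dir) / (volume + ".key")

def getkey(volume, cipher="AES_128_XTS", key_dir="/opt/bacula/etc/keydir"):
    """Return the hex key for a Volume, generating and storing it on first use.
    Initialization creates the key; every later mount gets the same stored key."""
    if cipher not in KEY_BYTES:
        raise ValueError("unknown cipher: %s" % cipher)
    path = key_path(key_dir, volume)
    if not path.exists():
        # First use: write a fresh random key to a temp file (mkstemp creates it
        # with mode 0600), then hard-link it into place so two concurrent first
        # calls cannot leave different keys for the same Volume.
        path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=".tmp-")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(secrets.token_bytes(KEY_BYTES[cipher]).hex() + "\n")
            try:
                os.link(tmp, path)
            except FileExistsError:
                pass  # another process won the race; its key is read below
        finally:
            os.unlink(tmp)
    key = bytes.fromhex(path.read_text().strip())
    if len(key) != KEY_BYTES[cipher]:
        raise ValueError("stored key for %s is not a %s key" % (volume, cipher))
    return key.hex()

if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="hypothetical getkey helper (not key-manager.py)")
    ap.add_argument("volume")
    ap.add_argument("--cipher", default="AES_128_XTS", choices=sorted(KEY_BYTES))
    ap.add_argument("--key-dir", default="/opt/bacula/etc/keydir")
    a = ap.parse_args()
    print(getkey(a.volume, a.cipher, a.key_dir))
```

A key file that does not match the requested cipher is reported as an error rather than silently reused, so a configuration change after Volumes were initialized is caught at mount time.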
