Using Master Key

Bacula uses symmetric keys to encrypt the volumes. This means that the same key is used to encrypt and to decrypt the volume content. To improve security, each volume is expected to be encrypted with a different key. The task of the key manager is to provide these keys to the Storage Daemon; a key must be generated whenever a new volume is created or an existing volume is recycled. This can result in a large number of key files to handle, which must also be backed up or kept in a safe place.

The master key is implemented using a public/private key pair. The public key is kept on the Storage Daemon and is used to produce the encrypted version of each volume's symmetric key, while the private key may be kept somewhere else.

The master key is designed to provide two advantages:

  • Multiple volumes can be decrypted using one master key, or a set of master keys.

  • When the stealth mode is used, the symmetric key is never stored on disk, so no restore is possible without the private key. If your server is hacked or stolen, nobody is able to restore your data from it.
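The wrapping scheme described above, as an added Go example (not Bacula's own code): each volume gets a fresh symmetric key, only the copy of that key wrapped under the master public key is stored next to the encrypted content, and unwrapping needs the master private key. The concrete choices (AES-256-GCM for the content, RSA-OAEP for the wrap, a 2048-bit key pair, the sample content) are assumptions made for this illustration and are not taken from Bacula's formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedVolume is what stays on disk: encrypted content plus the wrapped volume key.
type EncryptedVolume struct {
	WrappedKey []byte // AES-256 volume key, RSA-OAEP encrypted with the master public key
	Nonce      []byte // 96-bit AES-GCM nonce
	Ciphertext []byte // volume content under the (never stored) plaintext volume key
}

func must[T any](v T, err error) T { // setup failures (RNG, cipher construction) panic
	if err != nil {
		panic(err)
	}
	return v
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// EncryptVolume draws a fresh key and nonce for this volume, encrypts the content with
// AES-256-GCM and keeps only the public-key-wrapped copy of the key (stealth mode).
func EncryptVolume(pub *rsa.PublicKey, content []byte) *EncryptedVolume {
	buf := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	return &EncryptedVolume{wrapped, nonce, aead(key).Seal(nil, nonce, content, nil)}
}

// DecryptVolume unwraps the volume key with the master private key; any other key fails at the unwrap step.
func DecryptVolume(priv *rsa.PrivateKey, v *EncryptedVolume) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, v.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, v.Nonce, v.Ciphertext, nil)
}

func main() {
	master := must(rsa.GenerateKey(rand.Reader, 2048)) // master key pair, constructed here
	plain, err := DecryptVolume(master, EncryptVolume(&master.PublicKey, []byte("constructed volume contents")))
	fmt.Printf("%s %v\n", plain, err)
}
```

The checks worth keeping around such code are that a restore with any other private key fails at the unwrap step and that two volumes never share a wrapped key, which is what the many-volumes-one-master-key property relies on.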
