What is Encrypted

The main goal of encryption is to safeguard the Volume's data from unauthorized access by individuals lacking the Volume key. Bacula effectively achieves this. However, it is important to note that encryption alone does not guard against alterations to the Volume.

The initial block of the Volume is the Volume label, which remains unencrypted because certain information in it is necessary for the effective management of the Volume. The user-provided data within the Volume label are the hostname, the volumename and the poolname. The hostname can be obscured through the use of the STRONG encryption mode.

Important

Data in your Catalog database, e.g. directories, filenames, and the JobLog, is not encrypted.

Attackers may also make undetected modifications to the Volumes. To safeguard Volumes against modifications, it is advisable to utilize the immutable feature known as Volume Protection.

The XXH64 checksum inside each Volume is encrypted using the encryption key. This is not as strong as using a certified signature, but it provides substantial confidence that the block cannot be modified easily.

In conclusion, with Volume encryption activated, one can be assured that:

  • An attacker cannot read any of your data

  • An attacker cannot substitute a Volume with another one

  • An attacker cannot modify the contents of a Volume

Important

Volume encryption should be complemented by the addition of Volume protection.
