Storage Daemon Data Volume Encryption

The Storage Daemon is responsible for encrypting data stored in the Bacula Volume by using the Encryption Command specified in the Storage resource configured within the Storage Daemon.

Each time a new volume is initialized or mounted on a device with encryption enabled, the Storage Daemon invokes the Encryption Command. A very simple example script - the key-manager.py script - is available to assist in managing Volume encryption keys.

Bacula uses symmetric keys to encrypt the Volumes, meaning that the same key is used for both encryption and decryption of the Volume’s content. To improve security, each Volume is expected to be encrypted using a different key. The key-manager.py script provides these keys to the Storage Daemon when needed. A new key must be generated for each new Volume and whenever a Volume is recycled, which can lead to a large number of key files that need to be managed and securely stored.

To streamline this process, the Storage Encryption can use a Master Key, implemented using a public/private key pair.

The symmetric keys used for encrypting the data within the Volume are encrypted using the Master Key, thereby eliminating the necessity to store the symmetric keys directly.
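The Master Key scheme described above, as an added example in Go (not Bacula's own code and not the key-manager.py script): a per-Volume symmetric key is generated when the Volume is initialized, wrapped with RSA-OAEP under the Master public key so that only the wrapped form is stored, and unwrapped with the Master private key on a later mount. The 256-bit key size, OAEP wrapping and the use of the Volume name as the OAEP label are assumptions of this example, not Bacula's on-disk format or its Encryption Command protocol.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedKeys stands in for the key manager's on-disk store: it holds each
// Volume's symmetric key wrapped under the Master public key, never in plaintext.
type WrappedKeys map[string][]byte

// IssueVolumeKey runs when a Volume is initialized or recycled: a fresh 256-bit
// key is wrapped with RSA-OAEP, stored, and returned in plaintext for this mount only.
func IssueVolumeKey(store WrappedKeys, volume string, pub *rsa.PublicKey) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// The Volume name is bound as the OAEP label (an assumption of this example),
	// so a wrapped key copied onto another Volume's entry will not unwrap.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(volume))
	if err != nil {
		return nil, err
	}
	store[volume] = wrapped
	return key, nil
}

// RecoverVolumeKey runs on a later mount: only the Master private key can unwrap
// the stored key, so that private key must be protected and backed up; without
// it no encrypted Volume can be read.
func RecoverVolumeKey(store WrappedKeys, volume string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := store[volume]
	if !ok {
		return nil, errors.New("no wrapped key for volume " + volume)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(volume))
}

// main walks one Volume through the cycle: issue at initialization, recover at mount.
func main() {
	master, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the Master Key pair
	store := WrappedKeys{}
	key, _ := IssueVolumeKey(store, "Vol-0001", &master.PublicKey)
	back, _ := RecoverVolumeKey(store, "Vol-0001", master)
	fmt.Printf("stored %d wrapped bytes; key recovered intact: %v\n", len(store["Vol-0001"]), bytes.Equal(key, back))
}
```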

Note: If Data Spooling is enabled, the data located in the specified Spool Directory is not subject to encryption.

Important: Ensure that the spooled data is not saved on insecure storage.
