Backup Your Keys
If you lose your symmetric keys and/or your Master Key(s), recovering your data will not be possible. Therefore, it is important to back up your keys.
If you use GnuPG, we recommend using Master Key(s) for Volume Encryption. Our key-manager.py script integrates with GnuPG to
handle one or more Master Keys. Because an encrypted copy of the Volume symmetric key is stored within the volume, you no longer need to
back up the symmetric keys located in /opt/bacula/etc/keydir; you only need to save your Master Keys.
Backup Your Master Keys
By default, Master Keys are stored in the /opt/bacula/etc/gnupg
directory. This location is defined in the key manager configuration file,
typically found at /opt/bacula/etc/key-manager.conf, within the [default]
section under the gnupghome directive, as described in key-manager.conf File Format.
The key-manager.conf file location can be modified using the --config option in the command associated with the Encryption Command directive.
The passphrase is also stored in key-manager.conf at creation time.
Therefore, you only need to back up the key-manager.conf file and the /opt/bacula/etc/gnupg directory.
We recommend using GnuPG import/export options, which simplify restoring keys on a Storage Daemon that already uses GnuPG.
You must back up:
your GnuPG private keys
your passphrases
the key-manager.conf file.
The default id for your Bacula master key is bacula@localhost.
You can export your default private key by running the commands below on the Storage Daemon:
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --export-secret-keys --armor --output private_key.asc bacula@localhost
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --export-ownertrust > ownertrust.txt
# sudo -u bacula cp /opt/bacula/etc/key-manager.conf key-manager.conf.bak
The first command will ask for your passphrase.
Store the three files private_key.asc, ownertrust.txt and key-manager.conf.bak, together with your passphrase, in a secure location.
Remember to save your passphrase: without it the exported private key cannot be used.
The public key is included in the exported private key.
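A sanity check for the exported backup set, added here as an example and not part of Bacula or key-manager.py: it confirms the three files exist, that private_key.asc is ASCII-armored, that ownertrust.txt lists a key at ultimate trust, that [default] in the saved key-manager.conf names a gnupghome, and that the .bak file (which carries the passphrase) is not group/world accessible. The INI-style parse of key-manager.conf, the permission check, the placeholder armor block and the function names are assumptions.

```python
import configparser
import stat
import tempfile
from pathlib import Path

FILES = ("private_key.asc", "ownertrust.txt", "key-manager.conf.bak")
ULTIMATE = 6  # ownertrust level that gpg --export-ownertrust writes for ultimate trust

def check_backup_set(backup_dir):
    """Sanity-check an exported master-key backup set; return (problems, fingerprints)."""
    d = Path(backup_dir)
    problems = [f"{n} is missing" for n in FILES if not (d / n).is_file()]
    if problems:
        return problems, []
    if "-----BEGIN PGP PRIVATE KEY BLOCK-----" not in (d / FILES[0]).read_text():
        problems.append("private_key.asc is not ASCII-armored (was --armor dropped?)")
    fprs = []  # ownertrust.txt data lines look like '<40-hex fingerprint>:<level>:'
    for line in (d / FILES[1]).read_text().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fpr, level = (line.split(":") + ["", ""])[:2]
        if len(fpr) != 40 or not level.isdigit():
            problems.append(f"ownertrust.txt: unexpected line {line!r}")
        else:
            fprs.append((fpr, int(level)))
    if not any(level == ULTIMATE for _, level in fprs):
        problems.append("ownertrust.txt: no key has ultimate trust")
    conf = configparser.ConfigParser()  # assumption: key-manager.conf is INI-style
    conf.read(d / FILES[2])
    if not conf.has_option("default", "gnupghome"):
        problems.append("key-manager.conf.bak: [default] has no gnupghome")
    if (d / FILES[2]).stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key-manager.conf.bak holds the passphrase but is group/world accessible")
    return problems, fprs

def demo():
    """Constructed backup set: placeholder armor (not a real key), the page's fingerprint
    at ultimate trust, and a minimal key-manager.conf with mode 0600."""
    d = Path(tempfile.mkdtemp())
    (d / FILES[0]).write_text("-----BEGIN PGP PRIVATE KEY BLOCK-----\nplaceholder\n-----END PGP PRIVATE KEY BLOCK-----\n")
    (d / FILES[1]).write_text("# List of assigned trustvalues\nFBB29DB0594A29C2584CBF3F64051FB55A1AD3BC:6:\n")
    (d / FILES[2]).write_text("[default]\ngnupghome = /opt/bacula/etc/gnupg\n")
    (d / FILES[2]).chmod(0o600)
    return check_backup_set(d)
```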
Restore Your Master Keys
It is possible to use multiple Master Keys. If your Storage Daemon does not already have a working GnuPG setup, you must first create an empty directory into which to restore your keys:
# sudo -u bacula mkdir /opt/bacula/etc/gnupg
# sudo -u bacula chmod go-rwx /opt/bacula/etc/gnupg
As soon as you have a /opt/bacula/etc/gnupg directory with the correct permissions, you can restore your saved keys using:
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --import private_key.asc
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --import-ownertrust ownertrust.txt
If you have multiple Master Keys, you may end up with two keys using the same default UID bacula@localhost.
To avoid entering the wrong passphrase, you can edit one of the keys:
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --edit-key <MASTER-KEY-FINGERPRINT>
The <MASTER-KEY-FINGERPRINT> is the hexadecimal string of your key, for example: FBB29DB0594A29C2584CBF3F64051FB55A1AD3BC.
Below is a full transcript of the operation. It requires adding a new uid, deleting the previous one, and setting trust:
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg --edit-key FBB29DB0594A29C2584CBF3F64051FB55A1AD3BC
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ultimate] (1). Bacula <bacula@localhost>
gpg> adduid
Real name:
Email address: bacula_restored@localhost
Comment:
You selected this USER-ID:
"bacula_restored@localhost"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <== It will ask you for your passphrase
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ultimate] (1) Bacula <bacula@localhost>
[ unknown] (2). bacula_restored@localhost
gpg> uid 1
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ultimate] (1)* Bacula <bacula@localhost>
[ unknown] (2). bacula_restored@localhost
gpg> deluid
Really remove this user ID? (y/N) y
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ unknown] (1). bacula_restored@localhost
gpg> trust
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ unknown] (1). bacula_restored@localhost
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
sec rsa2048/64051FB55A1AD3BC
created: 2025-08-01 expires: never usage: SCEAR
trust: ultimate validity: ultimate
ssb rsa2048/828D9726BD40F78F
created: 2025-08-01 expires: never usage: SEA
[ unknown] (1). bacula_restored@localhost
gpg> save
# sudo -u bacula gpg --homedir /opt/bacula/etc/gnupg -k
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/bac/workspace/bee/regress/bin/gnupg/pubring.kbx
-----------------------------------------------------
pub rsa2048 2025-08-01 [SCEAR]
FBB29DB0594A29C2584CBF3F64051FB55A1AD3BC
uid [ultimate] bacula_restored@localhost
sub rsa2048 2025-08-01 [SEA]
pub rsa2048 2025-08-01 [SCEAR]
4205ADF0B223D8656C0A977D7A5F01D210FA3333
uid [ultimate] Bacula <bacula@localhost>
sub rsa2048 2025-08-01 [SEA]
After restoring the keys, restore your key-manager.conf.bak file or merge its contents into any
existing /opt/bacula/etc/key-manager.conf.
When merging two key-manager.conf files, pay particular attention to the volume_regex field and
section order to ensure that each Volume is handled by the right section - for example, avoid having two catch-all .* patterns.
Backup Your Symmetric Keys
Each time a new Volume is created or recycled with encryption enabled,
a new symmetric key is generated and a file is created or modified in the key directory
/opt/bacula/etc/keydir. If the masterkey option is off in the matching section of key-manager.conf,
then no master key is used and the only copy of the cipher_key is stored in this directory.
Therefore, it is advisable to synchronize this key to a secure location immediately after it is generated.
For example, this is the VolEncrypted-0001 file created in the /opt/bacula/etc/keydir directory,
which contains the symmetric key (cipher_key):
# cat keydir/VolEncrypted-0001
volume_name: VolEncrypted-0001
cipher: AES_256_XTS
cipher_name: AES_256_XTS
cipher_key: 0aej1mtz1UU3VgS8H8o2zV54bEFPiAsMgie0IkiV4ouD7+X/laubrWMp4hsqGskAWX07luJe4vTCaB1GBWfpqA==
This file must exist on the Storage Daemon to recover the data stored on Volume VolEncrypted-0001.
The default directory for the keys, located at /opt/bacula/etc/keydir, can be modified
using the --key-dir option in the command line, which is configured
by the Encryption Command directive.
If you do not use a Master Key, this directory must be backed up regularly.
We also recommend backing up the /opt/bacula/etc/key-manager.conf file.
Restore Your Symmetric Keys
Be careful when copying your key files back: do not overwrite newer files.
Use the --update=none option of the cp command, or
--update=older when you can safely rely on timestamps.
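The two sections above, as an added example that is not Bacula's own tooling: check_key_file parses a keydir file like VolEncrypted-0001 and verifies that cipher_key decodes to the 64 bytes an AES_256_XTS key needs, and restore_keys copies a backup back with the semantics of cp --update=none or --update=older so that a newer key already on the Storage Daemon is never clobbered. The KEY_SIZES table, the helper names and the temporary fixture directories are assumptions.

```python
import base64
import shutil
import tempfile
from pathlib import Path

# Raw key length per cipher: AES_256_XTS carries two 256-bit keys, so 64 bytes (assumed).
KEY_SIZES = {"AES_256_XTS": 64}
def check_key_file(path):
    """Parse one keydir file ('field: value' lines) and return a list of problems."""
    f = dict(map(str.strip, line.split(":", 1))
             for line in Path(path).read_text().splitlines() if ":" in line)
    problems = [f"missing field {k}" for k in ("volume_name", "cipher", "cipher_key") if k not in f]
    if problems:
        return problems
    try:
        raw = base64.b64decode(f["cipher_key"], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return ["cipher_key is not valid base64"]
    want = KEY_SIZES.get(f["cipher"])
    if want and len(raw) != want:
        problems.append(f"cipher_key is {len(raw)} bytes, expected {want}")
    return problems

def restore_keys(backup_dir, key_dir, mode="none"):
    """Copy keys back; 'none' never overwrites (cp --update=none), 'older' replaces only older files."""
    key_dir = Path(key_dir)
    key_dir.mkdir(parents=True, exist_ok=True)
    restored, skipped = [], []
    for src in sorted(p for p in Path(backup_dir).iterdir() if p.is_file()):
        dst = key_dir / src.name
        if dst.exists() and (mode == "none" or dst.stat().st_mtime >= src.stat().st_mtime):
            skipped.append(src.name)
        else:
            shutil.copy2(src, dst)  # copy2 keeps the backup file's mtime
            restored.append(src.name)
    return restored, skipped

# The page's sample cipher_key (64 bytes); KEY[8:] below is a constructed 58-byte truncation.
KEY = "0aej1mtz1UU3VgS8H8o2zV54bEFPiAsMgie0IkiV4ouD7+X/laubrWMp4hsqGskAWX07luJe4vTCaB1GBWfpqA=="
def key_file(volume, key):
    return f"volume_name: {volume}\ncipher: AES_256_XTS\ncipher_name: AES_256_XTS\ncipher_key: {key}\n"
def demo():
    """Constructed fixture: backup holds the page's 0001 plus a truncated 0002; keydir holds a newer 0001."""
    backup, keydir = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (backup / "VolEncrypted-0001").write_text(key_file("VolEncrypted-0001", KEY))
    (backup / "VolEncrypted-0002").write_text(key_file("VolEncrypted-0002", KEY[8:]))
    (keydir / "VolEncrypted-0001").write_text(key_file("VolEncrypted-0001", KEY))  # written last, so newer
    report = {p.name: check_key_file(p) for p in sorted(backup.iterdir())}
    return report, restore_keys(backup, keydir, mode="older")
```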
Go back to: Best Practices with Volume Encryption.