When Bacula Requests Passphrase


When you choose maximum security by not storing the passphrase value in your key-manager.conf file and you have also activated stealth mode, you must provide the passphrase through gpg-agent. If you forget to preload the passphrase, Bacula warns you and waits until you provide it.

In the bconsole status director output, the following job status is reported:

 Running Jobs:
 Console connected using TLS at 12-Aug-25 13:27
  JobId  Type Level     Files     Bytes  Name              Status
 ======================================================================
      2  Back Full          0         0  LinuxHome            is waiting for a passphrase to access a volume
 ====

In the device status:

 Device status:

 Device File is "DiskAutochanger" (/mnt/volumes) waiting for:
     Volume:      TestVolume001
     Pool:        Default
     Media type:  File
     Total Bytes Read=64,512 Blocks Read=1 Bytes/block=64,512
     Positioned at File=0 Block=0
    Device is BLOCKED waiting for a passphrase to access volume "TestVolume001",
        Pool:        Default
        Media type:  File
        Master Key:   61EAF637AC66795A Bacula <bacula@localhost> 61EAF637AC66795A C7CACB749E1033BE 1 0
        Keygrip:      6515D50B2F410A05C9B6861C7F6F08C1E702CC11
 Device state:
    OPENED !TAPE LABEL !APPEND !READ !EOT !WEOT !EOF !WORM !NEXTVOL !SHORT !MOUNTED !MALLOC
    Writers=0 reserves=1 blocked=2 enabled=1 usage=100,539,319
 Attached JobIds: 2
 Device parameters:
    Archive name: /mnt/volumes Device name: DiskAutochanger
    File=0 block=0
    Min block=0 Max block=0
    Available Space=71.63 GB
 ==

And inside the job log:

 sd JobId 2: 3305 Waiting passphrase for volume "TestVolume001", master key is "61EAF637AC66795A Bacula <bacula@localhost> 61EAF637AC66795A C7CACB749E1033BE 1 0", keygrip is 6515D50B2F410A05C9B6861C7F6F08C1E702CC11
 sd JobId 2: Please enter passphrase for Volume "TestVolume001" for:
     Job:          LinuxHome.2025-08-12_13.28.00_05
     Storage:      "DiskAutochanger" (/mnt/volumes)
     Pool:         Default
     Media type:   File
     Master Key:   61EAF637AC66795A Bacula <bacula@localhost> 61EAF637AC66795A C7CACB749E1033BE 1 0
     Keygrip:      6515D50B2F410A05C9B6861C7F6F08C1E702CC11

At this point, you need SSH access to the Storage Daemon server. The passphrase can then be loaded into the cache with either the gpg-preset-passphrase or the gpg-connect-agent utility. The key-manager.conf file contains multiple examples of how to load the passphrase; see the Key-Manager.conf documentation for details.

A typical command is:

sudo -u bacula /usr/lib/gnupg/gpg-preset-passphrase --homedir /opt/bacula/etc/gnupg --preset 6515D50B2F410A05C9B6861C7F6F08C1E702CC11

Notice that 6515D50B2F410A05C9B6861C7F6F08C1E702CC11 is the keygrip of the key, and C7CACB749E1033BE is the last half of the Master Key ID.

Compare with the content of your key-manager.conf:

[47CFFAD240466FEE7B2DE124C7CACB749E1033BE]
# The name of this section is the master-key fingerprint,
# below are the uid and keygrip of this master-key
#
# keygrip=6515D50B2F410A05C9B6861C7F6F08C1E702CC11
# uid=bacula@localhost

After that, you must wake up the Storage Daemon using the bconsole mount command so it can retry using the Volume. Check the status to ensure that the passphrase was accepted:

mount storage=DiskAutochanger
@sleep 5
status storage=DiskAutochanger
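
The comparison described above, between the keygrip and key ID in the job log and the section in key-manager.conf, can be scripted so that a passphrase is only preset for a key the configuration actually knows. This is an added example, not part of Bacula or its documentation: the function names are hypothetical, the sample inputs are copied from this page, and it assumes the keygrip lines in key-manager.conf look like the excerpt shown.

```shell
#!/bin/sh
# Added example (not Bacula code): verify that the key named in a Storage
# Daemon "3305 Waiting passphrase" message matches a key-manager.conf
# section before presetting a passphrase. Function names are hypothetical.

# Read log text on stdin, print the 40-hex-digit keygrip of the first request.
keygrip_from_log() {
    sed -n 's/.*3305 Waiting passphrase.*keygrip is \([0-9A-F]\{40\}\).*/\1/p' |
        head -n 1
}

# $1 = key-manager.conf path, $2 = keygrip. Print the name (master-key
# fingerprint) of the section whose keygrip line, commented or not, matches.
section_for_keygrip() {
    awk -v grip="$2" '
        /^\[[0-9A-Fa-f]+\]$/ { section = substr($0, 2, length($0) - 2) }
        $0 ~ ("^#?[ \t]*keygrip=" grip "[ \t]*$") { print section; exit }
    ' "$1"
}

# $1 = log line, $2 = key-manager.conf path. Print the keygrip only when the
# config knows it and the log also shows the last 16 hex digits of that
# section's fingerprint; otherwise explain on stderr and return non-zero.
check_request() {
    grip=$(printf '%s\n' "$1" | keygrip_from_log)
    [ -n "$grip" ] || { echo "no passphrase request in log line" >&2; return 2; }
    fpr=$(section_for_keygrip "$2" "$grip")
    [ -n "$fpr" ] || { echo "keygrip $grip not in $2" >&2; return 3; }
    keyid=$(printf '%s' "$fpr" | tail -c 16)
    case "$1" in
        *" $keyid "*) printf '%s\n' "$grip" ;;
        *) echo "key ID $keyid missing from log line" >&2; return 4 ;;
    esac
}

# Sample inputs copied from this page; the temporary file stands in for
# /opt/bacula/etc/key-manager.conf.
SAMPLE_LOG='sd JobId 2: 3305 Waiting passphrase for volume "TestVolume001", master key is "61EAF637AC66795A Bacula <bacula@localhost> 61EAF637AC66795A C7CACB749E1033BE 1 0", keygrip is 6515D50B2F410A05C9B6861C7F6F08C1E702CC11'
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf '%s\n' '[47CFFAD240466FEE7B2DE124C7CACB749E1033BE]' \
    '# keygrip=6515D50B2F410A05C9B6861C7F6F08C1E702CC11' \
    '# uid=bacula@localhost' > "$SAMPLE_CONF"

if grip=$(check_request "$SAMPLE_LOG" "$SAMPLE_CONF"); then
    echo "verified, preset the passphrase for keygrip: $grip"
fi
```

A non-zero return means the request names a key that the local configuration does not describe, which is worth investigating before any passphrase is typed.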

The following are examples of errors that the key-manager can trigger:

When you try to use an encrypted Volume and the Master Key is not defined in the configuration file:

bacula-sd JobId 6: Fatal error: [SF3993] Error loading encryption key to "READ" Volume "TestVolume001":
                   ERR=got error message: "configuration file "/opt/bacula/etc/key-manager.conf" has no section "47CFFAD240466FEE7B2DE124C7CACB749E1033BE""
bacula-sd JobId 6: Warning: acquire.c:277 Read acquire: [SF3993] Error loading encryption key to "READ" Volume "TestVolume001":
                   ERR=got error message: "configuration file "/opt/bacula/etc/key-manager.conf" has no section "C0EC224C0EEB362AC3B0D7089887EA8A0F5B859E""

When you use the wrong passphrase:

bacula-sd JobId 7: Fatal error: [SF3993] Error loading encryption key to "READ" Volume "TestVolume001":
                   ERR=got error message: "decryption error for volume "TestVolume001": gpgme_op_decrypt_verify: GnuPG: No secret key"
bacula-sd JobId 7: Warning: acquire.c:277 Read acquire: [SF3993] Error loading encryption key to "READ" Volume "TestVolume001":
                   ERR=got error message: "decryption error for volume "TestVolume001": gpgme_op_decrypt_verify: GnuPG: No secret key"

More details on the gpg-connect-agent and gpg-preset-passphrase utilities are available at: https://gnupg.org/documentation/manuals/gnupg-2.0/Helper-Tools.html
