key-manager Script and Using Master Key

The task of the key manager script is to provide the symmetric keys to the Storage Daemon to encrypt and decrypt the Volumes.

The same symmetric key is used for both encryption and decryption of the Volume’s content. To improve security, each Volume is expected to be encrypted using a unique symmetric key. When needed, these keys must be generated for each new Volume or when an existing Volume is recycled. This process can lead to a large number of key files that need to be managed, which must also be backed up or securely stored. To know more about backing up the keys, click here.

The symmetric keys are stored in the key file in the key directory for each Volume.

It is possible to use a Master Key to avoid keeping all the symmetric keys for each Volume. The Master Key is implemented using a public/private key pair. Both the public and private keys can be stored in the Storage Daemon. The private key is secured with a passphrase. The public key is used to generate an encrypted version of the symmetric keys. An encrypted version of the symmetric key is stored in the Volume label and in the key directory when a Master Key is used.

Using a Master Key gives you a second chance to decrypt your data. You still have the symmetric key (cipher_key) in the key directory and the encrypted version of the symmetric key (enc_cipher_key) in the Volume and the key directory as well. The encrypted version can be combined with the Master Key and the passphrase to generate the cipher_key if the cipher_key is lost or when stealth mode is used.

If the symmetric key is not kept in the key file in the key directory, for example when the stealth option is used or if the key file in the key directory is lost, then the private key must be used to decrypt the encrypted key to be able to read the Volume.

Bacula must be able to access this private key to achieve its goal. The passphrase must be in clear text in the configuration file, or a secure agent holding the passphrase must be manually started by the administrator at every startup. This latter option maintains security if the server is stolen.

The encrypted symmetric keys, along with a unique identifier for the Master Key, are both stored in the Volume and in the key directory. In the key directory, enc_cipher_key is encoded in base64 format, while in the Volume it is stored in binary form.

At restore time, these two pieces of information and the Volume name are provided to the key-manager.py script which is responsible for delivering the correct symmetric key for data decryption.

It is possible to store the symmetric key encrypted in the Volume label and in the key directory by using the stealth mode.

The Master Key is intended to offer two primary benefits:

  • To be able to decrypt multiple Volumes using one, or a set of Master Keys

  • When the stealth mode is used, the symmetric key is securely stored in an encrypted format alongside the Master Key Id on disk. Consequently, any attempt to restore data without the private key becomes impossible. In the event of a server being compromised or stolen, unauthorized individuals will be unable to access your data.

The stealth mode can be configured in the key-manager.py script configuration file.

The key-manager.py script provided with Bacula uses GnuPG to manage the public/private key.
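The restore-time lookup order described above, as an added sketch that is not Bacula's own key-manager.py: use the plain cipher_key when the key file has it, otherwise decrypt enc_cipher_key with the Master Key private key through GnuPG. The "name: value" key file layout, the base64 encoding of cipher_key, and all function names are assumptions made for this example.

```python
import base64
import subprocess
import tempfile
from pathlib import Path

def gpg_decrypt(blob: bytes) -> bytes:
    # Assumes gpg-agent already holds the passphrase (the manually started
    # agent option); --batch makes gpg fail instead of prompting.
    result = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                            input=blob, capture_output=True, check=True)
    return result.stdout

def read_key_file(key_dir, volume: str) -> dict:
    """Parse the per-Volume key file (hypothetical 'name: value' layout)."""
    # The Volume name becomes a file name, so refuse path components.
    if not volume or volume in (".", "..") or "/" in volume or "\\" in volume:
        raise ValueError(f"unsafe volume name: {volume!r}")
    path = Path(key_dir) / volume
    if not path.is_file():
        return {}  # key file lost or never written
    fields = {}
    for line in path.read_text().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def resolve_cipher_key(key_dir, volume, label_enc_key=None, decrypt=gpg_decrypt):
    """Return the symmetric key for a Volume, preferring the plain copy."""
    fields = read_key_file(key_dir, volume)
    if "cipher_key" in fields:
        # Assumption: the plain key is stored as base64 text in the key file.
        return base64.b64decode(fields["cipher_key"], validate=True)
    # Stealth mode or lost key file: only the encrypted copy is left.
    enc = label_enc_key  # binary, as read from the Volume label
    if enc is None and "enc_cipher_key" in fields:
        enc = base64.b64decode(fields["enc_cipher_key"], validate=True)
    if enc is None:
        raise LookupError(f"no key material for volume {volume!r}")
    return decrypt(enc)

def demo():
    """Constructed sample: one normal Volume and one stealth-mode Volume."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Vol0001").write_text("cipher_key: " + base64.b64encode(b"k" * 32).decode())
        Path(d, "Vol0002").write_text("enc_cipher_key: " + base64.b64encode(b"sealed").decode())
        fake = lambda blob: blob[::-1]  # stand-in for gpg in this demo only
        return resolve_cipher_key(d, "Vol0001"), resolve_cipher_key(d, "Vol0002", decrypt=fake)
```
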

For further information regarding the key-manager.conf file and the implementation of the key-manager.py script, refer to the relevant documentation.
