Encryption Command


A directive has been introduced in the Storage resource of the Storage Daemon:

Encryption Command = <command>

The command specifies an external program that must provide the keys used to encrypt the Volumes.

The Storage Daemon invokes the Encryption Command each time a new Volume is either initialized or mounted on a device that has encryption enabled. We offer a straightforward example script designed to assist in the management of Volume encryption keys.

An example of the Encryption Command setting within the Storage resource in the Storage Daemon configuration is as follows:

Encryption Command = "/opt/bacula/scripts/key-manager.py getkey"

Important

The command is limited to 127 characters. The variable substitutions applicable to the Autochanger Command can also be utilized in the script.

The program can serve as an interface with your existing key management system or independently manage keys.

The sample script named key-manager.py can be installed through the bacula-enterprise-storage-key-manager package, which will place it in the /opt/bacula/scripts directory. Additionally, the install-key-manager.sh script, also part of the bacula-enterprise-storage-key-manager package, is designed to assist in setting up a Master Key:

# sudo -u bacula /opt/bacula/scripts/install-key-manager.sh check

# sudo -u bacula /opt/bacula/scripts/install-key-manager.sh install

Note that the install part generates a 2048-bit key and this may take some time on machines with low entropy, such as CentOS 7. On such machines, it is recommended to install the rng-tools package.

Below is the help message from the key-manager.py script:

usage: key-manager.py.in getkey [-h] [--key-dir DIRECTORY] [--config CONFIG] [--log LOGFILE] [--debug] [--verbose] [--interactive] [--cipher CIPHER]

Retrieve a key

options:
  -h, --help            show this help message and exit
  --key-dir DIRECTORY, -k DIRECTORY
                        the directory where to store the keys
  --config CONFIG, -C CONFIG
                        the configuration file
  --log LOGFILE         setup the logfile
  --debug, -d           set logging level to DEBUG
  --verbose, -v         set logging level to INFO
  --cipher CIPHER, -c CIPHER
                        set the default cipher in NULL, AES_128_XTS, AES_256_XTS

The script accepts a single subcommand, getkey.

  • key-dir is the directory where symmetric keys are stored. The default is the /opt/bacula/etc/keydir directory.

  • config is the configuration file; the default is /opt/bacula/etc/key-manager.conf. If specified, the file must exist. If not specified, the default file is used if it exists.

  • log defines the location of the log files, the default is /opt/bacula/working/key-manager.log. By default only errors and warnings are logged.

  • debug increases logging level to DEBUG.

  • verbose increases logging level to INFO.

  • cipher is the cipher that Bacula must use. Bacula supports the following ciphers: AES_128_XTS and AES_256_XTS. The key length varies depending on the selected cipher, but the size of the data does not change. The NULL cipher does not modify the data and is intended only for testing. By default, the script uses the AES_128_XTS cipher.

For example, to use the AES_256_XTS cipher, use:

Encryption Command = "/opt/bacula/scripts/key-manager.py getkey --cipher AES_256_XTS"
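As an added illustration of what a program behind Encryption Command has to get right (this is not the key-manager.py shipped in the bacula-enterprise-storage-key-manager package): the amount of key material each cipher needs, a key that stays the same every time the same Volume is mounted, and key files only the bacula user can read. The key-dir layout, the key file names and the reply printed for the Storage Daemon are assumptions.

```python
# Added example, not the package's key-manager.py. Hypothetical: key file naming,
# key-dir layout and the stdout reply format (the real protocol is not shown here).
import base64
import os
import re
import sys
import tempfile

# XTS consumes two AES keys, so key material is twice the AES key size.
KEY_BYTES = {"NULL": 0, "AES_128_XTS": 32, "AES_256_XTS": 64}

def key_length_for(cipher: str) -> int:
    """Bytes of key material the cipher needs; rejects ciphers Bacula does not support."""
    if cipher not in KEY_BYTES:
        raise ValueError(f"unsupported cipher {cipher!r}, expected one of {sorted(KEY_BYTES)}")
    return KEY_BYTES[cipher]

def get_or_create_key(key_dir: str, volume: str, cipher: str) -> bytes:
    """Return the Volume's key, generating and storing it (mode 0600) on first use.
    Returning the stored key on later mounts keeps an already-written Volume readable."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", volume):
        raise ValueError("Volume name must be a plain filename")  # keeps keys inside key_dir
    length = key_length_for(cipher)
    if length == 0:
        return b""  # NULL cipher: nothing to store
    os.makedirs(key_dir, mode=0o700, exist_ok=True)
    path = os.path.join(key_dir, f"{volume}.{cipher}.key")  # hypothetical naming
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # owner-only
    except FileExistsError:
        with open(path, "rb") as f:
            key = f.read()
        if len(key) != length:
            raise RuntimeError(f"{path} holds {len(key)} bytes, expected {length}")
        return key
    key = os.urandom(length)  # CSPRNG-generated key material
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key

def render_reply(cipher: str, key: bytes) -> str:
    """Hypothetical reply format for the Storage Daemon (an assumption, not Bacula's)."""
    return f"cipher: {cipher}\nkey: {base64.b64encode(key).decode()}\n"

def demo() -> dict:
    """Exercise the store in a throwaway key-dir: lengths, re-use across mounts, file mode."""
    with tempfile.TemporaryDirectory() as key_dir:
        k1 = get_or_create_key(key_dir, "Vol0001", "AES_256_XTS")
        k2 = get_or_create_key(key_dir, "Vol0001", "AES_256_XTS")  # second mount, same key
        k3 = get_or_create_key(key_dir, "Vol0002", "AES_128_XTS")
        mode = os.stat(os.path.join(key_dir, "Vol0001.AES_256_XTS.key")).st_mode & 0o777
        return {"len256": len(k1), "len128": len(k3), "reused": k1 == k2,
                "distinct": k1 != k3, "mode": oct(mode)}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:  # usage: script.py VOLUME [CIPHER]
        cipher = sys.argv[2] if len(sys.argv) > 2 else "AES_128_XTS"
        sys.stdout.write(render_reply(cipher, get_or_create_key("/opt/bacula/etc/keydir", sys.argv[1], cipher)))
```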
