Storage Daemon Data Volume Encryption
The Storage Daemon is responsible for encrypting the data stored in a Bacula Volume, using the
Encryption Command specified in the Storage resource of the Storage Daemon configuration.
Each time a new Volume is initialized or mounted on a device with encryption enabled,
the Storage Daemon invokes the Encryption Command. A simple but fully functional
example script, key-manager.py, is provided to assist in managing Volume encryption keys.
You can modify the script or write your own; the script is extensively commented to explain how it works.
Bacula uses symmetric keys to encrypt the Volumes, meaning that the same key is used for both
encryption and decryption of the Volume’s content. To improve security, each Volume is
encrypted using a different key. The key-manager.py script generates and provides these keys to
the Storage Daemon when needed. A new key must be generated for every new Volume and every
time a Volume is recycled, which can lead to a large number of key files that need to be
managed and securely stored.
To streamline this process, Storage Encryption can use a Master Key, implemented as a
public/private key pair. The key-manager.py script uses GnuPG to implement this Master Key feature.
Each symmetric key is encrypted with the Master Key and stored in the header of its Volume,
so the symmetric keys no longer need to be stored separately.
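The key lifecycle described above, as an added example that is not part of the Bacula documentation or of key-manager.py. It is written in Go with a standard-library RSA key pair standing in for the GnuPG Master Key, and `VolumeHeader`, `KeyManager`, `NewVolumeKey`, `UnwrapVolumeKey` and `RoundTrip` are names chosen for this illustration, not Bacula interfaces. A new or recycled Volume gets a fresh random symmetric key, the key is wrapped to the Master public key and kept in the Volume header, and at mount time only the Master private key can recover it; the Volume name is bound into the wrap so a header copied onto another Volume does not unwrap.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// VolumeHeader stands in for the part of a Volume header that carries the
// Master-Key-wrapped symmetric key. Constructed for this example; it is not
// Bacula's on-media layout.
type VolumeHeader struct {
	VolumeName string
	WrappedKey []byte // per-Volume key encrypted to the Master public key
}

// KeyManager plays the role of the Encryption Command. The RSA key pair is a
// stand-in for the GnuPG Master Key (assumption: in practice the private key
// lives in a keyring or KMS, not in the Storage Daemon process).
type KeyManager struct {
	master *rsa.PrivateKey
}

func NewKeyManager(bits int) (*KeyManager, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyManager{master: k}, nil
}

// NewVolumeKey is the new-Volume / recycle path: a fresh random 256-bit key
// plus a header holding that key wrapped with RSA-OAEP. The OAEP label is the
// Volume name, so a header copied from another Volume will not unwrap.
func (m *KeyManager) NewVolumeKey(vol string) ([]byte, VolumeHeader, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, VolumeHeader{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &m.master.PublicKey, key, []byte(vol))
	if err != nil {
		return nil, VolumeHeader{}, err
	}
	return key, VolumeHeader{VolumeName: vol, WrappedKey: wrapped}, nil
}

// UnwrapVolumeKey is the mount path: recover the symmetric key from the header
// alone, so the plaintext key never has to be stored on its own.
func (m *KeyManager) UnwrapVolumeKey(h VolumeHeader) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, m.master, h.WrappedKey, []byte(h.VolumeName))
}

// SealBlock / OpenBlock stand in for the Storage Daemon encrypting and
// decrypting Volume data with the symmetric key (AES-256-GCM, nonce prefixed).
func SealBlock(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func OpenBlock(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("block too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip exercises the lifecycle on constructed data: write under a new
// key, recover the key from the header, read back, recycle to a new key, and
// reject a header relabelled with another Volume name. Returns true when all hold.
func RoundTrip() (bool, error) {
	km, err := NewKeyManager(2048)
	if err != nil {
		return false, err
	}
	key1, hdr, err := km.NewVolumeKey("Vol0001")
	if err != nil {
		return false, err
	}
	blob, err := SealBlock(key1, []byte("constructed backup data"))
	if err != nil {
		return false, err
	}
	recovered, err := km.UnwrapVolumeKey(hdr)
	if err != nil || !bytes.Equal(recovered, key1) {
		return false, fmt.Errorf("unwrap failed: %v", err)
	}
	if plain, err := OpenBlock(recovered, blob); err != nil || string(plain) != "constructed backup data" {
		return false, fmt.Errorf("open failed: %v", err)
	}
	key2, _, err := km.NewVolumeKey("Vol0001") // recycle: must yield a fresh key
	if err != nil || bytes.Equal(key1, key2) {
		return false, errors.New("recycled Volume reused its key")
	}
	forged := VolumeHeader{VolumeName: "Vol0002", WrappedKey: hdr.WrappedKey}
	if _, err := km.UnwrapVolumeKey(forged); err == nil {
		return false, errors.New("header accepted under the wrong Volume name")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("round trip ok:", ok, err)
}
```

The design point to carry over to a real Encryption Command is that the header holds only the wrapped key: losing the header and the Master private key together loses the data, while exposure of a header alone reveals nothing, which is why the Master private key needs stricter handling than the Volumes themselves.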
Note
If Data Spooling is enabled, the data located in the specified Spool Directory is not subject to encryption.
Note
There is little advantage in using Storage Encryption with Dedup devices if you don’t also encrypt the data stored by the Dedupengine. The data in the dedup volumes consists only of references that include sizes and hashes of the chunk values. Only the filename and the file attributes could be secured by this feature alone.
Important
Ensure that the spooled data is not saved on insecure storage.