Security Features

The following article presents the security features of Bacula.

Bacula is a solution known by its especially strong security standards that allow not only to keep data safe, but also all the infrastructure around it. Because of its modern and advanced security features, Bacula is relied on by many of the largest government and defence organizations. Some more details about security related features are presented below:

• Distributed and isolated architecture with limited privileges among each component

• FIPS 140-2 compliance

• Automatic encryption for all network communications (can be turned off or modified with custom certificates)

• Verification of files previously catalogued:

  • File integrity purposes to detect silent data corruption

  • System break-in detection (Tripwire-like capability)

• CRAM-MD5 password authentication between each component (daemon)

• Configurable Data encryption at rest on a Client by Client basis

• Configurable Data encryption at rest globally at Storage Daemon level

• Computation of MD5, SHA1, SHA256 or SHA512 signatures of the file data

• Immutable disk volume feature for Linux based storage destinations

• Immutable NAS Support (Netapp SnapLock, DataDomain RetentionLock or HPE StoreOnce Catalyst among others)

• Immutable tape support (WORM)

• Immutable cloud support (S3 ObjectLock, Azure Blob immutable)

• Connectivity to Active Directory or LDAP services to protect access

• 2-Factor authentication through One-Time Password (OTP), allowing use of smartphones with bio-metric functions to access Bacula’s web GUI

• Advanced Ransomware protection tools, such as:

  • Security module to detect vulnerabilities, bad configurations, missing updates and many other threats on Windows and Linux

  • Automatic malware protection by known hash checking for backup, restore and verify processes

  • Antivirus Plugin to detect malware on stored data

  • BGuardian Plugin to automate security analysis for backups, detecting issues and providing detailed reports and alerts

• Advanced File Daemon restriction mechanisms to limit backup, restore or scripts scope by path, user or group id

• Monitoring integrations with SNMP and Security Information and Event Management (SIEM) Systems

• Agnostic N-Tier backup support including offsite and/or cloud copies.

• Backup poisoning detection (described here)

• Automatic security configuration assessment (described here)

• Console Directory authentication (ldap/ad director connector through Bacula Pluggable Authentication Module).

• Auditory logging (through Event Messages)

• User Role Base Access capabilities through resource ACLs

See also

Go back to:

• Core Features

Go to:

• Storage Destinations

• NAS and External Protection

• Endpoint Features

• Cloud and Virtualization

• Databases

• Supported Applications

Go back to the About Bacula Enterprise chapter.

Go back to the Bacula Enterprise Fundamentals chapter.