Restoring an encrypted backup
Restoring an encrypted backup job follows the same process as restoring an unencrypted backup job. There are no additional parameters or changes required, and we have covered restoring backup jobs in previous articles.
From the log file, Bacula first decrypts the data, verifies the signature and then writes the data to the file. It’s also worth noting that the file is created first, before the data is decrypted and verified. I discuss this minor point in the next section.
Unencrypted file name information
As we saw from the log file and from the Wireshark snippets, Bacula does not encrypt file names. When encryption is enabled, the content of the file will be encrypted but the file name will be sent and stored unencrypted. I’m assuming that this is a design decision in order to allow the user on the Bacula server to select the files that should be restored. Since information can be learned based on file names this may be a concern to some users.
Error messages and issues
In this section, we look at some error messages that occurs when Bacula fails to restore an encrypted backup. What happens if you try to restore an encrypted backup with no keys? Bacula will allow the administrator to select the files that should be restored and the job will start. However, once the data is sent to the client, the restore will fail with the following error messages.
Now, assuming we generate a new set of keys from the same CA that issued the client’s keys. Then we change out the client’s keys with the new set of keys. If we try to restore using the new keys, we get the following error message.
Restoring using Master key
So, to restore a backup using the Master Key parameter, the master key and the certificate must be concatenated into one file. We did this step with the client keys a little earlier. The new “key pair” needs to be transferred to the client securely, and the PKI KeyPair parameter’s value changed to point to that file. Note that the same precautions must be taken with this file as with the original file as it contains a private key.
Then we save the bacula-fd.conf file, restart the Bacula client and run the restore as normal. This will only work if the Master Key parameter was specified when the backup was made.
In this article we looked at configuring and storing encrypted backups in Bacula. This is a useful feature when we perhaps don’t fully trust the storage server and there may be several reasons for this. The storage server might be a cloud service and there might be multiple users capable of accessing that server. Again, please be aware that when enabling encrypted backups, the user must ensure that the keys used to encrypt the backups are kept securely, preferably offline and offsite. There are no ways to restore a backup if the keys used for that backup is lost.
As always, any thoughts, comments or questions. Let me know in the comment section or drop me an email.