20:12 Sun, 06 Nov 2005 PST -0800

Bacula Encryption - First Milestone Reached

File Daemon Signing Support Implemented

I just committed support for cryptographic signatures in the File Daemon. The signatures are stored using the ASN.1 syntax I previously outlined. The code supports multiple signers, but the configuration file only supports the specification of a single signing key. You can, however, specify multiple trusted public keys, and any signatures made with those keys will be accepted.

If you would like to play with the code (it should be fairly robust), it can be checked out via anonymous CVS. It may take some time for SourceForge's anonymous CVS servers to update.

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/bacula login
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/bacula co -r Branch-1_38-encryption -P bacula

Pass the --with-openssl flag to configure (Argument should be either 'yes' or the path to the OpenSSL library, eg /usr/local):

./configure --with-openssl=yes

The new configuration options are:

To generate a keypair, use the openssl(1) command.

First, create your private key (no passphrase):

 landonf@zadder:~> openssl genrsa -out key.pem 2048
 Generating RSA private key, 2048 bit long modulus
 e is 65537 (0x10001)

Next, create your self-signed certificate:

landonf@zadder:~> openssl req -new -out cert.pem -key key.pem
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:California
 Locality Name (eg, city) []:San Francisco
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organization, Ltd.
 Organizational Unit Name (eg, section) []:Example Working Group
 Common Name (eg, YOUR name) []:host.example.org
 Email Address []:backups@example.org
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Copy both certificate and key to a combined file:

 landonf@zadder:~> cat cert.pem key.pem >combined.pem

Here's an example configuration:

FileDaemon {
 Name = example-fd
 FDport = 9102                  # where we listen for the director
 WorkingDirectory = /var/bacula
 Pid Directory = /var/run
 Maximum Concurrent Jobs = 20
 PKI Signatures = Yes
 PKI Keypair = "/usr/local/etc/bacula/signing-keypair.pem"
 PKI Trusted Signer = "/usr/local/etc/bacula/signing-keypair-old.pem"

[/code/bacula] permanent link