I just committed support for cryptographic signatures in the File Daemon. The signatures are stored using the ASN.1 syntax I previously outlined. The code supports multiple signers, but the configuration file only supports the specification of a single signing key. You can, however, specify multiple trusted public keys, and any signatures made with those keys will be accepted.
If you would like to play with the code (it should be fairly robust), it can be checked out via anonymous CVS. It may take some time for SourceForge's anonymous CVS servers to update.
cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/bacula login
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/bacula co -r Branch-1_38-encryption -P bacula
Pass the --with-openssl flag to configure (the argument should be either 'yes' or the path to the OpenSSL installation, e.g. /usr/local):
./configure --with-openssl=yes
The new configuration options are:
To generate a keypair, use the openssl(1) command.
First, create your private key (no passphrase):
landonf@zadder:~> openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
..............................................................+++
e is 65537 (0x10001)
Next, create your self-signed certificate:
landonf@zadder:~> openssl req -new -out cert.pem -key key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organization, Ltd.
Organizational Unit Name (eg, section) []:Example Working Group
Common Name (eg, YOUR name) []:host.example.org
Email Address []:backups@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy both certificate and key to a combined file:
landonf@zadder:~> cat cert.pem key.pem >combined.pem
Here's an example configuration:
FileDaemon {
  Name = example-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20

  PKI Signatures = Yes
  PKI Keypair = "/usr/local/etc/bacula/signing-keypair.pem"
  PKI Trusted Signer = "/usr/local/etc/bacula/signing-keypair-old.pem"
}
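The following script is an added example, not code from the Bacula tree or from the post's author. It walks the keypair procedure above (key, self-signed certificate, combined PEM file) and then shows what the PKI Keypair / PKI Trusted Signer split in the example configuration means in practice: a signature made with the current keypair is accepted by the trusted files that correspond to it and by nothing else. Two points it assumes: it uses plain `openssl dgst` detached signatures as a stand-in for the File Daemon's ASN.1 signature records, and it passes `-x509` to `openssl req`, because `openssl req -new` on its own emits a certificate signing request rather than a certificate (the "extra attributes" prompts in the session above are the CSR prompts). All file names, the CN values and the payload are constructed for the example.

```shell
#!/bin/sh
# Added example (not Bacula's own code): build a File Daemon signing keypair,
# sign a constructed payload with it, and check which trusted files accept
# the signature. Plain "openssl dgst" signatures stand in for Bacula's
# ASN.1 signature format.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keypair NAME CN: write NAME-cert.pem, NAME-key.pem and combined NAME.pem
make_keypair() {
    # -x509 yields a self-signed certificate; "openssl req -new" alone yields a CSR
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
    # same shape as "cat cert.pem key.pem >combined.pem" in the post
    cat "$WORK/$1-cert.pem" "$WORK/$1-key.pem" > "$WORK/$1.pem"
}

# combined_file_ok FILE: succeed if FILE carries one certificate and one private key
combined_file_ok() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ] &&
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" -eq 1 ]
}

# keypair_matches FILE: succeed if the certificate's public key is the private key's public half
keypair_matches() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# sign_file KEYPAIR DATA SIG: detached SHA-256 RSA signature over DATA
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_file TRUSTED DATA SIG: succeed only if SIG was made with the key behind TRUSTED's certificate
verify_file() {
    openssl x509 -in "$1" -pubkey -noout > "$WORK/trusted-pub.pem"
    openssl dgst -sha256 -verify "$WORK/trusted-pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

# count_accepting DATA SIG TRUSTED...: number of trusted files that accept SIG
count_accepting() {
    data=$1; sig=$2; shift 2; n=0
    for t in "$@"; do verify_file "$t" "$data" "$sig" && n=$((n + 1)); done
    echo "$n"
}

main() {
    make_keypair signing host.example.org       # the PKI Keypair file
    make_keypair signing-old host.example.org   # a PKI Trusted Signer (previous key)
    make_keypair other other.example.org        # constructed: trusted nowhere
    combined_file_ok "$WORK/signing.pem" && keypair_matches "$WORK/signing.pem"

    printf 'constructed backup stream\n' > "$WORK/data"
    sign_file "$WORK/signing.pem" "$WORK/data" "$WORK/data.sig"
    sign_file "$WORK/other.pem" "$WORK/data" "$WORK/other.sig"

    trusted="$WORK/signing.pem $WORK/signing-old.pem"
    # shellcheck disable=SC2086  # word-splitting of $trusted is intended
    echo "trusted files accepting the current key's signature: $(count_accepting "$WORK/data" "$WORK/data.sig" $trusted)"
    echo "trusted files accepting an untrusted key's signature: $(count_accepting "$WORK/data" "$WORK/other.sig" $trusted)"
}

main
```

Run it with `sh` on a host that has openssl installed; the first count is 1 (only the current keypair's certificate verifies its own signature) and the second is 0. The same functions apply to a key rotation: generating a new keypair for PKI Keypair while the previous combined file stays listed as a PKI Trusted Signer is what keeps signatures made with the older key acceptable.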