Bacula. Ana Emília Machado de Arruda. Protegendo seu Backup com o Bacula. Palestrante: Bacula Backup-Pt-Br/bacula-users/bacula-devel/bacula-users-es

Transcription

1 Bacula Protegendo seu Backup com o Bacula Palestrante: Ana Emília Machado de Arruda Bacula Backup-Pt-Br/bacula-users/bacula-devel/bacula-users-es

2 Protegendo seu backup com o Bacula Security goals Authentication Availability Confidentiality Integrity Authenticity Non-repudiation

3 Protegendo seu backup com o Bacula Communications encryption Data encryption (volumes) OpenSSL Public Key Infrastrutcture (PKI)

4 Data Encryption File daemon PKI data encryption Metadata is not encrypted Symmetric Encryption: (default), 192, and 256-bit AES-CBC - Blowfish-CBC Asymmetric Encryption (used to encrypt session keys): - RSA Message Digest algorithms: - MD5 - SHA1, SHA256, SHA512

5 Data Encryption Master(s) key(s): used to decrypt any backups should the File Daemon key be lost you can have any number master private key should not be stored on the client machine should be backed up to a secure location should never be kept on the same machine as the Storage Daemon or Director cat master.key master.crt > master.keypair PKI Keypair = master.keypair

6 Data Encryption Generate the self-signed root CA certificate: openssl genrsa -out ca.key 4096 openssl req -x509 -new -extensions v3_ca / -days key ca.key -out ca.crt / -config /opt/bacula/certs/openssl.cnf

7 Data Encryption Generate a Master Key Pair: (at file daemon host) openssl genrsa -aes256 \ -out master.crypto.key 2048 openssl req -new -key master.crypto.key \ -out master.csr -extensions v3_req \ -config /opt/bacula/certs/openssl.cnf (send master.csr to your CA for signing) (at CA host) openssl x509 -req -days 365 -in master.csr \ -CA ca.crt -CAkey ca.key -Cacreateserial \ -out master.crt \ -extfile /opt/bacula/certs/openssl.cnf

8 Data Encryption Generate a File Daemon Key Pair for each FD: (at file daemon host) openssl genrsa -aes256 \ -out client1.crypto.key 2048 openssl req -new -key client1.crypto.key \ -out client1.csr -extensions v3_req \ -config /opt/bacula/certs/openssl.cnf (send client1.csr to your CA for signing) (at CA host) openssl x509 -req -days 365 -in client1.csr \ -CA ca.crt -CAkey ca.key -Cacreateserial \ -out client1.crt \ -extfile /opt/bacula/certs/openssl.cnf

9 Data Encryption Remove passphrase from private keys: openssl rsa -in master.crypto.key \ -out master.key openssl rsa -in client1.crypto.key \ -out client1.key Generate master and client PKI keypair: cat master.key master.crt > master.pem cat client1.key client1.crt > client1.pem

10 bacula-fd.conf FileDaemon { Name = example-fd FDport = 9102 WorkingDirectory = /var/bacula/working Pid Directory = /var/run Maximum Concurrent Jobs = 20 PKI Signatures = Yes # Enable Data Signing PKI Encryption = Yes # Enable Data Encryption PKI Cipher = AES256 # Since 7.0, specify cipher # Public and Private Keys PKI Keypair = "/etc/bacula/client1.pem" # ONLY the Public Key PKI Master Key = "/etc/bacula/master.crt" }

11 Communications Encryption TLS/SSL communications encryption Client/Server TLS Requirement Negotiation TLSv1 Connections with Server and Client Certifcate Validation Forward Secrecy Support via Diffe-Hellman Ephemeral (EDH) Keying

12 Communications Encryption TLS_method(void): the TLS/SSL connection may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols (TLSv1.3 is a draft as of september 2015)../configure with-openssl Binary packages build with openssl

13 Communications Encryption TLS directives TLS Enable TLS Verify Peer TLS Require TLS Allowed CN TLS Certificate TLS CA Certificate File TLS Key TLS CA Certificate Dir TLS DH File

14 Communications Encryption TLS Certifcate CA Dir (CApath) directory must be in hash format ls ca1.crt ca.crt c_rehash./ Doing./ ca1.crt => db049f96.0 ca1.crt => 49c071da.0 ca.crt => e03a76f6.0 ca.crt => 50d37b24.0 ls 49c071da.0 ca1.crt db049f d37b24.0 ca.crt e03a76f6.0

15 Tips Try to use different public/private key pairs for TLS/SSL communications and data encryption If you have your own CA, protect her 2048 or 4096 private key length Protect all the public/private key pairs involved chown root:bacula master.crt client1.pem chmod 640 master.crt client1.pem

16 Tips Run tests with your public/private key pairs server side (in this case a host running a file daemon): openssl s_server -accept 9102 \ -key client2.example.com.key \ -cert client2.example.com.crt \ -CApath /opt/bacula/certs/cacerts/ Verify 0 client side (in this case, a director that issues a status client from bconsole): openssl s_client \ -connect client2.example.com:9102 \ -key director.example.com.key \ -cert director.example.com.crt \ -CApath /opt/bacula/certs/cacerts/

17 Tips use x509v3 certificates copy your openssl.cnf to a known directory (/opt/bacula/certs/) and do the necessary modifications for enabling v3 certificates issuing. use openssl -extensions v3_ca and -extensions v3_req options when generating csr files use openssl -config /opt/bacula/certs/openssl.cnf with your customizations when issuing certificates

18 Dúvidas? Contato: