Restore with data encryption?
Post Restore with data encryption? 
Hi all,

I do backups with data encryption. Backups as well as restores on the
clients work without problems.
Now I want to be able to do restores with the server (or another one)
only. The doc says that adding the following line would be enough.

PKI Keypair = "/etc/bacula/keys/master.keypair"

So my working bacula-fd.conf on the server looks like this (just the PKI
part):

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/keys/server-fd.pem"
PKI Master Key = "/etc/bacula/keys/master.cert"

Next I replaced server-fd.pem with master.keypair like mentioned in
the doc. I made the master.keypair accordingly.
That doesn't work. Neither putting the client-fd.pem in place.

I got this error:

Error: restore.c:944 Missing cryptographic signature
for /path/to/my/file

Thus the question is how to do a restore on a fd other than the one the
Backup was made with.

Thank you for enlightening me ;)

Oliver

_______________________________________________
Bacula-users mailing list
Bacula-users < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Post Restore with data encryption? 
On Mon, 19 Dec 2011 17:14:15 +0100, Oliver Hoffmann wrote:

Hi all,

I do backups with data encryption. Backups as well as restores on the
clients work without problems.
Now I want to be able to do restores with the server (or another one)
only. The doc says that adding the following line would be enough.

PKI Keypair = "/etc/bacula/keys/master.keypair"

So my working bacula-fd.conf on the server looks like this (just the PKI
part):

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/keys/server-fd.pem"
PKI Master Key = "/etc/bacula/keys/master.cert"

Next I replaced server-fd.pem with master.keypair like mentioned in the
doc. I made the master.keypair accordingly.
That doesn't work. Neither putting the client-fd.pem in place.

I got this error:

Error: restore.c:944 Missing cryptographic signature for
/path/to/my/file



I had problems restoring files from an encrypted backup if "Replace:
always" was not selected on the restore job.

But I do not remember the exact error message.

- Thomas



Post Restore with data encryption? 
On Mon, 19 Dec 2011 17:14:15 +0100, Oliver Hoffmann wrote:

Hi all,

I do backups with data encryption. Backups as well as restores on
the clients work without problems.
Now I want to be able to do restores with the server (or another
one) only. The doc says that adding the following line would be
enough.

PKI Keypair = "/etc/bacula/keys/master.keypair"

So my working bacula-fd.conf on the server looks like this (just
the PKI part):

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/keys/server-fd.pem"
PKI Master Key = "/etc/bacula/keys/master.cert"

Next I replaced server-fd.pem with master.keypair like mentioned in
the doc. I made the master.keypair accordingly.
That doesn't work. Neither putting the client-fd.pem in place.

I got this error:

Error: restore.c:944 Missing cryptographic signature for
/path/to/my/file



I had problems restoring files from an encrypted backup if "Replace:
always" was not selected on the restore job.

But I do not remember the exact error message.

- Thomas


Thanks for your reply. All my attempts had "Replace: always", because
it is default. The only way that works still is to have a file restored
on (and with) the client.
If I change from PKI Keypair = "/etc/bacula/keys/server-fd.pem" to PKI
Keypair = "/etc/bacula/keys/master.keypair" and do a restart of the FD,
I get:

Failed to load private key for File daemon "server-fd"
in /etc/bacula/bacula-fd.conf.

Oliver


Post Restore with data encryption? 
* On Mon, Dec 19 2011 at 17:14:15 +0100, Oliver Hoffmann wrote:
Hi all,

I do backups with data encryption. Backups as well as restores on the
clients work without problems.
Now I want to be able to do restores with the server (or another one)
only. The doc says that adding the following line would be enough.

PKI Keypair = "/etc/bacula/keys/master.keypair"

So my working bacula-fd.conf on the server looks like this (just the PKI
part):

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/keys/server-fd.pem"
PKI Master Key = "/etc/bacula/keys/master.cert"

Next I replaced server-fd.pem with master.keypair like mentioned in
the doc. I made the master.keypair accordingly.
That doesn't work. Neither putting the client-fd.pem in place.

I got this error:

Error: restore.c:944 Missing cryptographic signature
for /path/to/my/file

Thus the question is how to do a restore on a fd other than the one the
Backup was made with.

This looks correct. That is exactly the way we do it and it works.
Maybe your master.keypair is broken ? Does the output of
"openssl x509 -in /path/to/master.keypair -noout -text"
look good ? Is the private key in the keypair-file ?

Good luck,
Christoph


Thank you for enlightening me ;)

Oliver


--
Christoph Kluenter E-Mail: support < at > iphh.net
Technik Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH Fax: +49 (0)40 374919-29
Wendenstrasse 408 AG Hamburg, HRB 76071
D-20537 Hamburg Geschaeftsfuehrung: Axel G. Kroeger


Post Restore with data encryption? 
* On Mon, Dec 19 2011 at 17:14:15 +0100, Oliver Hoffmann wrote:
Hi all,

I do backups with data encryption. Backups as well as restores on
the clients work without problems.
Now I want to be able to do restores with the server (or another
one) only. The doc says that adding the following line would be
enough.

PKI Keypair = "/etc/bacula/keys/master.keypair"

So my working bacula-fd.conf on the server looks like this (just
the PKI part):

PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = "/etc/bacula/keys/server-fd.pem"
PKI Master Key = "/etc/bacula/keys/master.cert"

Next I replaced server-fd.pem with master.keypair like mentioned in
the doc. I made the master.keypair accordingly.
That doesn't work. Neither putting the client-fd.pem in place.

I got this error:

Error: restore.c:944 Missing cryptographic signature
for /path/to/my/file

Thus the question is how to do a restore on a fd other than the one
the Backup was made with.

This looks correct. That is exactly the way we do it and it works.
Maybe your master.keypair is broken ? Does the output of
"openssl x509 -in /path/to/master.keypair -noout -text"
look good ? Is the private key in the keypair-file ?

Good luck,
Christoph


Thank you for enlightening me ;)

Oliver


The keypair looks sane. I did 'cat master.key master.cert >
master.keypair' like written in the doc.

Well, I got it. The password of the master.key has to be removed!
Furthermore I saw that the keys are valid for 30 days only. Again the
doc concerning encryption is very lousy. Sorry to say that. Maybe
there'll be a more recent and complete version? At least of the TLS and
data encryption part.

Cheers,

Oliver
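
An added example, not part of the original thread or of Bacula itself: a shell function that checks a combined keypair file for the problems that came up above (missing private key, passphrase-protected key, short certificate validity) plus a key/certificate mismatch. The function name `check_keypair`, its return codes and the 30-day default threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check a combined key+certificate file before pointing
# "PKI Keypair" at it. check_keypair and its return codes are hypothetical.
# Usage: check_keypair FILE [MIN_DAYS_LEFT]
check_keypair() {
    f=$1
    min_days=${2:-30}

    # 1: the file must contain a certificate block.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "$f: no certificate"; return 1; }

    # 2: ... and a private key block (PKCS#8 or traditional RSA/EC).
    grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f" || {
        echo "$f: no private key"; return 2; }

    # 3: a passphrase-protected key is the case reported in this thread;
    #    both the PKCS#8 and the traditional PEM markers are checked.
    if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: private key is passphrase-protected"; return 3
    fi

    # 4: the public key derived from the private key must equal the one
    #    embedded in the certificate.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$f: private key does not match certificate"; return 4
    fi

    # 5: -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "$f: certificate expires within $min_days days"; return 5; }

    echo "$f: ok"
}

# Run the check when the script is called with arguments.
if [ $# -gt 0 ]; then
    check_keypair "$@"
fi
```

Because the key in such a keypair file is stored without a passphrase, the file's permissions are its only protection; keep it readable only by the user the file daemon runs as.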

