In some situations, you might want to run two instances of the Bareos File Daemon (bareos-fd) on a single client, one with data encryption enabled and one without. For example, you might want to encrypt only the backups that go to off-site storage, and keep local backups unencrypted for better storage deduplication and a lower risk of losing data along with a lost encryption key.

One way to do this is to run the encryption-enabled bareos-fd on a non-standard port 9104.

Procedure

Keys

  1. Set up a directory on the Bareos Director (or somewhere else secure) to contain the master and client keypairs.

    mkdir /etc/bareos/pki
    chmod 750 /etc/bareos/pki
    chown root:bareos /etc/bareos/pki
    
  2. Generate the master keypair.

    openssl genrsa -out master.key 2048
    openssl req -new -key master.key -x509 -out master-pub.cert
    
  3. Generate a client keypair and prepare a PEM file. The -config req_defaults.conf option points at an optional OpenSSL configuration file holding request defaults.

    openssl genrsa -out spot.example.org-enc-fd.key 2048
    openssl req -config req_defaults.conf -key spot.example.org-enc-fd.key -x509 -out spot.example.org-enc-fd.cert
    cat spot.example.org-enc-fd.key spot.example.org-enc-fd.cert > spot.example.org-enc-fd.pem
    chmod 600 spot.example.org-enc-fd.pem
    
  4. Copy master-pub.cert and the client PEM file to /etc/bareos-enc/pki on the client.

Client

Systemd Service

Assuming there is also an unencrypted bareos-fd running on this client, we’ll create a second configuration directory tree and systemd service. Otherwise, this can all be configured in the standard location.

  1. Install the bareos-filedaemon package.

  2. Make a copy of the standard configuration directory and its contents.

    cp -av /etc/bareos /etc/bareos-enc
    
  3. Create a directory for the keys.

    mkdir /etc/bareos-enc/pki
    chmod 750 /etc/bareos-enc/pki
    chown root:bareos /etc/bareos-enc/pki
    
  4. Copy master-pub.cert and the client PEM file into /etc/bareos-enc/pki.

  5. Make a copy of the default systemd unit file.

    1. Debian

      cp /usr/lib/systemd/system/bareos-filedaemon.service /etc/systemd/system/bareos-filedaemon-enc.service
      
    2. Fedora

      cp /usr/lib/systemd/system/bareos-fd.service /etc/systemd/system/bareos-fd-enc.service
      
  6. Edit the copied unit file, adding a parameter pointing to the new configuration directory.

    ExecStart=/usr/sbin/bareos-fd -c /etc/bareos-enc -f
    
  7. Also update Alias by adding -enc to the service name.

  8. Enable the new service.

    systemctl enable bareos-filedaemon-enc
    

Bareos Configuration

  1. Enable encryption and the alternate port number in /etc/bareos-enc/bareos-fd.d/client/myself.conf.

    Client {
      Name = spot.example.org-fd
      FD Port = 9104
    
      PKI Signatures = yes
      PKI Encryption = yes
      PKI Keypair    = "/etc/bareos-enc/pki/spot.example.org-enc-fd.pem"
      PKI Master Key = "/etc/bareos-enc/pki/master-pub.cert"
      PKI Cipher     = aes256
    }
    
  2. Enable connection from the Bareos Director to the File Daemon on the alternate port.

    1. Debian

      ufw allow from 172.16.0.156 proto tcp to any port 9104
      
    2. Fedora

      firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.16.0.156/32 port port=9104 protocol=tcp accept'
      firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.16.0.156/32 port port=9104 protocol=tcp accept' --permanent
      
  3. Add client using the Bareos console.

    configure add client name=spot.example.org-enc-fd address=172.16.0.125 port=9104 password=somepassword
    
  4. Add the MD5 hash to the client’s /etc/bareos-enc/bareos-fd.d/director/bareos-dir.conf.

  5. Start the File Daemon.

    systemctl start bareos-filedaemon-enc
    
  6. Test connection from the Director, and configure a backup job as usual.
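Before starting the File Daemon, a pre-flight check of /etc/bareos-enc/pki catches the usual mistakes: a PEM missing its certificate, a key and certificate from different runs, the master private key copied to the client by accident, or loose permissions. This is an added example, not part of the original post or of Bareos; it assumes openssl on the client and the file names used above.

```shell
#!/bin/sh
# Constructed pre-flight check for an encrypted-FD PKI directory (not part of
# the Bareos project). Assumes: openssl on PATH, and the layout used above:
#   <pki_dir>/<fd_name>.pem   = client private key + client certificate
#   <pki_dir>/master-pub.cert = master certificate only (no master private key)
# Returns 0 when consistent, 1 otherwise, printing each problem found.
check_fd_pki() {
  pki_dir="$1"   # e.g. /etc/bareos-enc/pki
  fd_name="$2"   # e.g. spot.example.org-enc-fd
  pem="$pki_dir/$fd_name.pem"
  master="$pki_dir/master-pub.cert"
  rc=0

  for f in "$pem" "$master"; do
    [ -f "$f" ] || { echo "missing: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # Step 3 above builds the PEM with "cat key cert"; both parts must be present.
  grep -q 'PRIVATE KEY-----' "$pem" || { echo "no private key in $pem"; rc=1; }
  grep -q 'BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate in $pem"; rc=1; }

  # Key and certificate must be a pair: derive the public key from each and compare.
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "private key and certificate in $pem do not match"; rc=1
  fi

  # master-pub.cert must be a certificate, and only the public half: the master
  # private key is the recovery path if a client key is lost, so it stays off the client.
  openssl x509 -in "$master" -noout 2>/dev/null || { echo "$master is not a certificate"; rc=1; }
  if grep -q 'PRIVATE KEY-----' "$master"; then
    echo "private key material found in $master"; rc=1
  fi

  # The PEM holds a private key: step 3 sets it to 0600, so reject anything wider.
  mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
  case "$mode" in
    600|400) ;;
    *) echo "$pem has mode $mode, expected 600"; rc=1 ;;
  esac

  return "$rc"
}
```

Run it as `check_fd_pki /etc/bareos-enc/pki spot.example.org-enc-fd && systemctl start bareos-filedaemon-enc` so the daemon only starts when the key material is consistent.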
