Bacula: Protegendo seu Backup com o Bacula (Protecting your Backup with Bacula)

Speaker: Ana Emília Machado de Arruda
Bacula Backup-Pt-Br / bacula-users / bacula-devel / bacula-users-es

12ª Conferencia Latino-americana de Software Livre (12th Latin American Free Software Conference)

Source: bacula.us/wp-content/uploads/2015/10/PalestraAna2015.pdf

Protecting your backup with Bacula

✔ Security goals

✗ Authentication

✗ Availability

✗ Confidentiality

✗ Integrity

✗ Authenticity

✗ Non-repudiation


Protecting your backup with Bacula

✔ Communications encryption

✔ Data encryption (volumes)

✔ OpenSSL

✔ Public Key Infrastructure (PKI)


Data Encryption

✔ File daemon PKI data encryption

✔ Metadata is not encrypted

✔ Symmetric Encryption:
  - 128 (default), 192, and 256-bit AES-CBC
  - Blowfish-CBC

✔ Asymmetric Encryption (used to encrypt session keys):
  - RSA

✔ Message Digest algorithms:
  - MD5
  - SHA1, SHA256, SHA512


Data Encryption

Master(s) key(s):

✔ used to decrypt any backups should the File Daemon key be lost

✔ you can have any number

✔ master private key should not be stored on the client machine

✔ should be backed up to a secure location

✔ should never be kept on the same machine as the Storage Daemon or Director

To decrypt with the master key (File Daemon key lost), build a keypair from it and point the restoring File Daemon's PKI Keypair at it:

    cat master.key master.crt > master.keypair

    PKI Keypair = master.keypair


Data Encryption

✔ Generate the self-signed root CA certificate:

    openssl genrsa -out ca.key 4096

    openssl req -x509 -new -extensions v3_ca \
        -days 3650 -key ca.key -out ca.crt \
        -config /opt/bacula/certs/openssl.cnf


Data Encryption

✔ Generate a Master Key Pair:

(at file daemon host)

    openssl genrsa -aes256 \
        -out master.crypto.key 2048

    openssl req -new -key master.crypto.key \
        -out master.csr -extensions v3_req \
        -config /opt/bacula/certs/openssl.cnf

(send master.csr to your CA for signing)

(at CA host)

    openssl x509 -req -days 365 -in master.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out master.crt \
        -extfile /opt/bacula/certs/openssl.cnf


Data Encryption

✔ Generate a File Daemon Key Pair for each FD:

(at file daemon host)

    openssl genrsa -aes256 \
        -out client1.crypto.key 2048

    openssl req -new -key client1.crypto.key \
        -out client1.csr -extensions v3_req \
        -config /opt/bacula/certs/openssl.cnf

(send client1.csr to your CA for signing)

(at CA host)

    openssl x509 -req -days 365 -in client1.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out client1.crt \
        -extfile /opt/bacula/certs/openssl.cnf


Data Encryption

✔ Remove passphrase from private keys:

    openssl rsa -in master.crypto.key \
        -out master.key

    openssl rsa -in client1.crypto.key \
        -out client1.key

✔ Generate master and client PKI keypair:

    cat master.key master.crt > master.pem

    cat client1.key client1.crt > client1.pem
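The whole key workflow of the preceding slides (root CA, master key pair, one File Daemon key pair, passphrase removal, key+certificate .pem files) can be run end to end and checked before anything is copied to /etc/bacula. The script below is an added example, not code from the slides or from the Bacula project. It assumes `openssl` is on PATH, writes its own minimal openssl.cnf with the v3_ca and v3_req sections the Tips refer to, and uses a constructed passphrase and constructed subject names.

```shell
#!/bin/sh
# Added example (not from the slides or from Bacula): the data-encryption key
# workflow run non-interactively in a scratch directory, then checked.
# Assumptions: `openssl` on PATH; the passphrase, subject names and the
# minimal openssl.cnf written below are constructed placeholders.

PASS="constructed-demo-passphrase"

# Minimal openssl.cnf carrying the v3_ca and v3_req sections the tips rely on.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Self-signed root CA: 4096-bit key, 10-year certificate.
make_ca() {
    openssl genrsa -out ca.key 4096 2>/dev/null || return 1
    openssl req -x509 -new -extensions v3_ca -days 3650 -key ca.key \
        -out ca.crt -config openssl.cnf -subj "/CN=Bacula Demo Root CA" || return 1
}

# One key pair: passphrase-protected key and CSR (FD host), signing (CA host),
# passphrase removal and the key+cert .pem that bacula-fd reads.
# -reqexts names the CSR extension section (the slides write -extensions);
# the CA serial option is -CAcreateserial and is case-sensitive.
issue_keypair() {      # $1 = name (master, client1, ...), $2 = subject CN
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$1.crypto.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$1.crypto.key" -passin "pass:$PASS" -out "$1.csr" \
        -reqexts v3_req -config openssl.cnf -subj "/CN=$2" || return 1
    openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -extfile openssl.cnf -extensions v3_req 2>/dev/null || return 1
    openssl rsa -in "$1.crypto.key" -passin "pass:$PASS" -out "$1.key" 2>/dev/null || return 1
    cat "$1.key" "$1.crt" > "$1.pem" || return 1
    chmod 640 "$1.key" "$1.pem"
}

# Pre-deployment checks: every certificate chains to ca.crt, each .pem holds a
# key matching its certificate, the leaf certificates are not CAs, and
# master.crt (the only master file that may go to a client) carries no key.
check_pki() {
    openssl verify -CAfile ca.crt master.crt client1.crt >/dev/null || return 1
    for name in master client1; do
        grep -q "BEGIN CERTIFICATE" "$name.pem" || return 1
        grep -q "PRIVATE KEY" "$name.pem" || return 1
        [ "$(openssl x509 -noout -modulus -in "$name.crt")" = \
          "$(openssl rsa -noout -modulus -in "$name.key" 2>/dev/null)" ] || return 1
        openssl x509 -noout -text -in "$name.crt" | grep -q "CA:FALSE" || return 1
    done
    if grep -q "PRIVATE KEY" master.crt; then return 1; fi
    return 0
}

# Run the whole workflow inside directory $1; returns 0 on success, 1 on failure.
build_bacula_pki() {
    ( cd "$1" || exit 1
      write_openssl_cnf openssl.cnf || exit 1
      make_ca || exit 1
      issue_keypair master "Bacula Master Key" || exit 1
      issue_keypair client1 "client1.example.com" || exit 1
      check_pki )
}

# Stand-alone use: sh build-bacula-pki.sh --run
if [ "${1:-}" = "--run" ]; then
    scratch=$(mktemp -d) && build_bacula_pki "$scratch" && ls -l "$scratch"
fi
```

After a successful run, client1.pem goes to the File Daemon as PKI Keypair and master.crt as PKI Master Key; master.key and master.pem stay off the client entirely.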


bacula-fd.conf

    FileDaemon {
      Name = example-fd
      FDport = 9102
      WorkingDirectory = /var/bacula/working
      Pid Directory = /var/run
      Maximum Concurrent Jobs = 20
      PKI Signatures = Yes        # Enable Data Signing
      PKI Encryption = Yes        # Enable Data Encryption
      PKI Cipher = AES256         # Since 7.0, specify cipher
      # Public and Private Keys
      PKI Keypair = "/etc/bacula/client1.pem"
      # ONLY the Public Key
      PKI Master Key = "/etc/bacula/master.crt"
    }


Communications Encryption

TLS/SSL – communications encryption

✔ Client/Server TLS Requirement Negotiation

✔ TLSv1 connections with server and client certificate validation

✔ Forward secrecy support via Diffie-Hellman Ephemeral (EDH) keying


Communications Encryption

✔ TLS_method(void): the TLS/SSL connection may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols (TLSv1.3 is a draft as of September 2015).

✔ ./configure --with-openssl

✔ Binary packages are built with OpenSSL


Communications Encryption

✔ TLS directives

  TLS Enable
  TLS Require
  TLS Certificate
  TLS Key
  TLS DH File
  TLS Verify Peer
  TLS Allowed CN
  TLS CA Certificate File
  TLS CA Certificate Dir


Communications Encryption

✔ The TLS CA Certificate Dir (CApath) directory must be in "hash format":

    root@director:/opt/bacula/certs/cacerts# ls
    ca1.crt  ca.crt
    root@director:/opt/bacula/certs/cacerts# c_rehash ./
    Doing ./
    ca1.crt => db049f96.0
    ca1.crt => 49c071da.0
    ca.crt => e03a76f6.0
    ca.crt => 50d37b24.0
    root@director:/opt/bacula/certs/cacerts# ls
    49c071da.0  ca1.crt  db049f96.0
    50d37b24.0  ca.crt   e03a76f6.0


Tips

✔ Try to use different public/private key pairs for TLS/SSL communications and data encryption

✔ If you have your own CA, protect it

✔ Use 2048- or 4096-bit private keys

✔ Protect all the public/private key pairs involved

✗ chown root:bacula master.crt client1.pem

✗ chmod 640 master.crt client1.pem
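The master-key rules, the bacula-fd.conf example and the tips above (key files owned root:bacula with mode 640, only master.crt on the client, TLS verification backed by a CA file or directory) can be turned into an audit script that is run on each File Daemon host. The script below is an added example, not code from the slides or from the Bacula project. It assumes the `FileDaemon { Name = value }` resource syntax shown on the slides, that Bacula ignores case and whitespace in directive names, and its demo() uses constructed placeholder PEM files and paths in a temporary directory.

```python
"""Audit the PKI and TLS directives of a bacula-fd.conf against the talk's
checklist.  Added example, not code from the slides or from Bacula.
Assumptions: FileDaemon resource syntax as on the slides; directive names are
matched case- and whitespace-insensitively; demo() writes constructed
placeholder PEM files (not real keys) into a temporary directory."""
import os
import re
import stat
import tempfile
from pathlib import Path


def parse_resource(text, resource="FileDaemon"):
    """Return {normalised_directive: value} for the first `resource { ... }` block.
    'PKI Keypair', 'PKIKeypair' and 'pki keypair' all map to 'pkikeypair'."""
    match = re.search(r"\b%s\s*\{(.*?)\}" % re.escape(resource), text, re.S)
    if not match:
        raise ValueError("no %s resource found" % resource)
    directives = {}
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[re.sub(r"\s+", "", key).lower()] = value.strip().strip('"')
    return directives


def pem_labels(path):
    """Set of PEM block labels in a file, e.g. {'RSA PRIVATE KEY', 'CERTIFICATE'}."""
    return set(re.findall(r"-----BEGIN ([A-Z ]+)-----", Path(path).read_text()))


def permission_findings(path):
    """Flag files accessible to 'other'; the talk recommends root:bacula, mode 640."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return ["%s is world-accessible (mode %o); chmod 640 it" % (path, mode)]
    return []


def enabled(directives, name):
    return directives.get(name, "no").lower() in ("yes", "true")


def audit_fd_config(conf_path):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_resource(Path(conf_path).read_text())
    findings = []
    if not enabled(d, "pkiencryption"):
        findings.append("PKI Encryption is not enabled; volumes hold plaintext file data")
    if not enabled(d, "pkisignatures"):
        findings.append("PKI Signatures is not enabled; restored data is not signature-checked")
    keypair = d.get("pkikeypair")
    if not keypair:
        findings.append("PKI Keypair is missing")
    else:
        labels = pem_labels(keypair)
        if "CERTIFICATE" not in labels or not any("PRIVATE KEY" in l for l in labels):
            findings.append("PKI Keypair must contain both the FD private key and its certificate")
        findings += permission_findings(keypair)
    master = d.get("pkimasterkey")
    if not master:
        findings.append("PKI Master Key is missing; backups are unrecoverable if the FD key is lost")
    else:
        if any("PRIVATE KEY" in l for l in pem_labels(master)):
            findings.append("PKI Master Key file holds a private key; only master.crt belongs on the client")
        findings += permission_findings(master)
    if enabled(d, "tlsenable"):
        if not enabled(d, "tlsrequire"):
            findings.append("TLS Enable without TLS Require still accepts unencrypted peers")
        if enabled(d, "tlsverifypeer") and not (d.get("tlscacertificatefile") or d.get("tlscacertificatedir")):
            findings.append("TLS Verify Peer needs TLS CA Certificate File or TLS CA Certificate Dir")
    return findings


# Constructed placeholders: PEM framing only, no real key or certificate material.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
FAKE_CRT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
CONF_TEMPLATE = """FileDaemon {
  Name = example-fd
  FDport = 9102
  PKI Signatures = Yes          # Enable Data Signing
  PKI Encryption = Yes          # Enable Data Encryption
  PKI Cipher = AES256
  PKI Keypair = "%(keypair)s"
  PKI Master Key = "%(master)s"
  TLS Enable = yes
  TLS Require = %(require)s
  TLS Verify Peer = yes
  TLS CA Certificate Dir = /opt/bacula/certs/cacerts
}
"""


def demo():
    """Build a compliant and a non-compliant FD setup; return both finding lists."""
    root = Path(tempfile.mkdtemp())

    def write(name, content, mode):
        path = root / name
        path.write_text(content)
        os.chmod(path, mode)
        return str(path)

    good_pair = write("client1.pem", FAKE_KEY + FAKE_CRT, 0o640)
    good_master = write("master.crt", FAKE_CRT, 0o640)
    bad_pair = write("client2.pem", FAKE_KEY + FAKE_CRT, 0o644)   # world-readable
    bad_master = write("master.pem", FAKE_KEY + FAKE_CRT, 0o640)  # master private key on the client
    good_conf = write("good-fd.conf", CONF_TEMPLATE % dict(keypair=good_pair, master=good_master, require="yes"), 0o640)
    bad_conf = write("bad-fd.conf", CONF_TEMPLATE % dict(keypair=bad_pair, master=bad_master, require="no"), 0o640)
    return audit_fd_config(good_conf), audit_fd_config(bad_conf)


if __name__ == "__main__":
    good, bad = demo()
    print("good-fd.conf:", good or "no findings")
    for finding in bad:
        print("bad-fd.conf:", finding)
```

Run it against a real bacula-fd.conf with `audit_fd_config("/etc/bacula/bacula-fd.conf")`; the demo's bad configuration produces exactly three findings (world-readable keypair, master private key present, TLS not required).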

Tips

✔ Run tests with your public/private key pairs

✗ server side (in this case a host running a file daemon):

    openssl s_server -accept 9102 \
        -key client2.example.com.key \
        -cert client2.example.com.crt \
        -CApath /opt/bacula/certs/cacerts/ -Verify 0

✗ client side (in this case, a director that issues a status client from bconsole):

    openssl s_client \
        -connect client2.example.com:9102 \
        -key director.example.com.key \
        -cert director.example.com.crt \
        -CApath /opt/bacula/certs/cacerts/


Tips

✔ use x509v3 certificates

✔ copy your openssl.cnf to a known directory (/opt/bacula/certs/) and do the necessary modifications for enabling v3 certificates issuing.

✔ use the openssl -extensions v3_ca option (CA certificate) and -extensions v3_req option (CSRs) when generating certificates and csr files

✔ use openssl -config /opt/bacula/certs/openssl.cnf with your customizations when issuing certificates

Questions?

Contact:

[email protected]
