Transcript of bacula.us/wp-content/uploads/2015/10/PalestraAna2015.pdf (Bacula, 12ª Conferencia Latino-americana de Software Livre)
Protecting Your Backup with Bacula
Speaker: Ana Emília Machado de Arruda (Bacula Backup-Pt-Br / bacula-users / bacula-devel / bacula-users-es)
12ª Conferencia Latino-americana de Software Livre
Protecting your backup with Bacula
✔ Security goals
✗ Authentication
✗ Availability
✗ Confidentiality
✗ Integrity
✗ Authenticity
✗ Non-repudiation
Protecting your backup with Bacula
✔ Communications encryption
✔ Data encryption (volumes)
✔ OpenSSL
✔ Public Key Infrastructure (PKI)
Data Encryption
✔ File daemon PKI data encryption
✔ Metadata is not encrypted
✔ Symmetric encryption:
  - 128 (default), 192, and 256-bit AES-CBC
  - Blowfish-CBC
✔ Asymmetric encryption (used to encrypt session keys):
  - RSA
✔ Message digest algorithms:
  - MD5
  - SHA1, SHA256, SHA512
Data Encryption
Master key(s):
✔ used to decrypt any backups should the File Daemon key be lost
✔ you can have any number
✔ master private key should not be stored on the client machine
✔ should be backed up to a secure location
✔ should never be kept on the same machine as the Storage Daemon or Director
cat master.key master.crt > master.keypair
PKI Keypair = master.keypair
Data Encryption
✔ Generate the self-signed root CA certificate:
openssl genrsa -out ca.key 4096
openssl req -x509 -new -extensions v3_ca \
    -days 3650 -key ca.key -out ca.crt \
    -config /opt/bacula/certs/openssl.cnf
Data Encryption
✔ Generate a Master Key Pair:
(at file daemon host)
openssl genrsa -aes256 \
    -out master.crypto.key 2048
openssl req -new -key master.crypto.key \
    -out master.csr -extensions v3_req \
    -config /opt/bacula/certs/openssl.cnf
(send master.csr to your CA for signing)
(at CA host)
openssl x509 -req -days 365 -in master.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out master.crt \
    -extfile /opt/bacula/certs/openssl.cnf
Data Encryption
✔ Generate a File Daemon Key Pair for each FD:
(at file daemon host)
openssl genrsa -aes256 \
    -out client1.crypto.key 2048
openssl req -new -key client1.crypto.key \
    -out client1.csr -extensions v3_req \
    -config /opt/bacula/certs/openssl.cnf
(send client1.csr to your CA for signing)
(at CA host)
openssl x509 -req -days 365 -in client1.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client1.crt \
    -extfile /opt/bacula/certs/openssl.cnf
Data Encryption
✔ Remove the passphrase from the private keys:
openssl rsa -in master.crypto.key \
    -out master.key
openssl rsa -in client1.crypto.key \
    -out client1.key
✔ Generate the master and client PKI keypairs:
cat master.key master.crt > master.pem
cat client1.key client1.crt > client1.pem
bacula-fd.conf
FileDaemon {
  Name = example-fd
  FDport = 9102
  WorkingDirectory = /var/bacula/working
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  PKI Signatures = Yes                        # Enable Data Signing
  PKI Encryption = Yes                        # Enable Data Encryption
  PKI Cipher = AES256                         # Since 7.0, specify cipher
  # Public and Private Keys
  PKI Keypair = "/etc/bacula/client1.pem"
  # ONLY the Public Key
  PKI Master Key = "/etc/bacula/master.crt"
}
Communications Encryption
TLS/SSL: communications encryption
✔ Client/Server TLS Requirement Negotiation
✔ TLSv1 Connections with Server and Client Certificate Validation
✔ Forward Secrecy Support via Diffie-Hellman Ephemeral (EDH) Keying
Communications Encryption
✔ TLS_method(void): the TLS/SSL connection may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols (TLSv1.3 is a draft as of September 2015).
✔ ./configure --with-openssl
✔ Binary packages are built with OpenSSL
Communications Encryption
✔ TLS directives
TLS Enable
TLS Require
TLS Certificate
TLS Key
TLS DH File
TLS Verify Peer
TLS Allowed CN
TLS CA Certificate File
TLS CA Certificate Dir
Communications Encryption
✔ The TLS CA Certificate Dir (CApath) directory must be in "hash format"
root@director:/opt/bacula/certs/cacerts# ls
ca1.crt  ca.crt
root@director:/opt/bacula/certs/cacerts# c_rehash ./
Doing ./
ca1.crt => db049f96.0
ca1.crt => 49c071da.0
ca.crt => e03a76f6.0
ca.crt => 50d37b24.0
root@director:/opt/bacula/certs/cacerts# ls
49c071da.0  ca1.crt  db049f96.0
50d37b24.0  ca.crt   e03a76f6.0
Tips
✔ Try to use different public/private key pairs for TLS/SSL communications and data encryption
✔ If you have your own CA, protect it
✔ 2048 or 4096 private key length
✔ Protect all the public/private key pairs involved
✗ chown root:bacula master.crt client1.pem
✗ chmod 640 master.crt client1.pem
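As an added example (not from the talk or the Bacula project), a small Python audit of a FileDaemon resource like the bacula-fd.conf shown earlier against the advice on these slides: the keypair file must hold both the FD key and certificate, the passphrase must be removed, the client must hold only master.crt, and both files should be no wider than mode 0640. The resource parser, the PEM samples and the file-mode map are constructed for the example; Bacula's real parser is in C.

```python
import re

def parse_resource(text):
    """Parse one Bacula resource ('FileDaemon { Directive = value ... }'); '#' comments are dropped."""
    body = text[text.index("{") + 1:text.rindex("}")]
    directives = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            # Bacula matches directive names ignoring spaces and case
            directives[re.sub(r"\s+", "", key).lower()] = value.strip().strip('"')
    return directives

def check_pem(path, mode, pem, want_key):
    """Findings for one PKI file; want_key is True for the FD keypair, False for the master cert."""
    rules = [
        ("BEGIN CERTIFICATE" not in pem, "no certificate found"),
        (want_key and "PRIVATE KEY" not in pem, "must hold private key AND certificate (cat key crt > pem)"),
        (not want_key and "PRIVATE KEY" in pem, "holds the master private key; the client needs only master.crt"),
        ("ENCRYPTED" in pem, "private key is still passphrase-protected; the FD cannot prompt for it"),
        (bool(mode & 0o027), f"mode {mode:o} is wider than the recommended 0640"),
    ]
    return [f"{path}: {msg}" for bad, msg in rules if bad]

def audit_fd_pki(conf, files):
    """Audit a FileDaemon resource; `files` maps path -> (unix mode, PEM text) so nothing touches disk."""
    d, findings = parse_resource(conf), []
    for key, label in (("pkiencryption", "PKI Encryption"), ("pkisignatures", "PKI Signatures")):
        if d.get(key, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"{label} is not enabled")
    for key, label, want_key in (("pkikeypair", "PKI Keypair", True), ("pkimasterkey", "PKI Master Key", False)):
        path = d.get(key)
        if not path:
            findings.append(f"{label} is not set")
        else:
            findings += check_pem(path, *files.get(path, (0, "")), want_key)
    return findings

# Constructed sample data: the FD resource from the slides plus a good and a bad deployment.
FD_CONF = """FileDaemon {
  PKI Signatures = Yes                        # Enable Data Signing
  PKI Encryption = Yes                        # Enable Data Encryption
  PKI Keypair = "/etc/bacula/client1.pem"
  PKI Master Key = "/etc/bacula/master.crt"   # ONLY the public key
}"""
KEY = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n"
CRT = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
GOOD_FILES = {"/etc/bacula/client1.pem": (0o640, KEY + CRT), "/etc/bacula/master.crt": (0o640, CRT)}
# Wrong deployment: the whole master keypair copied to the client and left world-readable.
BAD_FILES = {"/etc/bacula/client1.pem": (0o640, KEY + CRT), "/etc/bacula/master.pem": (0o644, KEY + CRT)}
```

Running `audit_fd_pki(FD_CONF, GOOD_FILES)` returns no findings, while pointing PKI Master Key at master.pem with BAD_FILES reports both the exposed master private key and the over-wide mode.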
Tips
✔ Run tests with your public/private key pairs
✗ server side (in this case a host running a file daemon):
openssl s_server -accept 9102 \
    -key client2.example.com.key \
    -cert client2.example.com.crt \
    -CApath /opt/bacula/certs/cacerts/ \
    -Verify 0
✗ client side (in this case, a director that issues a status client from bconsole):
openssl s_client \
    -connect client2.example.com:9102 \
    -key director.example.com.key \
    -cert director.example.com.crt \
    -CApath /opt/bacula/certs/cacerts/
Tips
✔ use x509v3 certificates
✔ copy your openssl.cnf to a known directory (/opt/bacula/certs/) and make the modifications needed to issue v3 certificates
✔ use the openssl -extensions v3_ca and -extensions v3_req options when generating CSR files
✔ use openssl -config /opt/bacula/certs/openssl.cnf with your customizations when issuing certificates