Menu
▾
▴
Re: [Bacula-users] setting up an autochange in the cloud
|
From: Bill A. <wa...@pr...> - 2024-10-21 15:15:54
|
On 10/21/24 1:45 AM, Stefan G. Weichinger wrote: > > So that means for best protection I would need "storage daemon data > volume encryption"? Or even better: enable both? > > I assume enabling both would add overhead in terms of CPU usage etc Hello Stefan, Not sure I would call FD encryption plus SD encryption "better", only because you have the added task of managing the keys/certs on the client(s) in addition to the SD re-encrypting the already FD-encrypted data and you needing to make sure the encryption key files for each SD-encrypted cloud volume are safely maintained. :) So, more CPU use on client(s). and on SD, and more admin work, but yes, data would be encrypted twice in such a setup. > Is there a working example somewhere? > > Just setting "Volume Encryption = yes" leads to issues labelling the > volumes here, I assume that a keypair is needed somewhere. > > thanks In addition to setting "Volume Encryption = yes" in each of your your SD's c loud devices, you also need the following in your SD's top-level configuration: ----8<---- EncryptionCommand = "/path/to/key-manager.py getkey" ----8<---- The actual path will depend on the Bacula community maintainer for your distro. :) Hope this helps, Bill -- Bill Arlofski wa...@pr... |
