Adding backup to a new server with PKI encryption and TLS

  • Generate keypair on director

/etc/bareos/keys/generate-key.sh

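#!/bin/bash
# Generate the Bareos PKI (file encryption/signing) keypair for one client.
#
# Usage: generate-key.sh DOMAIN
# Writes fd-DOMAIN.key, fd-DOMAIN.cert and the combined fd-DOMAIN.pem into
# /etc/bareos/keys, owned by group bareos with mode 440.
set -euo pipefail

DOMAIN=${1:-}

if [ -z "$DOMAIN" ]; then
	echo "Provide domain" >&2
	exit 1
fi

# Private key material: restrict it from creation time instead of relying on
# the chmod at the end (with the default umask the .key/.pem would be readable
# by everyone until then).
umask 077

cd /etc/bareos/keys || exit 1

openssl genrsa -out "fd-$DOMAIN.key" 2048
# NOTE(review): no -days is given, so openssl's default validity for -x509
# (30 days in stock openssl) applies — confirm that is intended for a PKI keypair.
openssl req -new -key "fd-$DOMAIN.key" -x509 -out "fd-$DOMAIN.cert"
cat "fd-$DOMAIN.key" "fd-$DOMAIN.cert" >"fd-$DOMAIN.pem"

# Name the three files explicitly instead of globbing *DOMAIN*, which would
# also re-permission files of any other domain containing this one as a
# substring.
chgrp bareos "fd-$DOMAIN.key" "fd-$DOMAIN.cert" "fd-$DOMAIN.pem"
chmod 440 "fd-$DOMAIN.key" "fd-$DOMAIN.cert" "fd-$DOMAIN.pem"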
  • Generate TLS cert and key (don't forget to complete the common name)
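#!/bin/bash
# Issue a TLS client certificate for DOMAIN from the intermediate CA in
# /root/ca, then write a passphrase-less copy of the key for the daemons.
#
# Usage: SCRIPT DOMAIN
# Interactive: genrsa -aes256 asks for a passphrase, req asks for the subject
# (fill in the common name) and ca asks to confirm signing.
set -euo pipefail

DOMAIN=${1:-}

if [ -z "$DOMAIN" ]; then
	echo "Provide domain" >&2
	exit 1
fi

# Everything below is private key material or a CSR: make sure none of it is
# world-readable at creation time, whatever the caller's umask is.
umask 077

cd /root/ca || exit 1

key=intermediate/private/$DOMAIN.key.pem
csr=intermediate/csr/$DOMAIN.csr.pem
cert=intermediate/certs/$DOMAIN.cert.pem
nopass_key=intermediate/private/$DOMAIN.nopass.key.pem

openssl genrsa -aes256 -out "$key" 4096
chmod 400 "$key"

openssl req -config intermediate/openssl.cnf -key "$key" -new -sha256 -out "$csr"

openssl ca -config intermediate/openssl.cnf \
      -extensions mutual_cert -days 375 -notext -md sha256 \
      -in "$csr" \
      -out "$cert"

# The certificate is public; the umask above made it 600, open it up again.
chmod 444 "$cert"

# Unencrypted copy for the Bareos daemons. The original left this file at the
# umask default: it holds the same secret as $key, so it gets the same mode.
openssl rsa -in "$key" -out "$nopass_key"
chmod 400 "$nopass_key"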
  • Copy the cert and key to the correct directories on the director
cp /root/ca/intermediate/private/DOMAIN.nopass.key.pem  /root/ca/intermediate/certs/DOMAIN.cert.pem /etc/bareos/ssl
  • Configure client on director
# Director-side definition of the new client. Substitute DOMAIN and choose a
# real shared secret for Password; it must match the Director resource in the
# client's bareos-fd.conf.
Client {
  Name = server-fd
  Address = DOMAIN
  Password = "ANYTHING_SAFE"
  File Retention = 60 days
  Job Retention = 6 months
  AutoPrune = yes
 
  # TLS is mandatory for this client, using the cert/key copied into
  # /etc/bareos/ssl above.
  # NOTE(review): unlike the Director resource in bareos-fd.conf, no
  # "TLS Verify Peer" / "TLS Allowed CN" is set here — confirm the default
  # gives the director the peer verification you expect.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/ssl/ca-chain.cert.pem
  TLS Certificate = /etc/bareos/ssl/DOMAIN.cert.pem
  TLS Key = /etc/bareos/ssl/DOMAIN.nopass.key.pem
}
  • Install bareos-client on the new server
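# Fetch the repo definition and stop if the download fails: wget -O leaves an
# empty bareos.repo behind on error and yum would then run against it.
# NOTE(review): the URL is plain http, so package integrity rests on yum's
# signature check — confirm the fetched .repo enables gpgcheck.
wget -O /etc/yum.repos.d/bareos.repo http://download.bareos.org/bareos/release/latest/CentOS_7/bareos.repo || exit 1
yum install bareos-client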
  • Copy the cert, key and PKI files from the director to the new server
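# Substitute DOMAIN and server. Copy only what bareos-fd.conf references: the
# client's TLS cert/key, the CA chain, the DH params, the client's PKI keypair
# and the master certificate. The original "master*" glob would also ship any
# other master* file kept in /etc/bareos/keys (e.g. a master private key, if
# one sits there) to the client, which only needs master.crt.
rsync -av /etc/bareos/ssl/DOMAIN.cert.pem /etc/bareos/ssl/DOMAIN.nopass.key.pem /etc/bareos/ssl/ca-chain.cert.pem /etc/bareos/ssl/dh1024.pem root@server:/etc/bareos/ssl
rsync -av /etc/bareos/keys/fd-DOMAIN.pem /etc/bareos/keys/master.crt root@server:/etc/bareos/keys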
  • Configure bareos-fd.conf
# The director allowed to connect to this file daemon. Password must match
# the Client resource on the director.
Director {
  Name = director-dir
  Password = "ANYTHING_SAFE"
  # Mutual TLS: the director must present a certificate chaining to
  # ca-chain.cert.pem with CN "director"; this daemon presents
  # DOMAIN.cert.pem with the passphrase-less key.
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "director"
  TLS CA Certificate File = /etc/bareos/ssl/ca-chain.cert.pem
  TLS Certificate = /etc/bareos/ssl/DOMAIN.cert.pem
  TLS Key = /etc/bareos/ssl/DOMAIN.nopass.key.pem
  # NOTE(review): the filename suggests 1024-bit DH parameters, which are
  # considered weak today — consider regenerating larger parameters.
  TLS DH File = /etc/bareos/ssl/dh1024.pem
}
 
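FileDaemon {                          # this is me
  Name = server-fd
  # Listens on all addresses (addr = ::); "TLS Require = yes" below is what
  # refuses peers that do not negotiate TLS.
  FDAddresses = {
    ipv6 = { addr = :: ; }
  }
  Maximum Concurrent Jobs = 20
  compatible = no
 
  # Same cert/key as in the Director resource. The original pointed at
  # DOMAIN.com.cert.pem, which matches neither the DOMAIN.cert.pem copied over
  # by rsync nor the path used everywhere else on this page.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/ssl/ca-chain.cert.pem
  TLS Certificate = /etc/bareos/ssl/DOMAIN.cert.pem
  TLS Key = /etc/bareos/ssl/DOMAIN.nopass.key.pem
 
  # Client-side signing and encryption of backup data. Only the master's
  # public certificate belongs here; keep the master private key off clients.
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair = "/etc/bareos/keys/fd-DOMAIN.pem"
  PKI Master Key = "/etc/bareos/keys/master.crt"
}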
 
# Send all messages except skipped files back to Director
# ("!restored" also drops the per-file restore notices).
Messages {
  Name = Standard
  director = director-dir = all, !skipped, !restored
}