Add openssl support to sysutils/bacula9-server

I have bacula9-server already installed and running for years. I need to add data encryption to the software. Unfortunately the 'make config' command does not reveal any openssl options. This link states to use the configure command to add openssl support to bacula: https://www.bacula.org/9.6.x-manuals/en/main/Data_Encryption.html. As such, I am quite unfamiliar with using configure at the command prompt. So I want to be extra careful here.

The main question is- how do we restore unencrypted backup data once we've added encryption support to bacula? There will be several months before unencrypted data is entirely purged. We do not have the luxury of spinning up a new server just for encrypted backup. I was mulling the idea of keeping pre-encryption server and client configurations files which could be substituted as needed in order to restore. Has anyone encountered this particular situation and how did they work around this as part of the transition? Or does Bacula have the capability of handling unencrypted data after being configured for encryption?

What steps are needed to safely reinstall bacula9-server with base openssl support? I also have a need to rebuild the bacula9-client with openssl support.

Looking at this post: https://forums.freebsd.org/threads/...-after-move-from-openssl111-to-openssl.73693/, it looks like I need to uninstall bacula9-server and do something similar to the following:

Code:
cd /usr/ports/sysutils/bacula9-client && \
make clean && \
make extract && \
make patch && \
cd work && \
cd bacula-9.6.7_1 && \
./configure --with-openssl --with-postgresql --prefix=/usr/local && \
make && \
make install

I'm not exactly sure if the 'make extract', 'make patch', 'cd work', and 'cd bacula 9.6.7_1' lines are needed here? Is the following all I need:

Code:
cd /usr/ports/sysutils/bacula9-client && \
make clean && \
./configure --with-openssl --with-postgresql --prefix=/usr/local && \
make && \
make install

Can I reinstall without deinstalling?

Boy, I wish they would add support for base openssl, openssl in ports, as well as libressl in the make config options! I have been spoiled! sysutils/bareos has an openssl option in their make config.

In addition, if there are patches in the future, what steps are necessary in order to safely update with openssl support?

Pointers would be appreciated!

~Doug
 
The main question is- how do we restore unencrypted backup data once we've added encryption support to bacula?
What makes You think it would do anything else than just restore it?
(And, btw, what about a test environment to figure out such things?)
(And, btw, afaik bextract cannot extracxt encrypted data - so, when we're at it, what about the DR&contingency plan? ;) (*) )

Code:
cd /usr/ports/sysutils/bacula9-client && \
make clean && \
make extract && \
make patch && \
cd work && \
cd bacula-9.6.7_1 && \
./configure --with-openssl --with-postgresql --prefix=/usr/local && \
make && \
make install

Or you could simply add this to your /etc/make.conf
Code:
.if ${.CURDIR:C/.*\/sysutils\/bacula[0-9]+-(client|server)//} == ""
CONFIGURE_ARGS+=--with-openssl
.endif

But then, there might be a reason why this is not engaged by default...

(*) Me running the bareos fork, with two databases so that each will backup itself into the respective other (full postgres redolog+fileimage backup, compatible with PG rel.13).
 
maybe you should upgrade to a recent version of bacula ... the version 9 got its last update in 2020, version 13 is the current version. Using a current version also reduces the risk of running into problems with openssl version not being compatible with that old bacula version...
 
BTW, you could just try it out (install and configure some certificates) - because it seems to me that the client would link with SSL by default...
 
Back
Top