One last class of communication remains: File Daemon to Storage Daemon. This is the key one, since it is the connection that carries the backup data itself from your clients to your backup server, so it is what ensures that data is encrypted in transit.
First we tell the Storage Daemon to require TLS on its listening socket; edit /usr/local/etc/bacula-sd.conf:
Remember, my example uses a Storage Daemon that runs on the host director1.example.com; if yours runs somewhere else, just use the certificate for the host it actually runs on.
Storage {
  Name = janus-sd
  SDPort = 9103
  WorkingDirectory = "/export/bacula/db"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
  TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
The Storage Daemon now requires incoming connections to use TLS. Note that TLS Verify Peer = no means it encrypts the session but does not check the File Daemon's certificate against the CA; set TLS Verify Peer = yes if you want only client certificates signed by your CA to be accepted (TLS Allowed CN can restrict that further to specific names). We still need to tell the File Daemon to speak TLS; edit /usr/local/etc/bacula-fd.conf on client1.example.com:
FileDaemon {
  Name = client1-fd
  FDport = 9102
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/client1.example.com.cert
  TLS Key = /usr/local/etc/bacula/client1.example.com.key
}
Now restart bacula-sd and bacula-fd everywhere and run a backup. Because TLS Require = yes is set on both sides, a File Daemon that has not been converted will be refused rather than silently falling back to cleartext, so a failing job points you at the client that still needs its certificate. Watching port 9103 with tcpdump during the job is a quick way to confirm the data stream is no longer readable. At this point all your Bacula communications are TLS enabled.
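Once several daemons have been converted it is easy to leave one with TLS merely enabled rather than required, or with peer verification switched off. The following script is an added example and is not code from this page or from the Bacula project: it parses the Resource { Directive = value } syntax of bacula-sd.conf and bacula-fd.conf and reports resources whose TLS directives leave a connection cleartext, downgradable (TLS Enable without TLS Require) or unauthenticated (TLS Verify Peer = no). The two embedded configurations are constructed samples; the File Daemon one is deliberately weakened to show what the audit catches. Resource and directive names are taken from the Bacula directives used above; the function names are my own.

```python
"""Audit TLS directives in Bacula daemon configuration files (added example)."""
import re
import sys

# Constructed sample: the Storage resource from the page, with peer verification off.
SAMPLE_SD_CONF = """\
# Storage daemon (constructed sample)
Storage {
  Name = janus-sd
  SDPort = 9103
  Pid Directory = "/var/run"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
  TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
"""

# Constructed sample: a File Daemon with TLS enabled but not required, and no key.
SAMPLE_FD_CONF = """\
FileDaemon {
  Name = client1-fd
  FDport = 9102
  TLS Enable = yes
  TLS Require = no     # weak: a peer without TLS gets cleartext
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/client1.example.com.cert
}
"""

_RESOURCE_RE = re.compile(r"^\s*(\w+)\s*\{\s*$")
_DIRECTIVE_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.*?)\s*$")


def _strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_bacula_conf(text):
    """Return a list of (resource_type, {directive: value}).

    Directive names are lower-cased with single spaces so 'TLS Verify Peer'
    and 'tls verify peer' compare equal; values lose surrounding quotes.
    """
    resources, current = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _RESOURCE_RE.match(line)
        if m:
            current = (m.group(1), {})
            resources.append(current)
            continue
        if line == "}":
            current = None
            continue
        m = _DIRECTIVE_RE.match(line)
        if m and current is not None:
            key = " ".join(m.group(1).lower().split())
            current[1][key] = m.group(2).strip('"')
    return resources


def _is_yes(value):
    return value is not None and value.lower() in ("yes", "true", "1", "on")


def audit_tls(resources):
    """Return (resource, finding) pairs; an empty list means every resource
    requires TLS, verifies its peer and names its certificate files."""
    findings = []
    for rtype, d in resources:
        name = f"{rtype}/{d.get('name', '?')}"
        if not _is_yes(d.get("tls enable")):
            findings.append((name, "TLS is not enabled; traffic is cleartext"))
            continue
        if not _is_yes(d.get("tls require")):
            findings.append((name, "TLS Require is not yes; a peer without TLS falls back to cleartext"))
        # Absent means Bacula's own default applies; an explicit 'no' is the problem.
        if "tls verify peer" in d and not _is_yes(d["tls verify peer"]):
            findings.append((name, "TLS Verify Peer = no; peer certificate is not checked against the CA"))
        for needed in ("tls ca certificate file", "tls certificate", "tls key"):
            if needed not in d:
                findings.append((name, f"{needed} is not set"))
    return findings


if __name__ == "__main__":
    # Audit real files given on the command line, otherwise the constructed samples.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_SD_CONF, SAMPLE_FD_CONF]
    for text in texts:
        for resource, finding in audit_tls(parse_bacula_conf(text)):
            print(f"{resource}: {finding}")
```

Run it against each daemon's configuration after editing and before restarting; the Storage sample above yields one finding (peer verification off) and the weakened File Daemon sample two (TLS not required, no TLS Key). It only reads the configuration, so it says nothing about whether the certificate files exist, match their keys or chain to the CA; check those with openssl separately.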
