TLS Configuration for Bacula with CAcert

As far as I know, Bacula offers two measures for securing backups. One secures the communication channel with TLS between the Bacula entities (storage daemon, file daemon, bconsole, director, and so on), since Bacula spans multiple hosts over the network. The other encrypts the backed-up data set itself with PKI.

Let me share how I figured out the TLS configuration with certificates from CAcert.org. The same settings apply to any resource section (Storage, Director, FileDaemon, …) that asks you to set the TLS glue.


FileDaemon { # this is me
  Name = some_name
  FDport = 9102
  WorkingDirectory = /var/spool/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 3

  TLS Enable = yes
  TLS Require = yes
  # TLS Verify Peer = yes
  TLS Certificate = location_to_cert_file_you_got_from_cacert
  TLS Key = location_to_private_key_you_generated_yourself
  TLS CA Certificate File = location_to_root_cert_file_you_got_from_cacert

  PKI Signatures = Yes # Enable Data Signing
  PKI Encryption = Yes # Enable Data Encryption
  PKI Keypair = blah_blah.pem # Public and Private Keys
  PKI Master Key = blah_blah_master.cert # ONLY the Public Key
}
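Before copying a resource like the one above to several hosts, it is handy to lint the TLS directives mechanically. The following is an added example, not part of the original post or of Bacula itself: a small parser for `Name { Key = Value }` resources and an audit that flags TLS disabled or not required, a `TLS Verify Peer` line that is commented out (so the directive is not set explicitly), and missing certificate, key or CA-file paths. The configuration text and the `/etc/bacula/certs/...` paths are constructed for the example.

```python
import re

# Constructed sample: the FileDaemon resource from the post, with the
# "TLS Verify Peer" line commented out exactly as the original shows it.
SAMPLE_CONF = """\
FileDaemon { # this is me
  Name = some_name
  FDport = 9102
  TLS Enable = yes
  TLS Require = yes
  # TLS Verify Peer = yes
  TLS Certificate = /etc/bacula/certs/fd.crt
  TLS Key = /etc/bacula/certs/fd.key
  TLS CA Certificate File = /etc/bacula/certs/cacert-root.crt
}
"""

REQUIRED_FILES = ("TLS Certificate", "TLS Key", "TLS CA Certificate File")

def parse_resources(text):
    """Parse 'Name { Key = Value ... }' blocks into {name: {key: value}}.
    '#' comments are stripped first, so a commented-out directive is
    simply absent. Bacula directive names are case-insensitive, so keys
    are normalised to lowercase. Nested braces are not supported."""
    stripped = re.sub(r"#[^\n]*", "", text)
    resources = {}
    for m in re.finditer(r"(\w+)\s*\{(.*?)\}", stripped, re.S):
        body = {}
        for line in m.group(2).splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                body[key.strip().lower()] = value.strip()
        resources[m.group(1)] = body
    return resources

def audit_tls(res):
    """Return a list of findings for one parsed resource (empty = clean)."""
    findings = []
    if res.get("tls enable", "no").lower() != "yes":
        return ["TLS Enable is not yes: traffic to this resource is cleartext"]
    if res.get("tls require", "no").lower() != "yes":
        findings.append("TLS Require is not yes: a non-TLS peer is still accepted")
    if "tls verify peer" not in res:
        findings.append("TLS Verify Peer not set explicitly: confirm peer certificates are checked")
    for directive in REQUIRED_FILES:
        if directive.lower() not in res:
            findings.append(f"{directive} is missing")
    return findings

def audit_config(text):
    """Audit every resource in a config file: {resource name: findings}."""
    return {name: audit_tls(res) for name, res in parse_resources(text).items()}
```

Running `audit_config(SAMPLE_CONF)` on the sample reports only that `TLS Verify Peer` is not set explicitly, which is exactly the line the post leaves commented out.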

Three commands to get a CAcert certificate

On a UNIX box (I am actually doing this on Linux), run these commands, fill in the appropriate information, then keep the generated files. You may change the file names as needed. In the following example, you have to keep server.csr to request the certificate at CAcert.org, and privatekey.txt to put into the server configuration. Once the certificate is issued, you can name it as you like (e.g. certificate.crt).

  • openssl genrsa -des3 -out ca.pkey.txt 1024
  • openssl rsa -in ca.pkey.txt -out privatekey.txt
  • openssl req -new -key ca.pkey.txt -out server.csr