View Issue Details

ID: 0000679
Project: bareos-core
Category: storage daemon
View Status: public
Last Update: 2023-03-23 16:30
Reporter: mgu
Assigned To: bruno-at-bareos
Status: closed
Resolution: not fixable
OS: Ubuntu
OS Version: 16.04
Product Version: 14.2.7
Summary: 0000679: Key unwrapping fails in 14.2.7 for Keys generated in 14.2.2
Description:
We use an ubuntu 12.04 system running bareos 14.2.2 as our productive backup solution. The backups are done on tape with encryption enabled. We now wish to restore this data on a system running ubuntu 16.04 and bareos 14.2.7.

Trying to restore data from tape on an ubuntu 16.04 system running bareos 14.2.7 fails with the following error message:
  " ERROR in scsicrypto-sd.c:392 scsicrypto-sd: Failed to unwrap encryption key, probably wrong KeyEncryptionKey in config "

Trying to test out the unwrapping of encryption keys using bscrypto in bareos 14.2.7 fails and is easily reproduced. It works on ubuntu 12.04 and bareos 14.2.2.

The switch from OpenSSL to GnuTLS between bareos 14.2.2 and 14.2.7 most likely breaks the ability to decrypt tape drives.

Steps To Reproduce:
System A running bareos 14.2.2 with OpenSSL on ubuntu 12.04
System B running bareos 14.2.7 with GnuTLS on ubuntu 16.04

SystemA # bscrypto -b -k <KeyEncryptionKey> -w <EncryptionKey>
## --> Key is unwrapped correctly

SystemB # bscrypto -b -k <KeyEncryptionKey> -w <EncryptionKey>
## --> Failed to aes unwrap the keydata read from <KeyEncryptionKey> using the wrap data from <EncryptionKey>, aborting...
Tags: No tags attached.




2023-03-23 16:30

manager   ~0004941

GnuTLS is not supported; only OpenSSL can be used.
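
The "Failed to unwrap" error reported above is what an AES key unwrap returns when its built-in integrity check does not match. The following is an added example, not Bareos code and not part of the original report, and it assumes bscrypto's wrap follows RFC 3394. It runs the unwrap against the RFC's own test vector and then with one KEK bit altered; the names Unwrap, ErrIntegrity and checkValue are chosen here for illustration.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// checkValue is the RFC 3394 default initial value; it is the only integrity check.
const checkValue uint64 = 0xA6A6A6A6A6A6A6A6

var ErrIntegrity = errors.New("aes unwrap: integrity check failed")

// Unwrap performs RFC 3394 AES key unwrap (section 2.2.2, index-based form).
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("aes unwrap: wrapped key must be >= 24 bytes, multiple of 8")
	}
	block, err := aes.NewCipher(kek) // KEK must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n, a := len(wrapped)/8-1, binary.BigEndian.Uint64(wrapped[:8])
	r := append([]byte(nil), wrapped[8:]...) // registers R[1..n]
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], a^uint64(n*j+i))
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf)
			a = binary.BigEndian.Uint64(buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	if a != checkValue {
		return nil, ErrIntegrity // wrong KEK, damaged data or incompatible implementation
	}
	return r, nil
}

func main() {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F") // RFC 3394 section 4.1 test vector
	wrapped, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	key, err := Unwrap(kek, wrapped)
	fmt.Printf("correct KEK: %x err=%v\n", key, err)
	kek[15] ^= 0x01 // one flipped bit in the KEK
	_, err = Unwrap(kek, wrapped)
	fmt.Printf("altered KEK: err=%v\n", err)
}
```

The check value is all the algorithm has to go on, so the unwrap cannot tell a mistyped KeyEncryptionKey from any other mismatch between the wrapping and unwrapping sides.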

Issue History

Date Modified      Username          Field          Change
2016-08-04 14:42   mgu               New Issue
2023-03-23 16:30   bruno-at-bareos   Assigned To    => bruno-at-bareos
2023-03-23 16:30   bruno-at-bareos   Status         new => closed
2023-03-23 16:30   bruno-at-bareos   Resolution     open => not fixable
2023-03-23 16:30   bruno-at-bareos   Note Added: 0004941