Bacula has multiple daemons (Director, Storage, File) and relies on shared passwords/TLS between them. Harden daemon trust, TLS, and backup catalog access.
- Use strong unique passwords for each Bacula daemon relationship.
- Never reuse default/example passwords from templates.
- Restrict Director and Storage daemon connectivity to known hosts.
- Segment Bacula control traffic onto a backup VLAN where possible.
2) Enforce TLS for File and Storage daemons
- Enable TLS for FD/SD communication and verify certificates.
- Protect certificate/private key files with root-only permissions.
- Rotate certificates before expiry.
- Disable insecure fallback modes.
3) Protect catalogs and restore paths
- Restrict DB user privileges for Bacula catalog.
- Encrypt catalog backups and protect retention metadata.
- Lock restore destinations to controlled paths/hosts.
- Audit restore operations and administrative commands.
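Verification commands
```bash
# Version and usage banner (bacula-dir writes it to stderr, so merge it into stdout)
bacula-dir -? 2>&1 | head
# Password and TLS directives in the configs (matching lines include the password values)
grep -R "Password\|TLS\|TLS Enable\|TLS Require" /etc/bacula 2>/dev/null | head -n 40
# Listeners on the Director (9101), File (9102) and Storage (9103) daemon ports
sudo ss -tulpn | grep -E ':9101|:9102|:9103'
```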
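The grep above only lists directives; the following added example (not part of the original page or of Bacula itself) groups them per resource and reports shared passwords and TLS that is enabled but not required, without printing any password. It assumes each resource's opening brace is on the same line as its type and that `@file` includes are already expanded; the sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed sample config; resource names and passwords are made up.
SAMPLE = """\
Director {
  Name = backup-dir
  Password = "dir-pw-1"  # trailing comment
  TLS Enable = yes
  TLS Require = yes
}
Client {
  Name = web01-fd
  Password = "shared#pw"
  TLS Enable = yes
}
Storage {
  Name = File1
  Password = "shared#pw"
}
"""

def parse_resources(text):
    # Returns [(type, {directive: value})] for top-level resources only.
    out, depth = [], 0
    for raw in text.splitlines():
        # Drop comments, but keep a '#' that sits inside a quoted value.
        line = re.match(r'((?:"[^"]*"|[^#"])*)', raw).group(1).strip()
        if depth == 0 and (m := re.fullmatch(r"(\w+)\s*\{", line)):
            out.append((m.group(1), {}))
        elif depth == 1 and "=" in line and "{" not in line:
            key, val = line.split("=", 1)
            # Bacula ignores case and spaces in directive names.
            out[-1][1][re.sub(r"\s+", "", key).lower()] = val.strip().strip('"')
        depth += line.count("{") - line.count("}")
    return out

def audit(text):
    findings, by_pw = [], defaultdict(list)
    for rtype, d in parse_resources(text):
        if "password" in d:
            name = f"{rtype}/{d.get('name', '?')}"
            by_pw[d["password"]].append(name)
            if d.get("tlsenable", "no").lower() != "yes":
                findings.append(f"{name}: no 'TLS Enable = yes'")
            elif d.get("tlsrequire", "no").lower() != "yes":
                findings.append(f"{name}: TLS enabled but not required")
    findings += ["password reused by: " + ", ".join(n)
                 for n in by_pw.values() if len(n) > 1]
    return findings
```

Run `audit()` on the concatenated contents of the files under `/etc/bacula`; an empty list means every resource with a password also sets `TLS Enable` and `TLS Require` and no two resources share a password.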
- Bacula documentation: https://www.bacula.org/documentation/
- Bacula source: https://github.com/bacula-community/bacula
- Bacula package security tracking (Debian): https://security-tracker.debian.org/tracker/source-package/bacula