Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Since backups are the most important process regardless of what industry you are in, it pays to put a lot of thought into creating a reliable, easy-to-use, scalable, and secure backup solution.

Why reliable?
This should be pretty obvious. Without a reliable backup solution that "just works" you cannot be 100% sure that you will be able to restore any data at any time, and this is clearly a bad thing. Files are lost or accidentally deleted by users and there is no excuse for not being able to restore this data.

Why easy-to-use?
If your backup process is not simple and painless for the end users (e.g. the person or persons responsible for rotating the backup media) then sooner or later shortcuts will be taken, steps will be skipped, errors or warnings will be ignored, and you will not have the data you need when disaster strikes - and it will strike, it's just a matter of time.

Why Scalable?
How much data are you backing up today? Tomorrow? Next week, month, year? If you build a backup system to only handle your current needs, it will surely need to be replaced sooner than you'd think. You want to make sure that the backup solution you build will take care of your needs now and will continue to work into the future with minor adjustments rather than needing to be completely replaced in a year or two.

Why Secure?
The only thing more important than having good offsite backups of your data is making sure that someone else does not have access to your data. This is where encryption comes in. If your backups are written to an encrypted device (hard drive, tape drive, CDROM, etc) then you can safely transport your backup media on a regular schedule to an off-site location without the fear of your data being compromised.

The Concept:

The end result we are working towards is an inexpensive, reliable, open-source backup system built on multiple removable, encrypted SATA hard drives that an end user can swap without needing to do more than unplug one drive and plug another one in.

Each encrypted drive will contain many 10GB files which Bacula treats as file volumes. The 10GB value for each volume was chosen since it is a reasonable filesize if/when a volume or multiple volumes need to be moved from one drive or system to another.

To reach our goal of creating a reliable, easy-to-use, scalable, and secure backup solution, we will be making use of the following tools/technologies:

  • Linux Operating system - Gentoo is the distribution used, but these instructions will work with any Linux distribution.
  • Bacula - An open-source, client-server based, scalable, enterprise-ready backup solution. This tutorial assumes that you have a working Bacula configuration.
  • vchanger - vchanger was designed to be used with Bacula to utilize multiple, removable disk drives as backup media.
  • cryptsetup - Cryptsetup is used to conveniently set up dm-crypt managed device-mapper mappings. We will be using LUKS, the Linux Unified Key Setup, the standard for hard disk encryption.
  • udev - udev provides a dynamic device directory on a Linux system containing only the files for actually present devices. It creates or removes device node files in the /dev directory as they are added or removed.
  • autofs - autofs is used to automatically mount a device or partition when access to a directory is attempted. The auto-mounting is performed based on user-defined rules.
  • SATA Drives - In this tutorial, we are using several 750GB standard internal SATA hard drives. They will be connected to the system via an eSATA dock.


Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements on my Ubuntu Server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built-in keywords; it wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.
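
Added example, not part of the original post or of the comment above: because the drive is unlocked unattended from a key file, the key file's ownership and mode are what protect the offsite copies. The helper names below are hypothetical; the key file path and the mapping name are the ones quoted in the comment, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example; keyfile_is_safe and open_backup_drive are hypothetical helpers.
# Assumes GNU stat (stat -c) and cryptsetup with LUKS support.

# Return 0 only if the key file is a regular file (not a symlink), owned by
# the expected UID (default 0 = root), with no group/other permission bits.
keyfile_is_safe() {
    local keyfile=$1 want_uid=${2:-0} owner mode
    [ -L "$keyfile" ] && { echo "refusing symlink: $keyfile" >&2; return 1; }
    [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
    owner=$(stat -c '%u' "$keyfile") || return 1
    mode=$(stat -c '%a' "$keyfile") || return 1
    if [ "$owner" != "$want_uid" ]; then
        echo "key file owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal; any bit in 077
    # means group or other can read or change the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "key file mode $mode grants group/other access" >&2
        return 1
    fi
    return 0
}

# Open the container only if the key file passes the check and the device
# really carries a LUKS header, so a blank or wrong disk is never mapped.
open_backup_drive() {
    local dev=$1 name=$2 keyfile=$3
    keyfile_is_safe "$keyfile" || return 1
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    cryptsetup -v luksOpen --key-file "$keyfile" "$dev" "$name"
}

# Usage, as root, with the values quoted in the comment above:
#   open_backup_drive /dev/sdb tempcontainer /etc/bacula/include/Bacula_Key_File
```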

Very informative, well written.

Thank you, this tutorial helped a huge amount. I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I've been using Bacula since the 2.4 releases and it's the first time I've found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.
