Encrypted offsite backups on auto-mounted media with Bacula & vchanger


  • I have to thank a guy that I only saw referenced as "dave" whose website seems to have gone missing. Dave's page titled: "Privacy tools and discussion for Debian GNU/Linux" was one of the first clear resources I had found several years back when I was learning about Cryptsetup and LUKS and I still have my printed hard-copy of his (now extinct) page.
  • Uwe Hermann whose web page titled: "HOWTO: Disk encryption with dm-crypt / LUKS and Debian" was also a big help in getting clear information on Cryptsetup and LUKS.
  • Josh Fisher who's excellent vchanger program extends Bacula's disk-to-disk capabilities in a very flexible and scalable manner.
  • I'd also like to thank someone who goes by the nick "jodel" on the gentoo forums for this post which was instrumental in helping me to understand the power of udev.
  • Darrik Mazey and Matt Tidd for listening to me drone on about this project, and assisting in proof reading this very long document.
  • And finally, Kern Sibbald and the rest of the Bacula team at Bacula.org (Open-Source Bacula) and Bacula Systems (Enterprise Bacula Support) for writing, releasing and maintaining Bacula, an open-source, modular, flexible, scalable, enterprise-ready client-server bacukup solution.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements in my ubuntu server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built in keywords, wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative ,well written.

Thank you, this tutorial helped a huge amount.I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I'm using Bacula since 2.4 releases and it's the first time I found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <b> <i> <u> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the code without spaces and pay attention to upper/lower case.