Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Preparing The Hard Drives:

Overwriting the drives with random data
Before any encryption is set up, the first step in preparing each drive is to overwrite it end to end with random data. LUKS ciphertext is indistinguishable from random bytes, so on a drive that has been pre-filled this way an attacker who gets hold of the disk cannot tell which sectors carry backup volumes and which were never written, cannot tell how much of the drive is in use, and finds none of the plaintext that a previous owner or an earlier use of the drive may have left behind. The fill does not make the cipher itself any stronger; what it removes is side information about the layout and amount of your data.

On Linux (or any *nix system) there exists a simple but useful tool called dd. dd has several uses, but we will be using it to overwrite each of the removable hard drives with random data from /dev/urandom.

The first step is to plug in a new drive and then determine what block device node your system assigns to it. To find out, run dmesg after plugging the drive in. You should then see something similar to this at the end of the dmesg output:

root@host: # dmesg
--[snip]--
ata7: exception Emask 0x10 SAct 0x0 SErr 0x0 action 0xe frozen
ata7: irq_stat 0x02400000, PHY RDY changed
ata7: hard resetting link
ata7: link is slow to respond, please be patient (ready=0)
ata7: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
ata7.00: ATA-8: ST3750528AS, CC38, max UDMA/133
ata7.00: 1465149168 sectors, multi 0: LBA48 NCQ (depth 0/32)
ata7.00: configured for UDMA/133
ata7: EH complete
scsi 6:0:0:0: Direct-Access     ATA      ST3750528AS      CC38 PQ: 0 ANSI: 5
sd 6:0:0:0: Attached scsi generic sg2 type 0
sd 6:0:0:0: [sde] 1465149168 512-byte logical blocks: (750 GB/698 GiB)
sd 6:0:0:0: [sde] Write Protect is off
sd 6:0:0:0: [sde] Mode Sense: 00 3a 00 00
sd 6:0:0:0: [sde] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
 sde: unknown partition table
sd 6:0:0:0: [sde] Attached SCSI disk

The [sde] lines in the dmesg output above show that when the Seagate ST3750528AS 750GB SATA drive was plugged into an eSATA dock, the kernel named it sde, so its block device node is /dev/sde. Your drive may be assigned a different node, and you need to be 100% sure that you identify the correct drive because the next command completely overwrites the entire contents of the drive, including the partition table. Cross-check the name against the drive's serial number under /dev/disk/by-id/ or the size column of lsblk before going further.

As root, be sure to substitute sde with the correct device indicated by dmesg on your system and run the following command:

root@host: # dd if=/dev/urandom of=/dev/sde bs=1M

dd stops when it reaches the end of the device and exits with "No space left on device"; for this command that message is the normal sign of completion, not a failure. Repeat these two steps (dmesg & dd) for each of the remaining drives, checking the device node afresh every time: names are handed out in the order drives appear, so the next drive will not necessarily be sde again.

*IMPORTANT* Depending on the size of the drive and how fast the system can produce random data (about 6.4 MB/s on the machine in the output below, i.e. roughly a day and a half for a 750 GB drive), this operation takes hours or even days. Be patient and let it run to the end on every drive: any stretch dd does not reach stays zero (or keeps its old contents) and is trivially distinguishable from the encrypted volumes that will sit next to it. Two caveats. A much faster way to get an equivalent fill is to open the LUKS container first and write /dev/zero through its /dev/mapper/<name> device, which lands on the disk as ciphertext at the cipher's speed rather than /dev/urandom's. And none of this applies to SSDs: wear levelling means an overwrite does not reach every flash block, so use the drive's ATA Secure Erase there instead.

If you are impatient, or just want to know how far along the process is, you can keep track of the process in another shell by typing the following command:

root@host: # while killall -USR1 dd 2>/dev/null; do sleep 1; done

This sends SIGUSR1 to every running dd once a second (killall returns nonzero once no dd is left, which ends the loop), and GNU dd answers the signal by printing its progress like so:

415308037312 bytes (415 GB) copied, 64613.7 s, 6.4 MB/s
390926+9047 records in
390926+9046 records out
415322717376 bytes (415 GB) copied, 64615.7 s, 6.4 MB/s
390940+9047 records in
390939+9047 records out
415337101874 bytes (415 GB) copied, 64617.7 s, 6.4 MB/s
390954+9047 records in
390953+9047 records out
415351781938 bytes (415 GB) copied, 64619.8 s, 6.4 MB/s
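The "+9047" partial records in that output are reads of /dev/urandom that returned fewer than 1 MiB (a read cut short by the signal, for instance); dd writes whatever it got and carries on, so nothing is skipped, but the counts stop mapping to exact megabytes. The script below is an added example, not part of the original post, that wraps the dmesg-then-dd procedure with the checks a careless run lacks: it refuses mounted devices, sizes the target from the kernel so the fill ends exactly at the last byte instead of on an ENOSPC error, uses iflag=fullblock so every record is whole, and samples the head and tail afterwards to confirm the random data actually landed. It assumes Linux with GNU coreutils and util-linux (blockdev); the WIPE_PROGRESS variable is this example's own knob (set it to use GNU dd's status=progress, coreutils 8.24 or later, instead of the killall loop). Pointing it at a regular file lets you rehearse on a scratch file before touching /dev/sdX.

```shell
#!/bin/sh
# Added example (not from the original post): fill a removable drive with
# random data, with the safety checks the bare dd one-liner lacks.
# Assumes Linux, GNU coreutils (dd iflag=fullblock, stat -c) and util-linux
# (blockdev). A regular file may be passed instead of a device for a dry run.
set -u

# Size of the target in bytes: the kernel's answer for a block device,
# stat's answer for a regular file.
target_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    stat -c %s "$1"
  fi
}

# Refuse to touch a device that is mounted or that has a mounted partition
# (/dev/sde1, /dev/nvme0n1p1, ...). Reads /proc/mounts, so Linux only.
refuse_if_mounted() {
  if grep -q "^$1[p0-9]* " /proc/mounts 2>/dev/null; then
    echo "refusing: $1 (or a partition on it) is mounted" >&2
    return 1
  fi
  return 0
}

# Overwrite the whole target with /dev/urandom output.
# WIPE_PROGRESS (this example's own variable): when set, ask GNU dd for a
# status=progress line instead of signalling it with killall -USR1.
wipe_random() {
  wipe_dev=$1
  [ -e "$wipe_dev" ] || { echo "no such target: $wipe_dev" >&2; return 1; }
  refuse_if_mounted "$wipe_dev" || return 1
  wipe_size=$(target_size "$wipe_dev") || return 1
  wipe_full=$((wipe_size / 1048576))   # whole 1 MiB blocks
  wipe_rem=$((wipe_size % 1048576))    # trailing bytes after the last full block
  # iflag=fullblock: never emit a short record when a urandom read is
  # interrupted, so the record counts stay exact and nothing is skipped.
  dd if=/dev/urandom of="$wipe_dev" bs=1M count="$wipe_full" \
     iflag=fullblock conv=notrunc ${WIPE_PROGRESS:+status=progress} || return 1
  if [ "$wipe_rem" -gt 0 ]; then
    # Finish the tail byte by byte; at most 1 MiB, so this takes seconds.
    dd if=/dev/urandom of="$wipe_dev" bs=1 count="$wipe_rem" \
       seek=$((wipe_full * 1048576)) conv=notrunc 2>/dev/null || return 1
  fi
  sync
  return 0
}

# Post-wipe sanity check: number of distinct byte values in LEN bytes at
# byte OFFSET. A few KiB of random data shows (almost) all 256 values; a
# region dd never reached shows 1 (all zeros) or whatever was there before.
distinct_bytes() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null \
    | od -An -v -tu1 | tr -s ' \n' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# Usage on a real drive (as root, after confirming the node with dmesg):
#   WIPE_PROGRESS=1 wipe_random /dev/sde
#   distinct_bytes /dev/sde 0 65536      # expect ~256
```

Run distinct_bytes at offset 0 and at (size - 65536) once the wipe reports success; two counts near 256 are the cheap confirmation that both ends of the drive were reached. The mount check is deliberately conservative: it matches any partition of the device as well as the device itself.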


Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now:
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments for key-file? For example:
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements on my Ubuntu Server 12.04 x64.
sudo apt-get install libblkid-dev
and
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built-in keywords; it wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative ,well written.

Thank you, this tutorial helped a huge amount. I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I'm using Bacula since 2.4 releases and it's the first time I found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.

Thanks!

Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.
