Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Preparing The Hard Drives:

Encrypting The Drives

Once each of the drives has been completely overwritten with random data, it is time to create the encrypted container that will hold our Bacula backup data. I say container rather than partition because I prefer to use the entire drive since creating one or more partitions is not required, and would serve us no purpose.

Generate a key file to unlock the encrypted containers

We are going to be using a randomly generated key file to open and unlock our encrypted containers. This key file will be created using random data taken from /dev/urandom.

Create a secure 4096 Byte key file from /dev/urandom:

root@host: # dd if=/dev/urandom of=/etc/bacula/include/Bacula_Key_File bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.000635056 s, 6.4 MB/s

Set the ownership and permissions of the key file to make it readable only by root:

root@host: # chown root:root /etc/bacula/include/Bacula_Key_File
root@host: # chmod 400 /etc/bacula/include/Bacula_Key_File

Keep this key file in a safe place (or multiple places), accessible only by you. Encrypt a copy of it with GPG and store it on a thumb drive if you like, but what ever you do, don't lose it. If you lose this key file, you will not be able to access the data on your drives. You have been warned.

Create the encrypted container on each drive

We will use a "less-than-secure", simple, temporary passphrase that will be only used for three things:

  • Create the encrypted LUKS container on each drive
  • Store itself to Key Slot 0 of the LUKS container
  • Add the secure 4096 Byte key file to Key Slot 1 of the LUKS container

Once the 4096 Byte key file has been added to key slot 1 of the LUKS container, it is immediately used to remove the temporary passphrase from key slot 0 of the LUKS container. The 4096Byte key file will then be the only way to unlock the encrypted container on the hard drive to access the data or to add/remove other keys.

Perform these next three steps with each new drive, be sure to check the dmesg output after plugging in each new drive to verify that you are operating on the correct device and substitute it for /dev/sde in the example below:

root@host: # echo "tempvolpassphrase" | cryptsetup -v luksFormat /dev/sde
Command successful.

Now add the 4096 Byte key file to key slot 1 of the LUKS container:

root@host: # cryptsetup -v luksAddKey /dev/sde /etc/bacula/include/Bacula_Key_File
Enter any LUKS passphrase: tempvolpassphrase entered, no keystrokes will be echoed
key slot 0 unlocked.
Command successful.

Remove the simple temporary passphrase in key slot 0 of the LUKS container using the secure 4096 Byte key file that we just stored in key slot 1:

root@host: # cryptsetup -v luksKillSlot /dev/sde 0 --key-file /etc/bacula/include/Bacula_Key_File
key slot 0 verified.
Command successful.

Now, each hard drive has an encrypted LUKS container that can only be unlocked with the secure 4096 Byte key file stored in key slot 1 of the LUKS encrypted container.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements in my ubuntu server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built in keywords, wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative ,well written.

Thank you, this tutorial helped a huge amount.I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I'm using Bacula since 2.4 releases and it's the first time I found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <b> <i> <u> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the code without spaces and pay attention to upper/lower case.