Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Preparing The Hard Drives:

Creating The Filesystem In The Encrypted Container

Before a filesystem can be created on the drive, the encrypted container must first be unlocked and opened with the secure 4096-byte key file.

Unlock the encrypted container with the following command:

root@host: # cryptsetup -v luksOpen --key-file=/etc/bacula/include/Bacula_Key_File /dev/sde tempcontainer
key slot 1 unlocked.
Command successful.

If successful (as indicated above), there will now be a new block device node in /dev/mapper called tempcontainer:

root@host: # ls -la /dev/mapper
total 0
drwxr-xr-x  2 root root     220 Jan 23 14:49 .
drwxr-xr-x 15 root root   14920 Jan 23 14:49 ..
crw-rw----  1 root root  10, 62 Jan 22 15:34 control
brw-rw----  1 root disk 254,  1 Jan 22 15:34 tempcontainer

Next, a filesystem is created inside the block device node of this unlocked, encrypted container. You may use any filesystem you prefer (ext2, ext3, ext4, reiserfs, xfs, jfs, etc.). We will be using reiserfs in all of our examples.

As root, run the following command on each drive and answer yes to the "...is entire device, not just one partition!" warning:

root@host: # mkreiserfs /dev/mapper/tempcontainer
mkreiserfs /dev/mapper/tempcontainer
mkreiserfs 3.6.19 (2003 www.namesys.com)
--[snip credits]--
/dev/mapper/tempcontainer is entire device, not just one partition!
Continue (y/n):y
Guessing about desired format.. Kernel 2.6.34-gentoo-r2-SMP is running.
Format 3.6 with standard journal
Count of blocks on the device: 247712
Number of blocks consumed by mkreiserfs formatting process: 8219
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: 6c5b725d-50c4-4605-b750-4f23575b9b5f
Initializing journal - 0%....20%....40%....60%....80%....100%
--[snip credits]--

ReiserFS is successfully created on /dev/mapper/tempcontainer.

Close the encrypted container and remove the device-mapper block device node in /dev/mapper:

root@host: # cryptsetup -v luksClose tempcontainer
Command successful
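
The open, format and close sequence above can be wrapped in a script that refuses to touch the drive unless the key file and device look the way this tutorial expects. This is an added example, not part of the original tutorial: the helper names check_keyfile and format_container are hypothetical, and the requirement that the key file be root-owned with no group/other access is an assumption about how it should be stored.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial). check_keyfile and
# format_container are hypothetical helper names.
KEYFILE=/etc/bacula/include/Bacula_Key_File   # path used in the tutorial
MAPPER_NAME=tempcontainer                     # mapping name used in the tutorial

# check_keyfile FILE [OWNER_UID]
# Returns 0 if FILE is a regular file (not a symlink), owned by OWNER_UID
# (default 0 = root), exactly 4096 bytes, with no group/other permission bits.
# Returns 1 missing/symlink, 2 wrong owner, 3 wrong size, 4 permissive mode.
check_keyfile() {
    local kf="$1" want_uid="${2:-0}" uid size mode
    if [ ! -f "$kf" ] || [ -L "$kf" ]; then
        echo "key file missing, not a regular file, or a symlink: $kf" >&2; return 1
    fi
    uid=$(stat -c %u "$kf") || return 1
    size=$(stat -c %s "$kf") || return 1
    mode=$(stat -c %a "$kf") || return 1
    [ "$uid" -eq "$want_uid" ] || { echo "key file owned by uid $uid" >&2; return 2; }
    [ "$size" -eq 4096 ] || { echo "key file is $size bytes, expected 4096" >&2; return 3; }
    # Octal mode AND 077 must be zero: nothing for group or other.
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "key file mode $mode too permissive" >&2; return 4; }
}

# format_container DEVICE
# Runs the tutorial's open / mkreiserfs / close sequence, refusing to start
# if any pre-flight check fails, and always closing the mapping afterwards.
format_container() {
    local dev="$1" rc=0
    check_keyfile "$KEYFILE" || return 1
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "no LUKS header on $dev" >&2; return 1; }
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
        echo "/dev/mapper/$MAPPER_NAME already exists" >&2; return 1
    fi
    cryptsetup -v luksOpen --key-file="$KEYFILE" "$dev" "$MAPPER_NAME" || return 1
    mkreiserfs "/dev/mapper/$MAPPER_NAME" || rc=$?    # still prompts for "y"
    cryptsetup -v luksClose "$MAPPER_NAME" || rc=1    # close even if mkfs failed
    return "$rc"
}
# Usage, as root, once per drive:  format_container /dev/sde
```

The stat -c options are those of GNU coreutils, which matches the Linux hosts used throughout this tutorial.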

Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements on my Ubuntu Server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built-in keywords; it wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative, well written.

Thank you, this tutorial helped a huge amount. I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I've been using Bacula since the 2.4 releases and it's the first time I've found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.
