Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Preparing The Hard Drives:

Testing Each Drive

Now we will unlock the encrypted container, mount the reiserfs filesystem, set the permissions so that Bacula can write to it, and then unmount the filesystem in the encrypted container and close the container. This will verify that everything is working correctly before we move on to automating the whole process.

Create a temporary location to mount our encrypted filesystems. (Perform this first step only once):

root@host: # mkdir /mnt/temp

Perform the following six steps for each drive.

Unlock the encrypted container:

root@host: # cryptsetup -v luksOpen --key-file=/etc/bacula/include/Bacula_Key_File /dev/sde tempcontainer
key slot 1 unlocked.
Command successful.

Mount the filesystem in the encrypted container:

root@host: # mount -t reiserfs /dev/mapper/tempcontainer /mnt/temp

Verify that it was mounted OK:

root@host: # mount -t reiserfs
/dev/mapper/tempcontainer on /mnt/temp type reiserfs (rw)

Set the ownership and permissions so that only the Bacula user may write to this filesystem, then list the mounted directory to verify proper ownership:

root@host: # chown -R bacula:bacula /mnt/temp
root@host: # chmod 750 /mnt/temp
root@host: # ls -la /mnt/temp
total 699644065
drwxr-x--- 4 bacula bacula        2352 Jan 24 13:41 .
drwxr-xr-x 3 root   root             0 Jan 23 15:37 ..

Unmount the encrypted partition:

root@host: # umount /mnt/temp

And finally, close the encrypted container and remove the device-mapper block device node in /dev/mapper:

root@host: # cryptsetup -v luksClose tempcontainer
Command successful.
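
The six steps above can also be run as one function that undoes only what it managed to open, so a failed test never leaves the container unlocked. This is an added example, not part of the original howto; the function names and the DRY_RUN switch are made up for illustration, while the key file, mount point and container name are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original article): the six per-drive test steps
# as one function that closes whatever it opened, even when a step fails.
# KEY_FILE, MNT and NAME default to the article's values; the function names
# and the DRY_RUN switch are hypothetical.
KEY_FILE=${KEY_FILE:-/etc/bacula/include/Bacula_Key_File}
MNT=${MNT:-/mnt/temp}
NAME=${NAME:-tempcontainer}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Replace the visual check of `mount` and `ls -la` with hard assertions.
verify_mount() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    grep -q "^/dev/mapper/$NAME $MNT reiserfs " /proc/mounts &&
        [ "$(stat -c '%U:%G %a' "$MNT")" = "bacula:bacula 750" ]
}

test_drive() {
    dev=$1 opened=0 mounted=0 rc=0
    [ -n "$dev" ] || { echo "usage: test_drive /dev/sdX" >&2; return 2; }
    # A stale mapping from an earlier run must not be reused or closed blindly.
    if [ -e "/dev/mapper/$NAME" ]; then
        echo "$NAME is already open, close it first" >&2; return 1
    fi
    {
        run cryptsetup -v luksOpen --key-file="$KEY_FILE" "$dev" "$NAME" &&
        opened=1 &&
        run mount -t reiserfs "/dev/mapper/$NAME" "$MNT" &&
        mounted=1 &&
        run chown -R bacula:bacula "$MNT" &&
        run chmod 750 "$MNT" &&
        verify_mount
    } || rc=$?
    # Undo only the stages that were reached, in reverse order.
    if [ "$mounted" = 1 ]; then run umount "$MNT" || rc=$?; fi
    if [ "$opened" = 1 ]; then run cryptsetup -v luksClose "$NAME" || rc=$?; fi
    [ "$rc" -eq 0 ] && echo "OK: $dev" || echo "FAILED: $dev (rc=$rc)" >&2
    return "$rc"
}
```

Run it as root with `test_drive /dev/sde`, or set DRY_RUN=1 first to print the commands without executing them.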


Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements on my Ubuntu Server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built-in keywords; it wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative, well written.

Thank you, this tutorial helped a huge amount. I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I've been using Bacula since the 2.4 releases and it's the first time I've found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.
