Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Automating The Process:

OK! All of your new hard drives are encrypted, and each has a filesystem inside the encrypted container which spans the entire drive. The next steps begin to pull all of this together so that creating the device-mapper block device node, unlocking the encrypted container, and mounting the filesystem in the encrypted container is all done automatically.

Configuring udev:

If the drives were not encrypted, nothing else would need to be done with regards to configuring udev.

This is true because on most current Linux systems, when a drive is plugged into the system, udev creates a block device node in /dev/ (eg: /dev/sde, /dev/sdd, etc) and also creates the appropriate symlinks in the /dev/disk/by-id, /dev/disk/by-label, /dev/disk/by-path, and /dev/disk/by-uuid - with each symlink pointing to the device's block node (eg: /dev/sde).

The drive can then be referenced by its block device node, (/dev/sde), or by any one of the symlinks created under the /dev/disk directory structure.

We could then move on to configure autofs where we are going to make use of the device's UUID symlink in the /dev/disk/by-uuid directory.

However, since our drives are encrypted, we need to address this additional issue by making some configuration additions to udev's rules so that udev can unlock the encrypted partitions on our drives and then create the required symlinks in the /dev/disk directory structure (including the /dev/disk/by-uuid directory) pointing to the device's block node of the unlocked container in the /dev/mapper directory.

Using a filesystem's UUID for referencing a removable drive is handy since the UUID will always be the same*, whereas a device's kernel block device node (/dev/sda, /dev/sdb, etc) may be different depending on the order in which it is added to the system and the number of drives presently connected etc.

*Note: A filesystem's UUID can be changed, but we are not going to do that, so for all intents and purposes the UUID will always be the same. :)

udev's Rule Files
udev's custom rules (on Gentoo) are located in the /etc/udev/rules.d directory. The filenames of the files in this directory begin with a number and the ones ending with ".rules" are processed by udevd in numeric order.

We are going to create a file called /etc/udev/rules.d/55-eSATA-LUKS.rules containing the following block of text:


KERNEL!="sd[a-z]*", GOTO="end"
ACTION=="add", PROGRAM!="/sbin/blkid -p %N", GOTO="end"
# Open luks partition if necessary
PROGRAM=="/sbin/blkid -o value -p -s TYPE %N", RESULT=="crypto_LUKS", ENV{crypto}="mapper/", ENV{device}="/dev/mapper/%k"
ENV{crypto}!="?*", ENV{device}="%N"
ACTION=="add", ENV{crypto}=="?*", RUN+="/sbin/cryptsetup luksOpen --key-file=/etc/bacula/include/Bacula_Key_File %N %k"
ACTION=="add", ENV{crypto}=="?*", TEST!="/dev/mapper/%k", GOTO="end"
ACTION=="remove", ENV{crypto}=="?*", RUN+="/sbin/cryptsetup luksClose %k"

Without going into too much detail about writing udev rules (others have done a great job already - See credits on the last page of this post), the udev rules file listed above basically says the following:

  • When a device is detected, check to see if it is a hard drive (eg: sda, sdb, sdc, and so on). If it is not, we're done, and go to the end of this rule file.
  • If it is a hard drive, check it using the blkid program to see if it is of type "crypto_LUKS"
  • It is is a "crypto_LUKS" container, unlock the encrypted container using the secure 4096 Byte key file. The cryptsetup command is passed the temporary device node %N (a temporary node which udev creates to reference the device before the device's final device node is created) and the kernel's device node %k (eg: sde). This command is responsible for unlocking the encrypted container and creating the block device node in /dev/mapper as seen previously.
  • Finally, if the udev rule was called because the device has been removed, then a command is run to close the encrypted container and remove the device-mapper block node in /dev/mapper.

Now tell udevd to reload its rule files:

root@host: # udevadm control --reload-rules

If you plug in one of your newly configured drives you should see in a new device-mapper block node created in /dev/mapper with the same name as the kernel device of the drive:

root@host: # ls -la /dev/mapper
total 0
drwxr-xr-x  2 root root     180 Jan 24 16:37 .
drwxr-xr-x 15 root root   14980 Jan 24 16:32 ..
crw-rw----  1 root root  10, 62 Jan 22 15:34 control
brw-rw----  1 root disk 254,  4 Jan 22 15:34 sde

The device-mapper block device name sde was assigned by the %k in the cryptsetup line in our udev rules file above.

If you unplug the drive and wait a few seconds, the /dev/mapper/sde block device node should be automatically removed. If this device node is not automatically created or deleted, go no further. Something is not working correctly with your udev rules and you have some troubleshooting to do. If this is all working as expected, then you are ready to configure autofs in the next section

*NOTE* - On my test system, there is a 180 second (3 minute) delay from the time I plug a drive in and the /dev/mapper block device node is created. During this delay there is a udevadm settle process running. I understand that the udevadm settle command has a 180 second default timeout, but I'd really like to understand what is causing this unneccessary delay. If someone can help me clear this one issue up I'd really appreciate it! Please leave a comment below.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements in my ubuntu server 12.04 x64.
sudo apt-get install libblkid-dev
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built in keywords, wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative ,well written.

Thank you, this tutorial helped a huge amount.I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I'm using Bacula since 2.4 releases and it's the first time I found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.


Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <b> <i> <u> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the code without spaces and pay attention to upper/lower case.