Encrypted offsite backups on auto-mounted media with Bacula & vchanger

Configuring vchanger:

Josh Fisher has not only done an excellent job on his vchanger program, but his installation and configuration documentation is some of the most detailed and clear documentation I have seen. That being the case, I will not go into too much detail on installing and configuring vchanger - there is no reason to re-invent the wheel. Instead, I will direct you to the vchanger Project Page on Sourceforge where you may download the vchanger source code and installation documentation.

Take the time to go through the vchanger documentation paying careful attention to the sections titled: 3. Overview and 4. Virtual Autochanger Implementation. These two sections will give you a clear understanding of some vchanger definitions, and the general concept of vchanger's functionality and its interaction with Bacula.

Make sure that you also go through and understand sections 8. Configuring vchanger, 9. Initializing New Magazines and 10. Testing vchanger. These sections are the core of getting vchanger to work with Bacula.

Our system consists of:

  • An external eSATA dock.
  • Six (6) encrypted 750GB SATA drives.
  • Each drive contains sixty-nine (69) 10GB Bacula "file" volumes.
  • All volumes are in one pool called "Offsite-eSATA"

For reference, our vchanger.conf file is listed below with all comments and blank lines removed. The vchanger documentation and the comments in the default vchanger.conf file are very detailed and helpful and many of the settings are self-explanatory, but one setting to note is the "automount dir" line.

This line tells vchnager under which directory that autofs has been configured to automount the filesystems on the encrypted partitions and therefore where to expect to find its magazines, drives, and volumes. Since we are using autofs to automount our drives, we need to uncomment the "automount dir" line and define this setting as "/mnt/eSATA-1_Backups", the same directory configured in our /etc/autofs/auto.master file.

The UUIDs in the lines defining our magazines were the UUIDs reported by the blockid program earlier during testing, as well as by the mkreiserfs program when the filesystems were created.

/etc/bacula/include/vchanger.conf

changer_name = "c0"
work_dir = /var/lib/bacula/vchanger/c0
logfile = /var/lib/bacula/vchanger/c0.log
log_level = LOG_ERR
Virtual_Drives = 1
slots_per_magazine = 69
magazine_bays = 1
automount_dir = /mnt/eSATA-1_Backups

magazine = "UUID:6c5b725d-50c4-4605-b750-4f23575b9b5f"
magazine = "UUID:e6ffe50b-bbe7-854f-fea8-766ae1265eba"
magazine = "UUID:f73dedc6-e570-e605-02d3-5ad3a07519b9"
magazine = "UUID:267e5d28-8c20-f5ed-fca6-ae051b01c9f3"
magazine = "UUID:d9e60274-a828-e2ea-c07f-1a11ca7141a2"
magazine = "UUID:8e30757a-2f10-cde3-29e8-ca4a36d18134"

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Few Modifications

A few things I ran into running this on current versions of cryptsetup.

1. You can create the encrypted drive WITH key in one command now;
cryptsetup -v luksFormat /dev/sdb --key-file /etc/bacula/include/Bacula_Key_File

2. There is a new format for the arguments? for key-file. For example;
cryptsetup -v luksOpen --key-file /etc/bacula/include/Bacula_Key_File /dev/sdb tempcontainer

3. I had to install some requirements in my ubuntu server 12.04 x64.
sudo apt-get install libblkid-dev
and
sudo apt-get install uuid-dev

4. I had a lot of trouble with the Client = None and Fileset = None. I thought they were built in keywords, wasn't until I read http://blog.serverfault.com/2011/01/10/some-notes-on-setting-up-backups-... that I realized they were just dummy ones created.

Very informative ,well written.

Thank you, this tutorial helped a huge amount.I've been struggling to automate the decryption and mounting/unmounting. This tutorial enabled me to accomplish exactly what we needed.

Great job!

Hi! Great job with this howto!

I'm using Bacula since 2.4 releases and it's the first time I found a solution to encrypt all the Bacula volumes and get the 'perfect' OUT-OF-OFFICE solution.

Thanks!

Thanks so much for this!
Incredibly thorough. As a recent Bacula convert I've found it really useful.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <b> <i> <u> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
7
P
H
s
Y
5
Enter the code without spaces and pay attention to upper/lower case.