Backup With Bacula And LUKS Encrypted USB Disks – Part 1

Standard

I think is is time again to share some interesting stuff with you.
A few month ago, I have set up a new backup solution with Bacula and USB disks as backup media. I am not going to argue why Bacula is our preferred backup software or why USB disks are great for backups. You will have to find it out on your own. So let’s get more into detail now.

As our company policies require all media to be encrypted, no excepetion was made for the backup media of cause. This were the requirements for the new system:

      1. Attached USB disks must be accessible by the system and backup software, without the need of manual actions by the backup operator
      2. The filesystem should be in an unmounted state when detaching the USB disk to prevent data corruption. Also, no manual actions should be needed.
      3. The disks have always to be mounted to the same location for Bacula to use them
      4. The backup should be as flexible as possible, e.g. it should not really matter if the disk was changed or not. This is really important on holidays, as I do not want to update volume attributes all the time.

    The solution for the first three requirements is a combination of LUKS encryption with a keyfile and an automounter like autofs. Encrypting with LUKS and a keyfile is really easy as you will see. To fulfill the last requirement I have chosen a Bacula configuration based on a virtual tape changer. But first we have to prepare udev with some config and scripts to make a device available for autofs.

    UDEV CONFIG & SCRIPTS

    /etc/udev/rules.d/99-unlock-lucks.rules
    This rules makes UDEV call /usr/local/bin/unlock-luks with the name of the new device and the name the decrypted device should get by the device mapper (here: bacula) as parameter.

    ACTION=="add",BUS=="usb",KERNEL=="sd?1",RUN+="/usr/local/bin/unlock-luks /dev/%k bacula"

    /usr/local/bin/unlock-luks
    This script takes care if a new device was attached to the system. If UDEV calls this script and the device mapper still sees the device, this is caused by the device mapper taking a long time before dropping a detached device from its database. In case the system still thinks the device is mounted, force an umount and close the crypto device before setting up the new crypto device. If this looks very strange to you, I can appease you, It’s working pretty well for month now. Of cause this script has to be made executable.

    (
  ISATTACHED=`dmsetup ls | grep ^bacula | wc -l`
  if [ $ISATTACHED -eq 1 ]
  then
    umount /dev/mapper/$2 --force
    cryptsetup luksClose $2
  fi
  cryptsetup --key-file=/etc/luks.key luksOpen $1 $2
)

    Now that UDEV is prepared let’s create some fully encrypted USB disks:

    CREATING A KEYFILE
    First of all, we need to create a good keyfile. In 2010 a 4096 bit key should be enough. To create such a keyfile dd does a good job:

    dd if=/dev/random of=/etc/luks.key bs=1024 count=4

    ENCRYPTING THE DISK
    I suppose you only have one partition on your USB disk, so encrypt it. Usually USB disks are handled by the SCSI subsystem, so it device name starts with sd. Warning: The next step overwrites any existing data on that partition.

    cryptsetup luksFormat /dev/<sd?1> /etc/luks.key

    FORMATTING THE ENCRYPTED PARTITION
    Before you really can format the partition you should unplug the disk and reattach it to the system. If your UDEV configuration and scripts work as expected, you should see the device /dev/mapper/bacula. Finally put a filesystem onto the new device with

    mke2fs -j -T largefile -L "usbchanger1" /dev/mapper/bacula

    As you can see the filesystem also gets labled with usbchanger1. This is neccesarry for the automounter to identify the filesystem. I used the largefile flag, as each volume Bacula creates is a big file of several gigabytes.

    CONFIGURING AUTOFS
    I suppose there is nothing special about the two files for you. Just create the mountpoint /mnt/usbchanger1, modify or create the two files and restart the autofs daemon.

    /etc/auto.master

    /mnt/usbchanger1    /etc/auto.usbchanger1    --timeout=10

    /etc/auto.usbchanger1

    magazine  -fstype=auto,rw  :/dev/disk/by-label/usbchanger1

    That’s all for now. You should now be able to attach an USB disk with an encrypted filesystem on it to the system and access it through the path /mnt/usbchanger1/magazine. If nothing keeps the device open it will be unmounted after ten seconds. Now you are ready to configure Bacula. I am going to explain this in part 2 of this tutorial soon.

2 thoughts on “Backup With Bacula And LUKS Encrypted USB Disks – Part 1

  1. Lots of good information, thanks for sharing.

    This may be helpful to us since we also use Bacula, and I am attempting to change our method of using “udev-plus-external-scripts” to automount/umount several eSATA drives that we use with vchanger to instead (or also) use autofs which will give us more flexibility.

    Of course each drive is encrypted via cryptsetup so the udev-called scripts open the drive and mount it decrypted. But our current method does not allow us to make use of the flexibility that vchanger offers, so again your posting may provide some help to us. Thanks.

    BTW, I noticed one thing you might want to check in your posting above:

    –[snip]–
    ENCRYPTING THE DISK
    ….
    cryptsetup luksFormat /dev/ /etc/luks.key
    –[snip]–

    Be careful there. You may have just overwrote your whole /dev directory structure, including all attached drives. Of course you didn’t actually do that, and that was surely just a typo, but some people may just cut-n-paste from your posting.

    🙂


    Bill Arlofski
    Reverse Polarity, LLC

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.