Encrypt Backup

[vzfanatic]

Hello,

I'd like to encrypt my backups. It seems there is an encryption option in vzdump command but I don't know how to set it up or use it.

Could someone guide me on how to setup a password, and, how to tell proxmox to encrypt the automated backups? I use remote storage and I want to protect my containers data. I believe I have to edit the backup config, so I'd be grateful for instructions.

Thank you!

 

[e100]

I have not seen an encryption option in vzdump.

We backup to removable hard drives and use a vzdump hook script to mount the encrypted partition using cryptsetup.

 

[bhennigar]

I know this may be a little out of date but may I get more information about how your encrypting the backups to removable hard drives?

 

[e100]

Please do not blindly follow this information, your devices paths may be different and this is mostly just from my memory which may be flawed.
In my setup I have a hot swap SATA bay that is connected to the motherboard and the BIOS uses AHCI which hot swaps well on every system I have used so far.

First you need to create an encrypted disk:

apt-get install cryptsetup

#Create a key file
dd if=/dev/urandom of=/etc/keyfile bs=1024 count=4
chmod 600 /etc/keyfile

#Partition your disk
parted /dev/sdj
mklabel gpt 
mkpart primary ext3 1 3000.00GB 

#Make the new encrypted volume:
cryptsetup luksFormat /dev/sdj1 /etc/keyfile

#If you want to add a password that can also decrypt the volume:
cryptsetup luksAddKey /dev/sdj1 --key-file=/etc/util/keyfile

#Open the encrypted volume:
cryptsetup luksOpen /dev/sdj1 backup --key-file=/etc/keyfile

#Create a filesystem on the encrypted volume:
mkfs.ext4 /dev/mapper/backup

#Close the encrypted volume:
cryptsetup luksClose backup

Create a hook script that can mount your encrypted volume.

/usr/local/bin/vzdump-hook.sh

#!/bin/bash

if [ "$1" == "job-start" ]
then
        #echo "INFO: Calling cryptsetup"
        cryptsetup luksOpen [B]/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1[/B] backup --key-file=/etc/keyfile

        #Sun/Mon/Tue/Wed/Thu/Fri/Sat
        if [[ `date  "+%a"` == "Sat" || `date  "+%a"` == "Sun" ]]
        then
                e2fsck -y /dev/mapper/backup
        fi
        mount -o barrier=0,noatime,data=writeback /dev/mapper/backup /backup

fi

if [[ "$1" == "job-end" || "$1" == "job-abort" ]]
then
        #echo "Closing access to disk"
        sync
        umount /backup

        #close encryption
        cryptsetup luksClose backup
fi

NOTE:
The bold path defines where to find the backup disk.
Using by-path you can ensure that the same port is used each time you swap a disk, it might be /dev/sde one day and /dev/sdf the next but the by-path will remain the same.
To figure out the path I usually just look at the output of:

ls -la /dev/disk/by-path/

Make the script executible:

chmod 755 /usr/local/bin/vzdump-hook.sh

edit /etc/vzdump.conf and add this:

script: /usr/local/bin/vzdump-hook.sh

You will also need to create the folder /backup (or wherever you want the encrypted volume mounted) and add that directory as backup storage path in Proxmox.

Don't forget to backup your key file to a safe place.

 

[bhennigar]

This looks fantastic! I will try it out on my test box in the next few days
So once I have this set up, I'd continue to use the backup scheduler in the proxmox web console?

 

[e100]

Yes, whenever vzdump runs it will run the hook script.

Since it also unmounts and closes the encrypted volume you can swap the disk anytime a backup is not running.

I've been running this backup method for at least three years now. We have four disks for each server, three disks stored off site and one disk in the server rotated weekly.

The only downside to this is the weight of the disks.