Encrypt Backup

vzfanatic

Hello,

I'd like to encrypt my backups. It seems there is an encryption option in vzdump command but I don't know how to set it up or use it.

Could someone guide me on how to setup a password, and, how to tell proxmox to encrypt the automated backups? I use remote storage and I want to protect my containers data. I believe I have to edit the backup config, so I'd be grateful for instructions.

Thank you!
 
Please do not blindly follow this information; your device paths may be different and this is mostly just from my memory, which may be flawed.
In my setup I have a hot swap SATA bay that is connected to the motherboard, and the BIOS uses AHCI, which hot swaps well on every system I have used so far.

First you need to create an encrypted disk:
Code:
apt-get install cryptsetup

#Create a key file (4 KiB of random data, readable by root only)
dd if=/dev/urandom of=/etc/keyfile bs=1024 count=4
chmod 600 /etc/keyfile

#Partition your disk (mklabel/mkpart/quit are typed at the parted prompt)
parted /dev/sdj
mklabel gpt
mkpart primary ext3 1 3000.00GB
quit

#Make the new encrypted volume (this destroys everything on /dev/sdj1):
cryptsetup luksFormat /dev/sdj1 /etc/keyfile

#If you want to add a password that can also decrypt the volume
#(unlocks with the existing key file, then prompts for the new passphrase):
cryptsetup luksAddKey /dev/sdj1 --key-file=/etc/keyfile

#Open the encrypted volume (creates /dev/mapper/backup):
cryptsetup luksOpen /dev/sdj1 backup --key-file=/etc/keyfile

#Create a filesystem on the encrypted volume:
mkfs.ext4 /dev/mapper/backup

#Close the encrypted volume:
cryptsetup luksClose backup

Create a hook script that can mount your encrypted volume.

/usr/local/bin/vzdump-hook.sh
Code:
#!/bin/bash

if [ "$1" == "job-start" ]
then
        #echo "INFO: Calling cryptsetup"
        #Exit non-zero if the volume cannot be opened so vzdump aborts the job
        #instead of writing into the plain /backup directory on the root filesystem
        cryptsetup luksOpen /dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0-part1 backup --key-file=/etc/keyfile || exit 1

        #Sun/Mon/Tue/Wed/Thu/Fri/Sat: run a filesystem check at the weekend
        if [[ $(date "+%a") == "Sat" || $(date "+%a") == "Sun" ]]
        then
                e2fsck -y /dev/mapper/backup
        fi
        #Same rule for the mount: a failed mount must abort the backup
        mount -o barrier=0,noatime,data=writeback /dev/mapper/backup /backup || exit 1

fi

if [[ "$1" == "job-end" || "$1" == "job-abort" ]]
then
        #echo "Closing access to disk"
        sync
        umount /backup

        #close encryption
        cryptsetup luksClose backup
fi
NOTE:
The /dev/disk/by-path/... device on the luksOpen line defines where to find the backup disk.
Using by-path you can ensure that the same port is used each time you swap a disk; it might be /dev/sde one day and /dev/sdf the next, but the by-path name will remain the same.
To figure out the path I usually just look at the output of:
Code:
ls -la /dev/disk/by-path/

Make the script executable:
Code:
chmod 755 /usr/local/bin/vzdump-hook.sh

Edit /etc/vzdump.conf and add this:
Code:
script: /usr/local/bin/vzdump-hook.sh

You will also need to create the folder /backup (or wherever you want the encrypted volume mounted) and add that directory as backup storage path in Proxmox.

Don't forget to backup your key file to a safe place.
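As an added example (not code from the thread or from Proxmox), a guard that the job-start branch of the hook can call right after the mount line: it verifies that /backup really is the dm-crypt mapping named backup, so a luksOpen or mount that failed quietly cannot leave vzdump writing an unencrypted dump into the empty /backup directory on the root filesystem. The function names and the sample /proc/mounts and dmsetup lines are constructed; the mapping name, mount point and key file are the thread's.

```shell
#!/bin/sh
# Added guard for vzdump-hook.sh (not from the thread). Call it in the
# job-start branch after the mount line:  check_backup_target || exit 1
# A non-zero exit from the hook makes vzdump abort the job instead of
# dumping into the plain /backup directory on the root filesystem.

# Pure check on /proc/mounts-style text (testable offline):
#   $1 = mount point, $2 = expected source device, $3 = mounts text
# Field 1 is the source, field 2 the mount point; /proc/mounts escapes
# spaces as \040, so plain paths compare directly.
mounted_from() {
    printf '%s\n' "$3" | awk -v mnt="$1" -v dev="$2" \
        '$2 == mnt && $1 == dev { found = 1 } END { exit !found }'
}

# Pure check on one "dmsetup table <name>" line: field 3 is the target
# type and must be "crypt" for a LUKS (dm-crypt) mapping. An empty
# string (dmsetup failed or mapping absent) is rejected too.
is_crypt_table() {
    set -- $1
    [ "$3" = "crypt" ]
}

# Live check using the thread's names: mapping "backup" at /backup.
check_backup_target() {
    mounted_from /backup /dev/mapper/backup "$(cat /proc/mounts)" || {
        echo "ERROR: /backup is not mounted from /dev/mapper/backup" >&2
        return 1
    }
    is_crypt_table "$(dmsetup table backup 2>/dev/null)" || {
        echo "ERROR: mapping 'backup' is not a dm-crypt target" >&2
        return 1
    }
    return 0
}
```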
 
This looks fantastic! I will try it out on my test box in the next few days.
So once I have this set up, I'd continue to use the backup scheduler in the proxmox web console?
 
Yes, whenever vzdump runs it will run the hook script.

Since it also unmounts and closes the encrypted volume you can swap the disk anytime a backup is not running.

I've been running this backup method for at least three years now. We have four disks for each server, three disks stored off site and one disk in the server rotated weekly.

The only downside to this is the weight of the disks.
 