Removable datastore with LUKS on a USB hard drive

jonathan.young

I have a USB hard drive encrypted with LUKS currently connected to my Proxmox Backup Server through a mount point defined in fstab. I would like to be able to use the 'Removable Datastore' feature with this drive but unfortunately it does not work. Looking inside datastore.cfg, I can see normal (unremovable) datastores have a path whereas removable datastores additionally have a backing device which is the UUID of the partition on the USB drive. Although LUKS partitions have a UUID they point to /dev/mapper/dm? rather than the physical device which seems to break this functionality.

Before anyone suggests it, the reason I am using LUKS on this partition is because the backups inside the datastore are unencrypted and I want to be able to keep this USB drive both offsite and secure (as part of my 1-2-3 backup plan). The (unencrypted) backups on this drive are copied over from my main datastore and I would rather not encrypt everything, not only for the CPU overhead but also for the complexity it would add to my system.

Like I say, it works fine: it would just be nice to be able to use the newly added 'Removable Datastore' functionality for my encrypted USB drive.

Can anyone help? Thanks in advance.
 
I'd also like to find a way for this functionality to work with removable datastore for the same reasons you mentioned.
Currently it is scripted to add/remove the datastore every time, but this is not optimal. Does anyone have a solution?
 
I am not sure if it's possible to use the UUID of the contained FS with removable datastores (have you tried?) - in any case the locking/unlocking/LUKS handling would still need to be done by you/your scripts.
 
Interestingly, I came across this thread hunting for this type of feature.

I currently use a backup system that I've built over 20+ years of use that uses rsync + snapshots + btrfs that also backs up the latest VM contents to an external disk when inserted / hotplugged. This uses LUKS etc as well as BTRFS snapshots on the removable drive.

In looking at moving to PBS, I'd need to replicate this type of functionality where I have 3 x external disks that get plugged in to sync the latest backups on Tues / Thurs / Weekend.

The more automated the better in my case - but I can't find any documentation on how PBS handles removable volumes to know how difficult this would end up being.
 
So, here's what I've come up with so far......

I hooked into udev via /etc/udev/rules.d/local.rules as:
Code:
KERNEL=="sda", ACTION=="add", ENV{SYSTEMD_WANTS}+="backup_to_usb.service"
KERNEL=="sdb", ACTION=="add", ENV{SYSTEMD_WANTS}+="backup_to_usb.service"

That fires off the following systemd service when a drive is hotplugged as /dev/sda or /dev/sdb:
Code:
[Unit]
Description=Backup system to usb drive

[Service]
Type=oneshot
ExecStart=/root/bin/run-usb-backup

[Install]
WantedBy=multi-user.target

Then the script /root/bin/run-usb-backup is as follows:

Code:
#!/bin/bash
shopt -s nullglob

for drv in /dev/sd*; do
        # Only act on devices that carry a LUKS header
        if /usr/sbin/cryptsetup isLuks "$drv"; then
                echo "Scanned $drv: LUKS"
                UUID=$(blkid -o value -s UUID "$drv")
                echo " - UUID: $UUID"
                # The keyfile is named after the LUKS UUID of the device
                if [ ! -f "/root/keyfiles/$UUID" ]; then
                        echo "No keyfile found... Skipping..."
                        continue
                fi

                cryptsetup open --key-file "/root/keyfiles/$UUID" "$drv" "luks-$UUID"
                # The filesystem label is the datastore name and the sync job ID
                LABEL=$(e2label "/dev/mapper/luks-$UUID")
                if [ -z "$LABEL" ]; then
                        echo "No label found... Exiting..."
                        exit 1
                fi
                echo " - LABEL: $LABEL"
                # Stop here if the mount fails, so nothing is written to the bare mountpoint
                mount "/dev/mapper/luks-$UUID" "/mnt/datastore/$LABEL" || { cryptsetup close "luks-$UUID"; continue; }
                proxmox-backup-manager datastore update "$LABEL" --delete maintenance-mode

                # Touch /no-auto-backup to attach the disk without running the jobs
                if [ ! -f /no-auto-backup ]; then
                        proxmox-backup-manager sync-job run "$LABEL"
                        proxmox-backup-manager garbage-collection start "$LABEL"
                        proxmox-backup-manager datastore update "$LABEL" --maintenance-mode offline
                        sync && sync && sync
                        umount "/mnt/datastore/$LABEL"
                        cryptsetup close "luks-$UUID"
                        udisksctl power-off -b "$drv"
                fi
        else
                echo "Scanned $drv: Not LUKS"
        fi
done

The USB drives are prepared via `cryptsetup luksFormat --key-file /root/keyfiles/<uuid> /dev/sda1` - and then a filesystem created on it with `mkfs.ext4 -L $LABEL` - where $LABEL matches a datastore name in PBS.

It would be much better if PBS understood LUKS and gave you the option to wipe a disk and then create a LUKS encrypted datastore on it - I'm not sure it'd be that much of a deviation from the existing workflow - but this seems to work for now...

Oh, and if you touch a file called `/no-auto-backup`, then the disk will attach, become online, but not auto-run the sync job and GC...

And yeah - set up a job for the sync with your preferences, and make sure you call it the same as the FS label as the Job ID.
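
Added example, not part of any post in this thread: pre-flight checks a root-run hotplug script like the one above could call before it unlocks, mounts and syncs, since the UUID and filesystem label are read from the removable disk and then used in paths and PBS commands. The function names and the label policy are assumptions; `stat -c` is the GNU coreutils form.

```bash
#!/bin/sh
# Added example (hypothetical helper names); POSIX sh, also valid in bash.

# The label is read from the plugged-in disk and becomes a path component
# and a datastore name. Assumed policy: 1-16 characters (the ext4 label
# limit), letters, digits, '_' and '-', starting with a letter or digit.
valid_label() (
    LC_ALL=C
    label=$1
    [ "${#label}" -ge 1 ] && [ "${#label}" -le 16 ] || return 1
    case $label in
        [!A-Za-z0-9]*) return 1 ;;      # must start alphanumeric
        *[!A-Za-z0-9_-]*) return 1 ;;   # rejects '/', '.', spaces, newlines
    esac
)

# The UUID builds the keyfile path and the mapper name: require the
# 36-character form made only of hex digits and dashes.
valid_uuid() (
    LC_ALL=C
    [ "${#1}" -eq 36 ] || return 1
    case $1 in *[!0-9a-fA-F-]*) return 1 ;; esac
)

# The keyfile must be a regular file (not a symlink), owned by the expected
# uid (default 0), with no group or other permission bits set.
keyfile_ok() (
    file=$1 owner_uid=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    meta=$(stat -c '%u %a' -- "$file") || return 1
    [ "${meta% *}" = "$owner_uid" ] || return 1
    # %a is the octal mode; its last two digits are group and other
    case ${meta#* } in 0|*00) return 0 ;; *) return 1 ;; esac
)

# True only if $2 is a mountpoint backed by device $1, so a failed mount
# cannot lead to a sync job writing into the bare directory on the root fs.
mounted_from() (
    [ "$(findmnt -n -o SOURCE -M "$2" 2>/dev/null)" = "$1" ]
)
```

In a script of that shape, `valid_uuid` and `keyfile_ok` would run before `cryptsetup open`, `valid_label` right after `e2label`, and `mounted_from` before the sync job starts.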
 
supporting LUKS there out of the box might be a nice addition - do you mind filing an enhancement request?