
Product Version: 6.0
Last Modified: 31 Dec 2015

Question

How can I manually encrypt a Backup Repository?

Background

Starting from version 5.7, you can create Backup Repositories with the encryption option.
If you still want to encrypt your Backup Repository manually, refer to the information below.

To keep VM backups in encrypted form, you can set up an AES-256 encrypted volume on a Linux machine and then create a Backup Repository on that volume. Note that the volume must be unlocked (decrypted) before data can be written to it. After a backup is complete, the Backup Repository can be detached in the product (to ensure that the data is consistent) and the volume can be unmounted (so it becomes encrypted again). Before the next job run, the volume should be decrypted and the Backup Repository should be attached to the product. These operations can be automated with scripts and the NAKIVO Backup & Replication HTTPS APIs.

Solution

Follow the steps below to set up an encrypted volume on an Ubuntu machine.

Prerequisites

Ubuntu 12.04 x64 machine with Transporter installed or Transporter Virtual Appliance.

Step 1: Prepare a Linux Machine

  1. Log in to the machine as root or switch to root using: 

    su

  2. Install required packages:

    apt-get update

    apt-get install -y scsitools cryptsetup

  3. Add a new SCSI disk to the machine. The disk will be used to store the Backup Repository and should have enough space to keep your backups.
  4. Rescan the SCSI bus for new hardware by executing the following command:

    rescan-scsi-bus

  5. Identify the attached disk label: in the output of the following command, look for the “sdX” name on a line such as “sdd: unknown partition table”:

    dmesg | tail

Step 2: Set up and mount the encrypted filesystem

Let’s assume the volume is recognized by your system as /dev/sdb.

  1. Set up the cryptographic device mapper (AES, 256-bit key, password hashing with sha256):

    cryptsetup -y -c aes -s 256 -h sha256 create CUSTOM_LABEL /dev/sdb

  2. Enter a password and confirm it.
  3. Format the created volume with a filesystem (ext3, ext4, xfs…). For example:

    mkfs.ext4 -m 0 /dev/mapper/CUSTOM_LABEL

  4. Create a directory for unlocked repository (to be used by the product):

    mkdir /opt/nakivo/CUSTOM_LABEL

  5. Instruct the OS to mount the encrypted device on each boot:

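    # The mapping name and the cipher, key size and hash must match step 1
    echo "CUSTOM_LABEL /dev/sdb none cipher=aes,size=256,hash=sha256" >> /etc/crypttab

    echo "/dev/mapper/CUSTOM_LABEL /opt/nakivo/CUSTOM_LABEL ext4 defaults 0 2" >> /etc/fstab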

  6. Mount the volume and configure permissions:

    mount /opt/nakivo/CUSTOM_LABEL

    chown bhsvc:bhsvc /opt/nakivo/CUSTOM_LABEL

    chmod 770 /opt/nakivo/CUSTOM_LABEL

The encrypted filesystem will be mounted to the folder /opt/nakivo/CUSTOM_LABEL on each system boot. Note that you need to enter the password each time the system boots. Otherwise, the data won’t be decrypted.
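
Added example, not part of the original article or of NAKIVO's tooling: `cryptsetup create` sets up a plain dm-crypt mapping with no on-disk header, so the boot-time files must repeat the mapping name and the step 1 parameters exactly, or the volume opens as unreadable data. The hypothetical `check_crypt_config` function below compares a crypttab and an fstab file against them; it assumes the parameters are written as the crypttab options `cipher=aes,size=256,hash=sha256`, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not NAKIVO code. Plain dm-crypt ("cryptsetup create") keeps no
# header on disk, so the boot-time files must repeat the step 1 parameters.

# check_crypt_config NAME DEVICE MOUNTPOINT CRYPTTAB_FILE FSTAB_FILE
# Prints one line per inconsistency; returns 0 if none are found, 1 otherwise.
check_crypt_config() {
    name=$1; dev=$2; mnt=$3; crypttab=$4; fstab=$5
    want="cipher=aes size=256 hash=sha256"   # assumed form of -c aes -s 256 -h sha256
    bad=0

    # crypttab fields: <mapping name> <source device> <key file> <options>
    entry=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "crypttab: no mapping named $name"; bad=1
    else
        read -r skip cdev skip copts <<EOF
$entry
EOF
        [ "$cdev" = "$dev" ] || { echo "crypttab: device $cdev, expected $dev"; bad=1; }
        for opt in $want; do
            case ",$copts," in
                *",$opt,"*) ;;
                *) echo "crypttab: option $opt missing"; bad=1 ;;
            esac
        done
    fi

    # fstab fields: <device> <mount point> <type> <options> <dump> <pass>
    fsline=$(awk -v d="/dev/mapper/$name" '$1 == d { print; exit }' "$fstab")
    if [ -z "$fsline" ]; then
        echo "fstab: no entry for /dev/mapper/$name"; bad=1
    else
        read -r skip fmnt skip <<EOF
$fsline
EOF
        [ "$fmnt" = "$mnt" ] || { echo "fstab: mount point $fmnt, expected $mnt"; bad=1; }
    fi
    return $bad
}

# Constructed sample files: mapping name and hash option do not match step 1.
demo=$(mktemp -d)
echo "crypt /dev/sdb none cipher=aes,size=256" > "$demo/crypttab"
echo "/dev/mapper/CUSTOM_LABEL /opt/nakivo/CUSTOM_LABEL ext4 defaults 0 2" > "$demo/fstab"
check_crypt_config CUSTOM_LABEL /dev/sdb /opt/nakivo/CUSTOM_LABEL \
    "$demo/crypttab" "$demo/fstab" || echo "fix the entries above before rebooting"
rm -rf "$demo"
```

On a live system, pass `/etc/crypttab` and `/etc/fstab` as the last two arguments before rebooting.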

Step 3: Create a backup repository on the encrypted volume

  1. Open Configuration > Repositories in NAKIVO Backup & Replication.
  2. Click Add Repository.
  3. Choose Local folder on the assigned transporter from the Type menu.
  4. In the Assigned transporter menu, choose the Transporter installed on the Linux machine with the encrypted volume.
  5. Enter /opt/nakivo/CUSTOM_LABEL for the path.
  6. Click Add.

You have now created a backup repository on the encrypted volume.

NOTE: The size of the backup repository cannot be changed after the initial setup.


