Product Version: 10.0
Last Modified: 13 July 2020
How do I manually encrypt a Backup Repository?
If you still want to encrypt your Backup Repository manually, refer to the information below.
To keep VM backups in an encrypted form, you can set up an AES 256 encrypted volume on a Linux machine and then create a Backup Repository on the encrypted volume. Note that the volume should be unencrypted in order to write data to it. After a backup has completed, the Backup Repository can be detached in the product (to ensure that the data is consistent) and the volume can be unmounted (so it is encrypted again). Before the next job run, the volume should be decrypted and the Backup Repository should be attached to the product. These operations can be automated with scripts and by using NAKIVO Backup & Replication HTTPS APIs.
Follow the steps below to set up an encrypted volume on a Ubuntu machine.
Step 1: Prepare a Linux Machine
- Log in to the machine as root or switch to root using:
- Install the required packages:
apt-get install -y scsitools cryptsetup
- Add a new SCSI disk to the machine. The disk will be used to store the Backup Repository and should have enough space to keep your backups.
- Rescan the SCSI bus for new hardware by executing the following command:
- Identify the attached disk label – look for “sdX” in the output of the following command with the “ sdd: unknown partition table”:
dmesg | tail
Step 2: Set up and mount the encrypted filesystem
Let’s assume that the volume is recognized by your system as /dev/sdb.
- Set up the cryptographic device mapper (AES, 256-bit key, password hashing with sha256):
cryptsetup -y -c aes -s 256 -h sha256 create CUSTOM_LABEL /dev/sdb
- Enter a password and confirm it.
- Format the created volume into a filsystem (ext3, ext4, xfs…). For example:
mkfs.ext4 -m 0 /dev/mapper/CUSTOM_LABEL
- Create a directory for the unlocked repository (to be used by the product):
- Instruct the OS to mount the encrypted device on each boot:
echo “crypt /dev/sdb none none” >> /etc/crypttab
echo “/dev/mapper/CUSTOM_LABEL /opt/nakivo/CUSTOM_LABEL ext4 defaults 0 2″ >> /etc/fstab
- Mount the volume and configure permissions:
chown bhsvc:bhsvc /opt/nakivo/CUSTOM_LABEL
chmod 770 /opt/nakivo/CUSTOM_LABEL
The encrypted file system will be mounted to the folder /opt/nakivo/CUSTOM_LABEL on each system boot. Note that you need to enter the password each time the system boots. Otherwise, the data is not decrypted.
Step 3: Create a Backup Repository on the encrypted volume
- Go to Settings>Repositories in NAKIVO Backup & Replication.
- Click Add Backup Repository.
- Select Local folder on the Type page of the Create Backup Repository wizard and click Next.
- On the Name and Location of the wizard, choose the Transporter installed on the Linux machine with the encrypted volume from the Assigned transporter menu.
- Enter /opt/nakivo/CUSTOM_LABEL for the path.
- Click Next and complete the wizard.
You have now created a Backup Repository on the encrypted volume.
NOTE: The size of the Backup Repository cannot be changed after the initial setup.