Product Version: 6.0
Last Modified: 31 Dec 2015
How can I manually encrypt a Backup Repository?
Starting from version 5.7, you can create Backup Repositories with the encryption option.
If you still want to encrypt your Backup Repository manually, refer to the information below.
To keep VM backups in encrypted form, you can set up an AES-256 encrypted volume on a Linux machine and then create a Backup Repository on that volume. Note that the volume has to be decrypted (unlocked) before data can be written to it. After a backup is complete, the Backup Repository can be detached in the product (to ensure that the data is consistent) and the volume can be unmounted (so it becomes encrypted again). Before the next job run, the volume should be decrypted and the Backup Repository should be attached to the product again. These operations can be automated with scripts and the NAKIVO Backup & Replication HTTPS APIs.
Follow the steps below to set up an encrypted volume on an Ubuntu machine.
Step 1: Prepare a Linux Machine
- Log in to the machine as root or switch to root using:
- Install required packages:
apt-get install -y scsitools cryptsetup
- Add a new SCSI disk to the machine. The disk will be used to store the Backup Repository and should have enough space to keep your backups.
- Rescan the SCSI bus for new hardware by executing the following command:
- Identify the name of the attached disk: in the output of the following command, look for the “sdX” device on a line such as “sdd: unknown partition table”:
dmesg | tail
Step 2: Set up and mount the encrypted filesystem
Let’s assume the volume is recognized by your system as /dev/sdb.
- Set up the cryptographic device mapper (AES, 256-bit key, password hashing with sha256):
cryptsetup -y -c aes -s 256 -h sha256 create CUSTOM_LABEL /dev/sdb
- Enter a password and confirm it.
- Format the created volume with a filesystem (ext3, ext4, xfs…). For example:
mkfs.ext4 -m 0 /dev/mapper/CUSTOM_LABEL
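- Create a directory for the unlocked repository (to be used by the product):
- Instruct the OS to mount the encrypted device on each boot. The crypttab entry must use the same mapping name and the same cipher, key size and hash as the cryptsetup command above; otherwise the volume is opened with a different key and cannot be mounted:
echo "CUSTOM_LABEL /dev/sdb none cipher=aes,size=256,hash=sha256" >> /etc/crypttab
echo "/dev/mapper/CUSTOM_LABEL /opt/nakivo/CUSTOM_LABEL ext4 defaults 0 2" >> /etc/fstab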
- Mount the volume and configure permissions:
chown bhsvc:bhsvc /opt/nakivo/CUSTOM_LABEL
chmod 770 /opt/nakivo/CUSTOM_LABEL
The encrypted filesystem will be mounted to the folder /opt/nakivo/CUSTOM_LABEL on each system boot. Note that you need to enter the password each time the system boots. Otherwise, the data won’t be decrypted.
Step 3: Create a backup repository on the encrypted volume
- Open Configuration > Repositories in NAKIVO Backup & Replication.
- Click Add Repository.
- Choose Local folder on the assigned transporter from the Type menu.
- In the Assigned transporter menu, choose the Transporter installed on the Linux machine with the encrypted volume.
- Enter /opt/nakivo/CUSTOM_LABEL for the path.
- Click Add.
You have now created a backup repository on the encrypted volume.
NOTE: The size of the backup repository cannot be changed after the initial setup.
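The unlock-before-backup and lock-after-backup cycle described at the top of this article can be scripted as shown below. This is an added example, not NAKIVO's own script: it assumes the device, mapping name, mount path and ext4 filesystem from Steps 2 and 3, and leaves detaching and attaching the repository (done in the product or through its HTTPS APIs) outside the script.

```bash
#!/usr/bin/env bash
# Added example (not NAKIVO's script): unlock and lock the volume from Step 2.
NAME="${NAME:-CUSTOM_LABEL}"     # mapping name from the article
DEV="${DEV:-/dev/sdb}"           # disk assumed in Step 2
MNT="${MNT:-/opt/nakivo/$NAME}"  # repository path from Step 3
FSTYPE="${FSTYPE:-ext4}"         # filesystem created with mkfs.ext4

unlock_volume() {
  # Already mapped: nothing to unlock, and re-creating would fail.
  if cryptsetup status "$NAME" >/dev/null 2>&1; then
    echo "$NAME is already unlocked" >&2
  else
    # Same cipher, key size and hash as the article's create command
    # (without -y, which only matters when choosing a new password).
    cryptsetup -c aes -s 256 -h sha256 create "$NAME" "$DEV" || return 1
  fi
  # This mode stores no header on disk, so a mistyped password still
  # produces a mapping, only with unreadable contents. Require the expected
  # filesystem signature before mounting, and never run mkfs here.
  found=$(blkid -o value -s TYPE "/dev/mapper/$NAME" 2>/dev/null) || found=""
  if [ "$found" != "$FSTYPE" ]; then
    echo "no $FSTYPE filesystem on $NAME: wrong password or device?" >&2
    cryptsetup remove "$NAME"
    return 2
  fi
  mountpoint -q "$MNT" || mount "/dev/mapper/$NAME" "$MNT"
}

lock_volume() {
  # Detach the repository in the product before calling this.
  if mountpoint -q "$MNT"; then
    umount "$MNT" || return 1   # fails while files are still open
  fi
  cryptsetup remove "$NAME"     # data at rest is ciphertext again
}

case "${1:-}" in
  unlock) unlock_volume ;;
  lock)   lock_volume ;;
esac
```

Call it with `unlock` before a job run and with `lock` once the repository has been detached.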