Manual Backup Repository Encryption

Product version: 10.0

Last modified: 13 July 2020

Question

How do I manually encrypt a Backup Repository?

Background

If you still want to encrypt your Backup Repository manually, refer to the information below.

To keep VM backups in an encrypted form, you can set up an AES-256 encrypted volume on a Linux machine and then create a Backup Repository on that volume. Note that the volume must be unlocked (decrypted) while the product writes to it. After a backup has completed, the Backup Repository can be detached in the product (to ensure that the data on disk is consistent) and the volume can be unmounted and its mapping closed, so that only ciphertext remains on the disk. Before the next job run, the volume must be unlocked again and the Backup Repository attached to the product. These operations can be automated with scripts and by using NAKIVO Backup & Replication HTTPS APIs.

Answer

Follow the steps below to set up an encrypted volume on an Ubuntu machine.

Prerequisites

An Ubuntu 12.04 x64 machine with a Transporter installed on it, or a Transporter Virtual Appliance.

Step 1: Prepare a Linux Machine

  1. Log in to the machine as root or switch to root using:

    su

  2. Install the required packages:

    apt-get update

    apt-get install -y scsitools cryptsetup

  3. Add a new SCSI disk to the machine. The disk will be used to store the Backup Repository and should have enough space to keep your backups.

  4. Rescan the SCSI bus for new hardware by executing the following command:

    rescan-scsi-bus

  5. Identify the device name of the attached disk: look for a line such as “sdd: unknown partition table” (the “sdX” part is the new device name) in the output of the following command:

    dmesg | tail

Step 2: Set up and mount the encrypted filesystem

Let’s assume that the volume is recognized by your system as /dev/sdb.

  1. Set up the cryptographic device mapper (AES, 256-bit key, password hashing with sha256):

    cryptsetup -y -c aes -s 256 -h sha256 create CUSTOM_LABEL /dev/sdb

  2. Enter a password and confirm it.

  3. Format the created volume with a filesystem (ext3, ext4, xfs, etc.). For example:

    mkfs.ext4 -m 0 /dev/mapper/CUSTOM_LABEL

  4. Create a directory for the unlocked repository (to be used by the product):

    mkdir /opt/nakivo/CUSTOM_LABEL

  5. Instruct the OS to set up the mapping and mount the encrypted device on each boot. The first field of the crypttab entry must be the same mapping name used in step 1 (otherwise /dev/mapper/CUSTOM_LABEL does not exist when fstab is processed), and the options must repeat the cipher, key size and hash given to cryptsetup, because a plain dm-crypt volume stores no header from which to recall them:

    echo "CUSTOM_LABEL /dev/sdb none cipher=aes,size=256,hash=sha256" >> /etc/crypttab

    echo "/dev/mapper/CUSTOM_LABEL /opt/nakivo/CUSTOM_LABEL ext4 defaults 0 2" >> /etc/fstab

  6. Mount the volume and configure permissions:

    mount /opt/nakivo/CUSTOM_LABEL

    chown bhsvc:bhsvc /opt/nakivo/CUSTOM_LABEL

    chmod 770 /opt/nakivo/CUSTOM_LABEL

The encrypted filesystem will be mounted at /opt/nakivo/CUSTOM_LABEL on each system boot. Note that you have to enter the passphrase at every boot; until you do, the volume stays locked and the repository data is not available.
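The lock/unlock cycle described in the Background section, and a check for the crypttab/fstab pairing from step 5, as an added example (this is not a NAKIVO script). It assumes the mapping name CUSTOM_LABEL, the device /dev/sdb and the mount point from Step 2; detaching and attaching the repository in the product is done separately and is not shown.

```shell
#!/bin/sh
# Added example, not NAKIVO's own code. Values below are the ones assumed in Step 2.
LABEL="CUSTOM_LABEL"
DEVICE="/dev/sdb"
MOUNTPOINT="/opt/nakivo/${LABEL}"

# Lock the repository volume after a job (run after detaching the repository in
# the product): unmount the filesystem and tear down the dm-crypt mapping so that
# only ciphertext remains on the disk.
lock_repo() {
    umount "$MOUNTPOINT" || return 1
    cryptsetup remove "$LABEL"
}

# Unlock the volume before the next job: a plain dm-crypt volume has no header,
# so the mapping must be re-created with exactly the parameters used at setup.
# cryptsetup prompts for the passphrase; then mount via the fstab entry.
unlock_repo() {
    cryptsetup -c aes -s 256 -h sha256 create "$LABEL" "$DEVICE" || return 1
    mount "$MOUNTPOINT"
}

# Verify that the mapping name in crypttab is the <name> of the /dev/mapper/<name>
# device that fstab mounts at the given mount point. A mismatch (for example a
# crypttab entry named "crypt") leaves the repository unmounted after reboot.
# Prints the first problem found and returns 1; returns 0 when consistent.
check_boot_config() {
    crypttab="$1"; fstab="$2"; mp="$3"
    mapper=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp {print $1; exit}' "$fstab")
    if [ -z "$mapper" ]; then
        echo "no fstab entry for $mp"; return 1
    fi
    name=${mapper#/dev/mapper/}
    if [ "$name" = "$mapper" ]; then
        echo "fstab entry for $mp is not a /dev/mapper device: $mapper"; return 1
    fi
    if ! awk -v n="$name" '$1 !~ /^#/ && $1 == n {found=1} END {exit !found}' "$crypttab"; then
        echo "crypttab has no mapping named $name (fstab expects $mapper)"; return 1
    fi
    return 0
}
```

Run `check_boot_config /etc/crypttab /etc/fstab /opt/nakivo/CUSTOM_LABEL` once after editing the two files; the lock and unlock functions need root and are meant to be called from the job scheduling script.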

Step 3: Create a Backup Repository on the encrypted volume

  1. Go to Settings > Repositories in NAKIVO Backup & Replication.

  2. Click Add Backup Repository.

  3. Select Local folder on the Type page of the Create Backup Repository wizard and click Next.

  4. On the Name & Location page of the wizard, choose the Transporter installed on the Linux machine with the encrypted volume from the Assigned transporter menu.

  5. Enter /opt/nakivo/CUSTOM_LABEL for the path.

  6. Click Next and complete the wizard.

You have now created a Backup Repository on the encrypted volume.

Note
The size of the Backup Repository cannot be changed after the initial setup.