A feature that Veeam does not have is encrypted backups. It is not one of the top requested features, like tape, but still, every now and then I get a mail asking how you can store your backups in an encrypted way with Veeam. The short answer is that it is not possible. However, with Linux repositories you can do some pretty neat stuff.
This blog article continues my previous article "Veeam and Linux Repository". What I will show you in this article is how to encrypt the home volume so that all your backups are stored in encrypted form. If someone steals your server, or just its disks, the data is worthless without the passphrase, which protects you against physical access. Keep in mind that this protects data at rest only: once the volume is unlocked and mounted, anyone who can log in to the running server, or compromise it, reads the backups in the clear.
So let's continue. Just after you have configured the firewall, you can create the repo group:
groupadd repos;
echo "%repos ALL=(root) NOPASSWD: ALL" >> /etc/sudoers.d/repos;
Note that this sudoers line grants every member of the repos group passwordless root, so keep the group limited to the repository account.
However, just before you create the repo01 user, we will encrypt the home volume. To do this you need to take the home volume offline. Encrypting the volume also destroys all data on it, so do this before you put the server in production, or migrate the data first.
To take the home volume offline, go to the console and switch to runlevel 1 so that all remote and local users are disconnected. This clears any file locks, but it also disables networking, so you must do this on the console and not via ssh. Afterwards we switch back to runlevel 4 (on Red Hat style systems runlevel 3 is the usual networked multi-user level and 4 is left unused by default; use whichever runlevel your server normally boots into, which the runlevel command shows you).
Now check your /etc/fstab file and look for the logical volume you want to encrypt. In my case it is /dev/mapper/vg_repo-lv_repository.
telinit 1
umount /home
telinit 4
Then you can use shred to clear any existing data on the disk. Skip this if you are using thin provisioning in VMware: shred writes every block of the volume, which inflates the thin disk to its full size.
shred -v --iterations=1 /dev/mapper/vg_repo-lv_repository
Then you can encrypt the disk with cryptsetup and open it. luksFormat writes the LUKS header and asks for the passphrase twice; luksOpen creates a new block device under /dev/mapper that gives you the decrypted view of the volume:
cryptsetup --verbose --verify-passphrase luksFormat /dev/mapper/vg_repo-lv_repository;
cryptsetup luksOpen /dev/mapper/vg_repo-lv_repository encrypted_home;
You can check if the disk is properly mapped:
fdisk -l /dev/mapper/encrypted_home
Now that the disk is available as /dev/mapper/encrypted_home, you can format it with ext4:
mkfs.ext4 /dev/mapper/encrypted_home
Finally you need to add a line to /etc/crypttab, so the volume is unlocked at boot, and one to /etc/fstab, so the unlocked mapping is mounted:
echo "encrypted_home /dev/mapper/vg_repo-lv_repository none" >> /etc/crypttab
echo "/dev/mapper/encrypted_home /home ext4 defaults 1 2" >> /etc/fstab
You will also have to comment out or remove the line in /etc/fstab that mounted the old, unencrypted volume /dev/mapper/vg_repo-lv_repository. If you leave it in, the boot will try to mount the raw LUKS device on /home, which fails because it no longer carries a filesystem.
Now you can execute "mount -a" to mount the encrypted volume, or just reboot the machine. During boot the machine asks for the passphrase to unlock the encrypted volume. The passphrase is the only thing protecting the data and also the only way to unlock it: if you lose it the backups are gone, and an unattended reboot will sit at this prompt until somebody types it on the console.
Now that you have an encrypted home volume, you can create the user and add the repository to Veeam:
useradd -m -G repos repo01;
echo "repo01:repo01" | chpasswd;
Pick a strong password instead of the placeholder above: this account is reachable over ssh and, through the repos group, has passwordless sudo to root.
Now you are able to write backups to your encrypted volume
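The whole procedure above, scripted with the checks you would want before running a destructive luksFormat. This is an added example, not code from the original post: it assumes the post's names (the LV /dev/mapper/vg_repo-lv_repository, the mapping name encrypted_home, the mount point /home) and an assumed header backup path under /root, all overridable through environment variables. The text helpers (the crypttab line and the fstab rewrite) run as a normal user so you can review the result before touching /etc/fstab; the destructive part only runs as root with the literal argument --really-format, refuses a still-mounted or already-LUKS device, and, unlike the post, also takes a LUKS header backup.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the LUKS
# setup above, with safety checks. Names below are the post's; override with
# environment variables if yours differ.
set -u

LV="${LV:-/dev/mapper/vg_repo-lv_repository}"   # LV to encrypt (will be wiped)
MAPNAME="${MAPNAME:-encrypted_home}"             # dm-crypt mapping name
MOUNTPOINT="${MOUNTPOINT:-/home}"                # where the unlocked volume is mounted
HEADER_BACKUP="${HEADER_BACKUP:-/root/$MAPNAME-luks-header.img}"  # assumed path, move it off-box

# /etc/crypttab entry: <name> <device> <keyfile or none>; "none" means prompt at boot.
crypttab_line() {
    printf '%s %s none\n' "$MAPNAME" "$LV"
}

# /etc/fstab entry for the unlocked mapping.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$MAPNAME" "$MOUNTPOINT"
}

# Pure text transform, fstab in on stdin, fstab out on stdout: comment out any
# active entry that mounts the raw LV or anything else on the mount point, keep
# everything else, and append the new entry exactly once (safe to re-run).
# An old entry written as UUID=... is still caught through its mount point.
rewrite_fstab() {
    awk -v lv="$LV" -v mp="$MOUNTPOINT" -v newdev="/dev/mapper/$MAPNAME" -v newline="$(fstab_line)" '
        /^[ \t]*#/ || NF == 0      { print; next }            # comments and blank lines untouched
        $1 == newdev && $2 == mp   { seen = 1; print; next }  # our entry is already there
        $1 == lv || $2 == mp       { print "#" $0; next }     # old unencrypted entry: disable it
                                   { print }
        END                        { if (!seen) print newline }
    '
}

# Refuse to run unless it is safe to destroy the LV.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root, on the console" >&2; return 1; }
    [ -b "$LV" ] || { echo "$LV is not a block device" >&2; return 1; }
    if findmnt -rn -S "$LV" >/dev/null 2>&1; then
        echo "$LV is still mounted: telinit 1; umount $MOUNTPOINT first" >&2; return 1
    fi
    if cryptsetup isLuks "$LV" 2>/dev/null; then
        echo "$LV already has a LUKS header, refusing to format it again" >&2; return 1
    fi
}

# Check that what is mounted on the mount point really is the dm-crypt mapping.
verify_mount() {
    src=$(findmnt -rn -o SOURCE "$MOUNTPOINT") || return 1
    [ "$src" = "/dev/mapper/$MAPNAME" ] || { echo "$MOUNTPOINT is on $src, not the LUKS mapping" >&2; return 1; }
    cryptsetup status "$MAPNAME" | grep -q 'type:.*LUKS'
}

encrypt_and_mount() {
    preflight || return 1
    # Optional wipe of the old plaintext; skip on thin-provisioned disks (see above).
    [ "${SKIP_SHRED:-0}" = 1 ] || shred -v --iterations=1 "$LV"
    cryptsetup --verbose --verify-passphrase luksFormat "$LV" || return 1
    cryptsetup luksOpen "$LV" "$MAPNAME" || return 1
    # A damaged LUKS header makes the volume unrecoverable even with the
    # passphrase, so keep a copy of it and store that copy off this server.
    cryptsetup luksHeaderBackup "$LV" --header-backup-file "$HEADER_BACKUP"
    mkfs.ext4 "/dev/mapper/$MAPNAME" || return 1
    crypttab_line >> /etc/crypttab
    cp /etc/fstab /etc/fstab.pre-luks
    rewrite_fstab < /etc/fstab.pre-luks > /etc/fstab
    mount -a && verify_mount
}

# The destructive path runs only with an explicit flag; a plain invocation does nothing.
case "${1:-}" in
    --really-format) encrypt_and_mount ;;
esac
```

To preview the fstab change without root, run `rewrite_fstab < /etc/fstab` after sourcing the script; the original file is kept as /etc/fstab.pre-luks when the real run rewrites it. The fstab rewrite comments the old entry out rather than deleting it, so the pre-LUKS layout stays visible to whoever has to troubleshoot the box later.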
In my test the repository was not the bottleneck, however I only have a limited lab environment, so there might be some overhead when you try Instant VM Recovery or while running the backups. If in doubt, add more CPU and memory :)
Reference: Red Hat, Encryption with LUKS