Protect your Veeam backups from physical access to your repository

A feature that is not in Veeam is encrypted backups. The features is not one of the top requested features like tape but still, every now and then I get a mail asking on how you can store your backups in an encrypted way with Veeam. The short answer is, it is not possible. However with Linux repositories you can do some pretty neat stuff.

This blog article continues on my previous article "Veeam and Linux Repository" . What I will show you in this article is how you encrypt the home volume so that all your backups are stored in an encrypted way. If someone would steal your server, the data would be worthless without the key thus protecting you from physical access.

So lets continue. Just after you have configured the firewall, you can create the repo group
groupadd repos;
echo "%repos ALL=(root) NOPASSWD: ALL" >> /etc/sudoers.d/repos;
However just before you create the repo01 user, we will encrypt the home volume. To do this, you will need take the home volume offline. Also encrypting the volume will destroy all the data, so do this before you put the server in production or migrate the data first.

To put home volume offline, go to to the console and go to runlevel 1 so that all remote users and other users will be disconnected. This should clear all the file locks but will also disable networking so you really need to do this on the console and not via ssh. Afterwards we will switch back to runlevel 4
telinit 1
umount /home
telinit 4
Now check your /etc/fstab file and look for the logical volume that you want to encrypt. In my case it is  /dev/mapper/vg_repo-lv_repository

Then you can use shred to clear any existing data on the disk. If you are using thin provisioning in VMware this is not recommended
shred -v --iterations=1 /dev/mapper/vg_repo-lv_repository
Then you can encrypt the disk with cryptsetup and open it. This will create a new disk under /dev/mapper
cryptsetup --verbose --verify-passphrase luksFormat /dev/mapper/vg_repo-lv_repository;
cryptsetup luksOpen /dev/mapper/vg_repo-lv_repository encrypted_home;

You can check if the disk is properly mapped:
fdisk -l /dev/mapper/encrypted_home
Now that the disk is under /dev/mapper/encrypted_home, you can format the disk with ext4
mkfs.ext4 /dev/mapper/encrypted_home
Finally you will need to add some lines to crypttab and fstab so that the disk is mounted at boot
echo "encrypted_home /dev/mapper/vg_repo-lv_repository none" >> /etc/crypttab 
echo "/dev/mapper/encrypted_home /home                   ext4    defaults        1 2" >> /etc/fstab
You will also have to comment out or remove the line in /etc/fstab that is responsible for mounting the old unencrypted volume /dev/mapper/vg_repo-lv_repository

Now you can execute "mount -a" to mount the encrypted volume or just reboot the machine. During the boot, the machine will ask for a password to write and read from the encrypted volume:

Now that you have an encrypted home volume, you can create the user an add the repository to Veeam
useradd -m -G repos repo01;
echo "repo01:repo01" | chpasswd;

Now you are able to write backups to your encrypted volume

In my test, the repository was not the bottleneck, however I only have a limited lab environment so there might be some overhead when you try instant vm recovery or while running the backups. If in doubt add more CPU and Memory :)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.