Comprehensive data protection for all workloads
Post Reply
DavidSzp
Novice
Posts: 4
Liked: 1 time
Joined: Oct 15, 2009 5:28 pm
Full Name: David Szpunar
Contact:

Backing up to removable device with TrueCrypt Encryption

Post by DavidSzp » 1 person likes this post

Pulling together my previous knowledge of TrueCrypt, plus their docs, plus some forums posts here, I figured I'd post the batch script I came up with to encrypt offsite backups.

This is a virtual Veeam Backup machine that backs up to local storage at B:\Veeam and my goal is to mirror B:\Veeam to an encrypted partition on, in this case, a Dell RD1000 disk-cartridge drive located at O: when mounted, but it could be any removable disk. This is on Server 2008 R2.

First, I installed TrueCrypt and created an encrypted partition on the removable disk using no password but using a keyfile instead, since it will be auto-mounted. The removable disk drive is at E: but is only used from O: which is the encrypted partition mounted by the script below, which is triggered by Veeam at the end of the last backup job (though it could be scheduled as a task or triggered by whatever method you desire).

The script is stored in C:\scripts as CopyToExternal.cmd. The robocopy log files are stored in C:\scripts\logs\CopyToExternal_[date].txt with one logfile created per day and if multiple runs are made in one day, the log from each run will be appended to that day's logfile. The volume has no password but is encrypted with the contents of the keyfile located at C:\scripts\KEYFILE.KEY which you can generate using the keyfile tool in TrueCrypt or create from any file however you prefer.

Note that you MUST BACKUP THE KEYFILE offsite in a secure manner, as you will need it to be able to mount the encrypted partition and retrieve your backups. If you don't backup the keyfile, you're going to be hosed if your Veeam server doing the backups goes away without a keyfile backup and you need to restore! The keyfile is your password. This should be obvious, but don't get lazy and forget to backup the keyfile. It should be stored somewhere safe but not with the backup disks or you might as well not encrypt anything. A company safe at a different location or a bank safety deposit box or something similar, preferably with two copies in case one gets corrupted, would be ideal, depending on how much security you need. The keyfile is tiny so you could save it on a floppy disk (but don't 'cause they're unreliable) or USB stick or if you make your own plaintext keyfile, you could print it out and store the paper securely (but you'll need to type it in fully intact with whitespace correctly to restore).

You'll need to specify the correct disk partition in place of \Device\Harddisk2\Partition1 for your encrypted partition as well (or you could easily modify to mount a file-based volume, though speed may take a hit). The script assumes TrueCrypt is assumed for all users on the server in the default installation folder.

Note there is no error checking to verify that the volume is mounted before running robocopy, it assumes everything went well and skips the robocopy completely if O: doesn't exist after the mount attempt. Feel free to improve the error checking and reporting :-)

CopyToExternal.cmd:

Code: Select all

@echo off

REM Prepare %date% variable with date in order to use date in logfile name
REM  (assumes system date is in mm/dd/yyyy format and turns it into YYYY-MM-DD format):
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET CDATE=%%B 
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set date=%%c-%%a-%%b)

REM Mount TrueCrypt volume on removable disk to drive O:
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /v \Device\Harddisk2\Partition1 /k C:\scripts\KEYFILE.KEY /p "" /l O /s

REM Mirror backups with robocopy if encrypted volume O: mounted:
IF EXIST O:\ robocopy B:\Veeam\ O:\Veeam\ /MIR /COPYALL /R:1 /W:1 /REG /NP /LOG+:C:\scripts\logs\CopyToExternal_%date%.txt /FP /NDL

REM Unmount TrueCrypt volume O:
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /do
Don't forget to change your paths and variables and test! The script is simple enough I hardcoded everything. You can locate documentation on the TrueCrypt command line options at http://www.truecrypt.org/docs/command-line-usage.
David Szpunar
Lead Engineer
PC Help Services
Vitaliy S.
VP, Product Management
Posts: 27364
Liked: 2794 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Backing up to removable device with TrueCrypt Encryption

Post by Vitaliy S. »

David, thank you for sharing this with the community, much appreciated.
Xaneth
Influencer
Posts: 12
Liked: never
Joined: Nov 11, 2010 7:50 pm
Full Name: Jason Knight
Contact:

Re: Backing up to removable device with TrueCrypt Encryption

Post by Xaneth »

Yes, thanks very much for this. We have a SEC requirement that our backups must be encrypted at rest, and in fact I had already ordered the RD1000 prior to running into this post. Awesome script, works great!
awex
Novice
Posts: 9
Liked: never
Joined: May 05, 2011 11:05 pm
Full Name: Nigel Stewart
Contact:

[MERGED] Offsite Encryption

Post by awex »

We are using Robocopy to copy our Veeam backups to external Western Digital USB drives and then we have these taken offsite. We have done some research and looked through this forum looking for a way to encrypt the data so the company that we use to store the drives offsite with will not be able to access the backup files but we have not found a suitable solution yet. It would be greatly appreciated if anyone could share a solution that works for them to encrypt their data.

Thanks, Nigel.
awex
Novice
Posts: 9
Liked: never
Joined: May 05, 2011 11:05 pm
Full Name: Nigel Stewart
Contact:

Re: Backing up to removable device with TrueCrypt Encryption

Post by awex »

Thanks for the Merge, I missed this post. I have had a look at TrueCrypt and it looks good however people here are nervous using an Open Source product to encrypt our backups as if there are any problems we would not have a support contract in place. Are there any comparable supported/paid products available that anyone knows of?

Thanks, Nigel.
y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

[MERGED] Backup Copy Jobs TrueCrypt

Post by y1008946 »

Hi, we would like to use TrueCrypt to encrypt our backups which are stored offsite.

Our backups are stored in E:\Backups at the moment. I thought the best way for us to do this would be to (let me know if I am wrong):

- move the backups folder to a temporary location

- encrypt the partition

- move the backups folder to this new encrypted partition

What general settings do people use when setting up TrueCrypt?

Are there any settings we should change in the backup copy jobs?

Would we see a big difference in performance of the backup copy jobs if we encrypted the partition?

Thanks v much
y1008946
Enthusiast
Posts: 93
Liked: never
Joined: Sep 23, 2013 3:56 pm
Contact:

Re: Backing up to removable device with TrueCrypt Encryption

Post by y1008946 »

Hi, we don't have a removable device, its a Dell server which is stored in another location. Backup copy jobs send the backups over the WAN. Although the first post above will be useful for people.

What I am interested to know is what general settings do people use when setting up TrueCrypt to store backups created by Veeam?

Are there any settings we should change in the backup copy jobs, to make sure that it backs up correctly?

Thanks
Gostev
Chief Product Officer
Posts: 31780
Liked: 7280 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Backing up to removable device with TrueCrypt Encryption

Post by Gostev »

Hi Daniel, I am not aware how TrueCrypt works, so let's see if some users can respond to your questions. Thanks!
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 84 guests