This is a virtual Veeam Backup machine that backs up to local storage at B:\Veeam and my goal is to mirror B:\Veeam to an encrypted partition on, in this case, a Dell RD1000 disk-cartridge drive located at O: when mounted, but it could be any removable disk. This is on Server 2008 R2.
First, I installed TrueCrypt and created an encrypted partition on the removable disk using no password but using a keyfile instead, since it will be auto-mounted. The removable disk drive is at E: but is only used from O: which is the encrypted partition mounted by the script below, which is triggered by Veeam at the end of the last backup job (though it could be scheduled as a task or triggered by whatever method you desire).
The script is stored in C:\scripts as CopyToExternal.cmd. The robocopy log files are stored in C:\scripts\logs\CopyToExternal_[date].txt with one logfile created per day and if multiple runs are made in one day, the log from each run will be appended to that day's logfile. The volume has no password but is encrypted with the contents of the keyfile located at C:\scripts\KEYFILE.KEY which you can generate using the keyfile tool in TrueCrypt or create from any file however you prefer.
Note that you MUST BACK UP THE KEYFILE offsite in a secure manner, as you will need it to be able to mount the encrypted partition and retrieve your backups. If you don't back up the keyfile, you're going to be hosed if your Veeam server doing the backups goes away without a keyfile backup and you need to restore! The keyfile is your password. This should be obvious, but don't get lazy and forget to back up the keyfile. It should be stored somewhere safe but not with the backup disks or you might as well not encrypt anything. A company safe at a different location or a bank safety deposit box or something similar, preferably with two copies in case one gets corrupted, would be ideal, depending on how much security you need. The keyfile is tiny so you could save it on a floppy disk (but don't 'cause they're unreliable) or USB stick or if you make your own plaintext keyfile, you could print it out and store the paper securely (but you'll need to type it in fully intact with whitespace correctly to restore).
You'll need to specify the correct disk partition in place of \Device\Harddisk2\Partition1 for your encrypted partition as well (or you could easily modify to mount a file-based volume, though speed may take a hit). The script assumes TrueCrypt is installed for all users on the server in the default installation folder.
Note there is no error checking to verify that the volume is mounted before running robocopy; it assumes everything went well and skips the robocopy completely if O: doesn't exist after the mount attempt. Feel free to improve the error checking and reporting :-)
Code:
@echo off
REM Prepare %date% variable with date in order to use date in logfile name
REM (assumes system date is in mm/dd/yyyy format and turns it into YYYY-MM-DD format):
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET CDATE=%%B
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set date=%%c-%%a-%%b)
REM Mount TrueCrypt volume on removable disk to drive O:
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /v \Device\Harddisk2\Partition1 /k C:\scripts\KEYFILE.KEY /p "" /l O /s
REM Mirror backups with robocopy if encrypted volume O: mounted:
IF EXIST O:\ robocopy B:\Veeam\ O:\Veeam\ /MIR /COPYALL /R:1 /W:1 /REG /NP /LOG+:C:\scripts\logs\CopyToExternal_%date%.txt /FP /NDL
REM Unmount TrueCrypt volume O:
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /do
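An added example, not part of the original post: one way to put the error checking the post leaves open around the same mount, mirror and dismount steps. Paths, drive letters and switches are the ones from the post, plus TrueCrypt's /d O to dismount only drive O; the LOGDATE, RC and MSG variables and the exit-code numbers are assumptions of this example.

```batch
@echo off
setlocal
REM Values below are the ones from the post; adjust for your system.
set "TC=C:\Program Files\TrueCrypt\truecrypt.exe"
set "KEYFILE=C:\scripts\KEYFILE.KEY"
set "VOLUME=\Device\Harddisk2\Partition1"

REM YYYY-MM-DD for the log name (assumes mm/dd/yyyy system date, as in the post).
REM LOGDATE is used instead of overwriting the built-in %date% variable.
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set "LOGDATE=%%c-%%a-%%b"
set "LOG=C:\scripts\logs\CopyToExternal_%LOGDATE%.txt"

REM Pre-flight: stop before touching anything if a prerequisite is missing.
REM RC values are arbitrary codes chosen for this example.
if not exist "%KEYFILE%" (set "RC=10" & set "MSG=keyfile missing" & goto :report)
if not exist B:\Veeam\ (set "RC=11" & set "MSG=source B:\Veeam missing" & goto :report)
REM If O: already exists it is not the volume this run mounted; /MIR would purge it.
if exist O:\ (set "RC=12" & set "MSG=O: already in use" & goto :report)

REM Mount with the keyfile and an empty password, silently, as drive O:
"%TC%" /q /v %VOLUME% /k "%KEYFILE%" /p "" /l O /s
if not exist O:\ (set "RC=20" & set "MSG=mount failed, O: not present" & goto :report)

robocopy B:\Veeam\ O:\Veeam\ /MIR /COPYALL /R:1 /W:1 /REG /NP /LOG+:%LOG% /FP /NDL
REM Robocopy exit codes are a bitmask; 8 or higher means at least one copy failure.
if errorlevel 8 (
    set "RC=30" & set "MSG=robocopy reported failures, see log"
) else (
    set "RC=0" & set "MSG=mirror completed"
)

REM Dismount only O: and confirm it is gone before the cartridge is removed.
"%TC%" /q /d O /s
if exist O:\ (set "RC=40" & set "MSG=dismount failed, O: still mounted")

:report
REM Append a one-line result to the same daily log and return it to the caller.
>>"%LOG%" echo %date% %time% CopyToExternal: %MSG% [rc=%RC%]
exit /b %RC%
```

The non-zero exit code lets whatever triggers the script (a Veeam post-job command or a scheduled task) see that the offsite copy did not complete instead of assuming it did.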