* [dm-crypt] How to backup entire encrypted HDD?
@ 2013-04-11 4:12 John Gomez
2013-04-11 9:39 ` orinoco
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: John Gomez @ 2013-04-11 4:12 UTC
To: dm-crypt@saout.de
Hello,
Can someone please add a section to the cryptsetup FAQ that explains how to backup a HDD with whole disk encryption?
I have a 500GB HD encrypted with LUKS, partitioned with LVM (I think) and formatted ext4. The /boot partition is on a USB stick. I want to make a backup of the HDD. Say my first drive is /sda and the backup drive is /sdx and I want the backup to go in /sdx3.
AFAIK, I have two choices;
1: Create an encrypted partition on /sdx say, /sdx3, mount and decrypt /sda, then use rsync to copy the filesystem from /sda to /sdx3. Not the worst choice but there are flaws. What if I want to do this over a network? What if I want to do this on /sdx that is already partitioned? (If /sdx is already partitioned I can not encrypt the partition /sdx3. Is this correct?)
2: Use dd (or GNU ddrescue or similar) using the parameters if=/sda of=/sdx3/backup.img. Then the problems are: how do I view the files? This post describes mounting an image of a partition: http://www.rebelzero.com/howto/backup-and-restore-files-tofrom-a-luks-encrypted-partition-image-file/189. Does anyone know a better way to do this? Will this work for an image of the entire drive? Is there any other way to verify the integrity of the backup?
Any suggestions are appreciated.
Thank you
JG
* Re: [dm-crypt] How to backup entire encrypted HDD?
From: orinoco @ 2013-04-11 9:39 UTC
To: dm-crypt
Hi,
On Wed, 10 Apr 2013 21:12:40 -0700 (PDT)
John Gomez <d0006@ymail.com> wrote:
> Hello,
> Can someone please add a section to the cryptsetup FAQ that explains
> how to backup a HDD with whole disk encryption?
I don't think this question belongs to the cryptsetup FAQs, as it is a
question on how to backup data in general.
[...]
> Any suggestions are appreciated.
rdiff-backup
regards
Orinoco
* Re: [dm-crypt] How to backup entire encrypted HDD?
From: Robert Nichols @ 2013-04-11 13:47 UTC
To: dm-crypt
On 04/10/2013 11:12 PM, John Gomez wrote:
> I have a 500GB HD encrypted with LUKS, partitioned with LVM (I think) and
> formatted ext4. The /boot partition is on a USB stick. I want to make a backup
> of the HDD. Say my first drive is /sda and the backup drive is /sdx and I want
> the backup to go in /sdx3.
>
> AFAIK, I have two choices;
> 1: Create an encrypted partition on /sdx say, /sdx3, mount and decrypt /sda,
> then use rsync to copy the filesystem from /sda to /sdx3. Not the worst choice
> but there are flaws. What if I want to do this over a network?
Why is that an issue? rsync will, by default, use ssh for the communication.
> What if I want
> to do this on /sdx that is already partitioned? (If /sdx is already partitioned
> I can not encrypt the partition /sdx3. Is this correct?)
Merely partitioned wouldn't be a problem, but if that partition already
contains a filesystem and data you want to preserve, then converting it
to encrypted would be a problem. Recent versions of the cryptsetup
package do have the option to build an experimental cryptsetup-reencrypt
tool that can encrypt an existing partition, but it's a long and
delicate process.
> 2: Use dd (or GNU ddrescue or similar) using the parameters if=/sda
> of=/sdx3/backup.img. Then the problems are: how do I view the files? This post
> describes mounting an image of a partition:
> http://www.rebelzero.com/howto/backup-and-restore-files-tofrom-a-luks-encrypted-partition-image-file/189.
> Does anyone know a better way to do this? Will this work for an image of the
> entire drive?
You can work with the whole drive image, but it's a bit complicated,
and the steps depend on exactly how the source drive was set up and
whether LVM is involved. The basic tools are "losetup" to map a
loop device to a file and "kpartx" to create device maps for the
partitions within a device. I can't comment on the steps needed if
LVM is involved.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
* Re: [dm-crypt] How to backup entire encrypted HDD?
From: Arno Wagner @ 2013-04-11 15:16 UTC
To: dm-crypt
On Wed, Apr 10, 2013 at 09:12:40PM -0700, John Gomez wrote:
> Hello,
>
> Can someone please add a section to the cryptsetup FAQ that explains how
> to backup a HDD with whole disk encryption?
It is already there: Just replace "partition" with "disk" in
FAQ item 6.4. It is really not different, except possibly in
size.
> I have a 500GB HD encrypted with LUKS, partitioned with LVM (I think) and
> formatted ext4. The /boot partition is on a USB stick. I want to make a
> backup of the HDD. Say my first drive is /sda and the backup drive is
> /sdx and I want the backup to go in /sdx3.
>
> AFAIK, I have two choices;
>
> 1: Create an encrypted partition on /sdx say, /sdx3, mount and decrypt
> /sda, then use rsync to copy the filesystem from /sda to /sdx3. Not the
> worst choice but there are flaws. What if I want to do this over a
> network?
That would be transfer security and is out-of-scope for
cryptsetup. You can use the usual solutions, basically
ssh-tunneling or some type of VPN.
> What if I want to do this on /sdx that is already partitioned?
> (If /sdx is already partitioned I can not encrypt the partition /sdx3. Is
> this correct?)
No. Why would you think that?
> 2: Use dd (or GNU ddrescue or similar) using the parameters if=/sda
> of=/sdx3/backup.img. Then the problems are: how do I view the files?
Via the loop-device? Or restoring the image?
> This post describes mounting an image of a partition:
> http://www.rebelzero.com/howto/backup-and-restore-files-tofrom-a-luks-encrypted-partition-image-file/189.
> Does anyone know a better way to do this? Will this work for an image of
> the entire drive? Is there any other way to verify the integrity of the
> backup?
>
> Any suggestions are appreciated.
I think your issue is not cryptsetup, but rather the
complicated mess some modern distributions create using
LVM. My advice would be not to use LVM in the first place.
If you have to use it, just do whatever you did to the disk
before to the image (possibly via loop-device) and you basically
get the same thing you had with the raw disk. Now, doing
whatever your distro did with LVM might be complicated
and a huge violation of KISS, but that has nothing to do with
cryptsetup.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
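
Added example, not part of any message in this thread: a shell script for the loop-device route that Robert Nichols and Arno Wagner describe, together with a digest check for the integrity question in the original post. It assumes the LUKS header sits at offset 0 of the image (no partition table; otherwise map the partitions with kpartx first); the names backup_crypt and /mnt/backup are placeholders, and the VG and LV names are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LUKS header at offset 0
# of the image; backup_crypt and /mnt/backup are placeholder names.
set -eu

# SHA-256 of a device or image file. The data is ciphertext, so no passphrase
# is needed to check it.
digest() { sha256sum < "$1" | cut -d' ' -f1; }

# Run right after dd, while the source is still unmounted and unchanged:
# fails if image and source differ, otherwise stores the digest beside the image.
record_digest() {   # record_digest SOURCE IMAGE
    d=$(digest "$2")
    [ "$(digest "$1")" = "$d" ] || { echo "image differs from source" >&2; return 1; }
    printf '%s\n' "$d" > "$2.sha256"
}

# Later check that the stored image has not changed on the backup medium.
verify_image() {    # verify_image IMAGE
    [ -r "$1" ] && [ -s "$1.sha256" ] && [ "$(digest "$1")" = "$(cat "$1.sha256")" ]
}

# Open the image read-only and mount one logical volume (needs root).
open_image() {      # open_image IMAGE VG LV
    loop=$(losetup --find --show --read-only "$1")
    cryptsetup open --readonly --type luks "$loop" backup_crypt
    # If the original disk is attached to the same machine, LVM sees the same
    # VG name and UUIDs twice; detach the original first.
    vgchange -ay "$2"
    mkdir -p /mnt/backup
    # noload: skip ext4 journal replay, since the device is read-only.
    mount -o ro,noload "/dev/$2/$3" /mnt/backup
}

# Tear down in reverse order.
close_image() {     # close_image IMAGE VG
    umount /mnt/backup
    vgchange -an "$2"
    cryptsetup close backup_crypt
    losetup -d "$(losetup -j "$1" | cut -d: -f1)"
}

case "${1:-}" in
    record) record_digest "$2" "$3" ;;
    verify) verify_image "$2" ;;
    open)   open_image "$2" "$3" "$4" ;;
    close)  close_image "$2" "$3" ;;
esac
```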