27

What's the fastest method to back up and restore an encrypted device (e.g. a fully encrypted USB device to an image file)?

The USB device can be decrypted/accessed. I'm looking for a solution to mount the backup image as a file (encrypted). Is that possible?

Keep it simple, stupid.

mate64
  • Do you want to back up only the files or the whole device as an image? Should the backup be encrypted/compressed/...? Where do you want to store the backup? – jofel Nov 20 '13 at 09:48
  • @jofel The USB device can be *decrypted/accessed*. I'm looking for a solution to mount the backup image as a file (encrypted). Is that possible? – mate64 Nov 20 '13 at 10:49

3 Answers

17

cryptsetup handles image files just as well as block devices, if that was your question. So if you make a dd image (which will be freaking huge) it will work. And if it didn't, you could just create the loop device yourself.

Best practice (if you want to keep the backup encrypted) is to encrypt the backup disk also, then open both containers, then run any backup solution of your choice as you would with unencrypted filesystems. It won't be the fastest method as it'd decrypt data from the source disk and then re-encrypt it for the backup disk. On the other hand it allows for incremental backup solutions, so it should still beat the dd-image-creation on average.

If you want to stick to dd, the only way to make something faster than dd would be a partimage of sorts which takes LUKS header and offset into account, so it would only store the encrypted data that is actually in use by the filesystem.

If the source disk is an SSD and you allow TRIM inside LUKS, and the SSD shows trimmed regions as zeroes, you get this behaviour for free with dd conv=sparse. It's still not something I'd recommend, though.

frostschutz
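The dd-image route described in the answer above, written out as shell functions. This is an added example, not code from the answer; the device, image, mapper-name and mount-point arguments are placeholders, and the cryptsetup and mount steps need root.

```shell
#!/bin/sh
# Added example: raw backup of a LUKS device to an image file, then opening
# the image directly with cryptsetup. All paths and names are placeholders.
set -eu

# True if the file or device starts with the LUKS magic "LUKS\xba\xbe".
# Needs no privileges on an image file; `cryptsetup isLuks` validates more.
is_luks_image() {
    [ "$(head -c 6 -- "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# usage: backup_image /dev/sdX1 backup.img
# Copies the still-encrypted device byte for byte. The image carries the same
# LUKS header, so the same passphrases and master key unlock it.
backup_image() {
    is_luks_image "$1" || { echo "$1 is not a LUKS container" >&2; return 1; }
    dd if="$1" of="$2" bs=4M conv=fsync
    cmp -- "$1" "$2"      # re-read both sides to verify the copy
    chmod 600 "$2"
}

# usage: open_image backup.img backup_crypt /mnt/backup
# cryptsetup attaches the loop device for a regular file by itself.
open_image() {
    is_luks_image "$1" || { echo "$1 is not a LUKS image" >&2; return 1; }
    cryptsetup open --type luks --readonly "$1" "$2"
    mount -o ro "/dev/mapper/$2" "$3"
}

# usage: close_image backup_crypt /mnt/backup
close_image() {
    umount "$2"
    cryptsetup close "$1"
}
```

Restoring is the same dd copy with the image as input and the device as output.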
7

The simplest method is to make the backup system independent of the encryption system. Create an encrypted volume for the backup. Mount both the original volume and the backup volume, and run your favorite filesystem-level backup software.

Besides the simplicity, an advantage with this method is that the backup volume doesn't have to have the same size and content as the original. You can back up to a subdirectory, you can make incremental backups, etc.

There is also a very slight security advantage. If an attacker grabs your backup and finds your password, and the backup volume is a straight copy of the encrypted volume, you'll need to re-encrypt the original volume. If the backup volume is independently encrypted, it's enough to change the password on the original volume.

Gilles 'SO- stop being evil'
5

What I did:

    cryptsetup luksOpen <device> <name>
    fsarchiver -c - savefs <archive> <filesystem>

Eero Aaltonen
  • How do you then mount the backup image afterwards? – localhost Oct 24 '22 at 22:19
  • I'm not aware of any software that can directly mount an archive. https://www.fsarchiver.org/quickstart/ shows how to list files. Other than that I would just restore the filesystem to a suitably large partition. – Eero Aaltonen Oct 25 '22 at 12:39