
I would like to be able to back up an encrypted disk without having to mount the disk. The purpose is to allow an insecure automated system to back up the data without it ever having access to the data it is archiving. I really like BTRFS snapshot send/receive functionality. BTRFS on top of LUKS does have the encrypted functionality desired. However (to my knowledge) the file system must be mounted to have snapshot functionality.

Consider this setup: A NAS has a drive that is shared as a Network Block Device (NBD). This device is mounted by a remote machine that does reading/writing. The drive is set up with LUKS. The NAS itself never sees plaintext data and never mounts the encrypted disk directly. The NAS will need to periodically back up the disk to a remote location.

The current system I use has a custom script that compares checksums of 1 MiB chunks of a block device. If a chunk differs, the remote chunk data is updated. While this is functional, it requires reading the entire encrypted disk each time synchronization is done.

Is there some other setup I can use? Perhaps a block device that supports snapshots? Another file system?

A. Que
  • FYI, ZFS supports encryption (without any need for LUKS), and you can `zfs send` snapshots of encrypted datasets, same as any other snapshot (so can be done mounted or unmounted). The receiving end doesn't need to have the encryption key. BTW, Ars Technica has a good article about [ZFS native encryption](https://arstechnica.com/gadgets/2021/06/a-quick-start-guide-to-openzfs-native-encryption/) – cas Nov 13 '22 at 00:59
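
A minimal sketch of the chunk-checksum synchronization the question describes, added here as an example and not the asker's actual script: it hashes the raw encrypted image in fixed-size chunks and rewrites only the chunks whose digest changed, never unlocking LUKS. The function name, the local destination file standing in for the remote copy, and the in-memory manifest are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB, the chunk size mentioned in the question


def sync_changed_chunks(src_path, dst_path, manifest, chunk_size=CHUNK):
    """Copy only the chunks whose SHA-256 differs from the previous run.

    src_path is the raw, still-encrypted device or image; no key is used.
    manifest is the digest list from the last run ([] on the first run).
    Returns (changed_chunk_indices, new_manifest).
    """
    changed, new_manifest, total = [], [], 0
    if not os.path.exists(dst_path):
        open(dst_path, "wb").close()  # "r+b" below needs an existing file
    with open(src_path, "rb") as src, open(dst_path, "r+b") as dst:
        while True:
            chunk = src.read(chunk_size)  # the whole source is read every run
            if not chunk:
                break
            index = len(new_manifest)
            digest = hashlib.sha256(chunk).hexdigest()
            new_manifest.append(digest)
            if index >= len(manifest) or manifest[index] != digest:
                dst.seek(index * chunk_size)
                dst.write(chunk)
                changed.append(index)
            total += len(chunk)
        dst.truncate(total)  # follow the source if it shrank
    return changed, new_manifest


if __name__ == "__main__":
    # Constructed stand-in for a LUKS image: four 4 KiB "chunks".
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "luks.img"), os.path.join(tmp, "backup.img")
        with open(src, "wb") as f:
            f.write(b"".join(bytes([i]) * 4096 for i in range(4)))
        first, manifest = sync_changed_chunks(src, dst, [], chunk_size=4096)
        with open(src, "r+b") as f:  # simulate a write landing in chunk 2
            f.seek(2 * 4096 + 100)
            f.write(b"\xff" * 16)
        second, manifest = sync_changed_chunks(src, dst, manifest, chunk_size=4096)
        print("first run copied:", first, "second run copied:", second)
```

Because every chunk has to be hashed to find the ones that changed, each run still reads the full device, which is the cost the question wants to avoid.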

0 Answers