[dm-crypt] How to backup entire encrypted HDD?

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Apr 11 15:47:25 CEST 2013

On 04/10/2013 11:12 PM, John Gomez wrote:
> I have a 500GB HD encrypted with LUKS, partitioned with LVM (I think) and
> formatted ext4. The /boot partition is on a USB stick. I want to make a backup
> of the HDD. Say my first drive is /sda and the backup drive is /sdx and I want
> the backup to go in /sdx3.
> AFAIK, I have two choices:
> 1: Create an encrypted partition on /sdx say, /sdx3, mount and decrypt /sda,
> then use rsync to copy the filesystem from /sda to /sdx3. Not the worst choice
> but there are flaws.  What if I want to do this over a network?

Why is that an issue?  rsync will, by default, use ssh for the communication.

>  What if I want
> to do this on /sdx that is already partitioned? (If /sdx is already partitioned
> I cannot encrypt the partition /sdx3. Is this correct?)

Merely partitioned wouldn't be a problem, but if that partition already
contains a filesystem and data you want to preserve, then converting it
to encrypted would be a problem.  Recent versions of the cryptsetup
package do have the option to build an experimental cryptsetup-reencrypt
tool that can encrypt an existing partition, but it's a long and
delicate process.

> 2: Use dd (or GNU ddrescue or similar) using the parameters if=/sda
> of=/sdx3/backup.img.  Then the problems are: how do I view the files?  This post
> describes mounting an image of a partition:
> http://www.rebelzero.com/howto/backup-and-restore-files-tofrom-a-luks-encrypted-partition-image-file/189.
> Does anyone know a better way to do this?  Will this work for an image of the
> entire drive?

You can work with the whole drive image, but it's a bit complicated,
and the steps depend on exactly how the source drive was set up and
whether LVM is involved.  The basic tools are "losetup" to map a
loop device to a file and "kpartx" to create device maps for the
partitions within a device.  I can't comment on the steps needed if
LVM is involved.

Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
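
The losetup/kpartx route described in the reply above, as an added example that is not part of the original message: it attaches a whole-drive image read-only, finds the LUKS partition, unlocks it and mounts it without writing to the backup. It assumes root, an ext4 filesystem directly inside the LUKS container (no LVM), and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: read-only access to a LUKS partition inside a whole-disk image.
# Assumptions: run as root; the LUKS container holds ext4 directly (no LVM).
# Usage after sourcing: loop=$(open_image backup.img bk /mnt/bk)
#                       close_image "$loop" bk /mnt/bk

# Unprivileged pre-check: does FILE carry the LUKS magic ("LUKS" 0xBA 0xBE)
# at byte OFFSET (default 0)? Useful to confirm an image before attaching it.
has_luks_magic() {
    [ "$(dd if="$1" bs=1 skip="${2:-0}" count=6 2>/dev/null \
        | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Turn "kpartx -av" output ("add map loop0p1 (253:3): ...") into mapper paths.
mapped_parts() {
    awk '$1 == "add" && $2 == "map" { print "/dev/mapper/" $3 }'
}

# open_image IMAGE NAME MOUNTPOINT
# Every layer is read-only so the backup image is never modified.
# Prints the loop device on success so the caller can pass it to close_image.
open_image() {
    local image="$1" name="$2" mnt="$3" loop part
    loop=$(losetup --find --show --read-only "$image") || return 1
    for part in $(kpartx -a -v -r -s "$loop" | mapped_parts); do
        if cryptsetup isLuks "$part"; then
            cryptsetup luksOpen --readonly "$part" "$name" || break
            # noload: skip ext4 journal replay, which would need to write.
            mount -o ro,noload "/dev/mapper/$name" "$mnt" \
                && { echo "$loop"; return 0; }
            cryptsetup luksClose "$name"
            break
        fi
    done
    # No LUKS partition found, or unlock/mount failed: tear everything down.
    kpartx -d "$loop"
    losetup -d "$loop"
    return 1
}

# close_image LOOPDEV NAME MOUNTPOINT: undo open_image in reverse order.
close_image() {
    umount "$3" && cryptsetup luksClose "$2" && kpartx -d "$1" && losetup -d "$1"
}
```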
