[dm-crypt] How to backup entire encrypted HDD?

Arno Wagner arno at wagner.name
Thu Apr 11 17:16:39 CEST 2013

On Wed, Apr 10, 2013 at 09:12:40PM -0700, John Gomez wrote:
> Hello,

> Can someone please add a section to the cryptsetup FAQ that explains how
> to backup a HDD with whole disk encryption?
It is already there: Just replace "partition" with "disk" in
FAQ item 6.4. It is really not different, except possibly in
> I have a 500GB HD encrypted with LUKS, partitioned with LVM (I think) and
> formatted ext4.  The /boot partition is on a USB stick.  I want to make a
> backup of the HDD.  Say my first drive is /sda and the backup drive is
> /sdx and I want the backup to go in /sdx3.
> AFAIK, I have two choices;
> 1: Create an encrypted partition on /sdx say, /sdx3, mount and decrypt
> /sda, then use rsync to copy the filesystem from /sda to /sdx3.  Not the
> worst choice but there are flaws.  What if I want to do this over a
> network?  

That would be transfer security and is out-of-scope for 
cryptsetup. You can use the usual solutions, basically 
ssh-tunneling or some type of VPN.

> What if I want to do this on /sdx that is already partitioned? 
> (If /sdx is already partitioned I can not encrypt the partition /sdx3.  Is
> this correct?)

No. Why would you think that?
> 2: Use dd (or GNU ddrescue or similar) using the parameters if=/sda
> of=/sdx3/backup.img.  Then the problems are: how do I view the files? 

Via the loop-device? Or restoring the image?

> This post describes mounting an image of a partition:
> http://www.rebelzero.com/howto/backup-and-restore-files-tofrom-a-luks-encrypted-partition-image-file/189. 
> Does anyone know a better way to do this?  Will this work for an image of
> the entire drive?  Is there any other way to verify the integrity of the
> backup?
> Any suggestions are appreciated.

I think your issue is not cryptsetup, but rather the 
complicated mess some modern distributions create using
LVM. My advice would be not to use LVM in the first place.
If you have to use it, just do whatever you did to the disk 
before to the image (possibly via loop-device) and you basically 
get the same thing you had with the raw disk. Now, doing
whatever your distro did with LVM might be complicated 
and a huge violationof KISS, but that has nothing to do with

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list