LUKS Backup – Best Practice to Backup a LUKS Encrypted Device

backupencryptionlinuxluksusb

What's the fastest method to backup and restore a luks encrypted device (e.g. a full encrypted usb-device to a image-file).

The usb-device can be decrypted/accessed. I'm looking for a solution to mount the backup image as a file (encryped). Can it be possible?

Keep it simple, stupid.

Best Answer

cryptsetup handles image files just as well as block devices, if that was your question. So if you make a dd image (which will be freaking huge) it will work. And if it didn't, you could just create the loop device yourself.

Best practice (if you want to keep the backup encrypted) is to encrypt the backup disk also, then open both containers, then run any backup solution of your choice as you would with unencrypted filesystems. It won't be the fastest method as it'd decrypt data from the source disk and then re-encrypt it for the backup disk. On the other hand it allows for incremental backup solutions, so it should still beat the dd-image-creation on average.

If you want to stick to dd, the only way to make something faster than dd would be a partimage of sorts which takes LUKS header and offset into account, so it would only store the encrypted data that is actually in use by the filesystem.

If the source disk is a SSD and you allow TRIM inside LUKS, and the SSD shows trimmed regions as zeroes, you get this behaviour for free with dd conv=sparse. It's still not something I'd recommend, though.

Related Solutions

LUKS Encryption – Storing Keyfile in Encrypted USB Drive

Your approach looks good. Some remarks though:

If you want to encrypt rootfs, you'll need to use initrd (to have some minimal unencrypted system that will process the encrypted partitions).

If the USB device is removable, both initrd and kernel can be stored on the USB to heighten tamper resistance (supposing you make sure the USB won't get into unauthorized hands) - which is usually why one encrypts rootfs. Once both kernel and initrd are on a removable media, you can ensure that nobody changes the kernel (or initrd) from the running system by simply removing the media.

This is of course not an option if you want to have it inside of a server, but then again the question stands whether it makes sense to have such a device at all and not to use a small partition on one of the hard-drives. If for example all drives in the machine are in RAID, one would probably want to put rootfs on the USB as well. An interesting alternative to an internally connected USB flash device could be a CompactFlash card attached to ATA interface through an adapter, by the way.

Some distributions offer prepared solutions for encrypted root, some don't - but mostly it's question of putting a couple of lines into initrd script before it tries to mount the "real" root (see for example man pages for pivot_root, usually in sections 2 (syscall) and 8 (bonary), if you're not familiar with the process).
remember to backup the keys and passphrases in case your USB drive dies. LUKS follows rather one-sided approach when it comes to damaging its header - once a single sector of its header (key-slot to be more precise) dies, you are unable to mount it. This is to make sure that erasing the header isn't effectively thwarted by block reallocation performed by the device itself (because that's what flash-memory based devices do a lot) - the key is spread over the whole key slot and one needs all of the data to reconstruct it - there is no redundancy. See Clemens Fruwirth's website for deeper discussion.

That said, maybe a simple encrypted device on the USB would be enough (check section PLAIN MODE in man cryptsetup). Or a file encrypted with e.g. openssl enc. The former might actually be an option even for the encrypted partitions themselves.

Linux LUKS – How to Resize a LUKS Device, Revisited

You still have to resize the filesystem using the resized block device. The precise method and possible limitations depend on each filesystem.

Here are two examples to resize the filesystems to the whole available size for EXT4 and XFS. An other filesystem will require an other specific command.

An EXT4 filesystem can be enlarged online or offline (and can also be shrunk, but only offline).
```
resize2fs /dev/mapper/cryptdevice
```
An XFS filesystem can only be enlarged, and online (can't be shrunk back once done).

The filesystem must be mounted to be grown. The command requires the mountpoint rather than the block device.
```
mount -t xfs /dev/mapper/cryptdevice /mnt

xfs_growfs /mnt
```

You actually missed this step twice from the links:

Resize LUKS Volume(s)

in the question:
```
# Step 5: Resize encrypted volume (Trying to give it some space)
> resize2fs -p /dev/CryptVolumeGroup/root 101G
```
but in the answer:

Enlarge the rootfs logical volume. No need to un-mount since ext4 and be enlarged while mounted: lvresize -r -L +100G archvg/home

lvresize -r resizes automatically the underlying filesystem, hence no specific command in the answer. Resizing the filesystem for your specific case not using LVM wasn't present in this answer.

Increase the size of a LUKS encrypted partition

As a final step, the file-system needs to be expanded to the new size. With the resize2fs(8) command the file-system is extended to the new size of the LUKS volume.
$ sudo resize2fs /dev/mapper/sdb1_crypt
resize2fs 1.42.13 (17-May-2015)
Filesystem at /dev/mapper/sdb1_crypt is mounted on /media/gerhard/Daten; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 4
The filesystem on /dev/mapper/sdb1_crypt is now 14647925 (4k) blocks long.

Resizing LVM-on-LUKS
Resizing the encrypted volume

Now we are going to resize the encrypted volume itself. By taking in account the total size of the logical volume minus some safety space:
```
# resize2fs -p /dev/CryptVolumeGroup/Home 208G
```

Best Answer

Related Solutions

LUKS Encryption – Storing Keyfile in Encrypted USB Drive

Linux LUKS – How to Resize a LUKS Device, Revisited

Related Question