Old 07-06-2019, 08:32 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Software solution for backing up encrypted Linux installation?


For many years I have used the following approach to install and backup my Linux OS. First I partition my drive in this way:

/ - 16 GB
/home - 4 GB
/data - rest of drive space

After completing the installation and configuration of the OS I make a cold backup image of the entire drive with Clonezilla. This will allow me to recover in the event of a complete failure of the drive.

/data is hot backed up on a daily basis.

On a monthly basis I take a cold backup of the / and /home partitions with Clonezilla. This will allow recovery in the event of minor issues such as a bad upgrade, installing a conflicting driver, file corruption etc. This process has served me very well.

I am considering doing an encrypted install. I will of course have to create a non-encrypted /boot partition. / and /home will be encrypted as part of the install process and decrypted at boot by a pass phrase. /data will be encrypted/decrypted after bootup. This brings me to the backup question...

Clonezilla backs up file by file and compresses the result. A typical monthly backup of / and /home takes up about 3.5 GB. Clonezilla will backup an encrypted partition. However, the entire file system will be included in the backup - even the "empty" space. This would be OK for my initial cold iron restore backup of the whole drive. However, my monthly backups would take ~ 20GB each.

Clonezilla will NOT backup a mounted partition so decrypting the partitions and then backing up is not an option. I could roll my own process - decrypting, mounting and then using tar or rsync etc. But, not to reinvent the wheel...

Does anyone have any suggestions for an off the shelf solution?

TIA,

Ken
 
Old 07-06-2019, 11:08 AM   #2
taylorkh
I may have asked too soon. I just built a test machine as described and backed up the disk with Clonezilla. The Clonezilla backups are significantly smaller than the encrypted partitions. My prior experience with Clonezilla and encrypted partitions involved partitions which had considerable "use." Writing and deleting from the encrypted partitions apparently filled the "empty" space with uncompressible data in place of the compressible empty (null) space. At least that is my guess. I am doing some more testing.

Ken
 
Old 07-06-2019, 01:54 PM   #3
taylorkh
Another update... I copied a 4 GB file to the / file system, deleted the file and then did another Clonezilla backup. The size of the backup image increased by 3.2 GB. I suspect that over time the size of the image would approach the nominal size of the two encrypted file systems.

Ken
 
Old 07-06-2019, 02:54 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,981

Notes,

I think (pretty sure) clonezilla will back up a mounted drive. It tries to copy file by file and if it can't then it falls back to bit by bit.

You really ought to edit posts instead of adding to them. Makes members think someone is working on the thread.
 
Old 07-06-2019, 05:05 PM   #5
taylorkh
Thanks jefro,

Sorry about the talking to myself. Usually I add a p.s. and then a p.p.s to the original post. Must have been a Saturday brain malfunction.

The Clonezilla page lists the following limitation
Quote:
Online imaging/cloning is not implemented yet. The partition to be imaged or cloned has to be unmounted
Upon further consideration I guess an image up to 20 GB would not be that bad. The initial one which lets me restore the entire drive (no files in /data) was 8.5 GB. I only keep one or two monthly images. I do have sufficient storage to handle that.

I just need to get motivated to rebuild my entire system. Perhaps when I get a new, larger M.2 PCIe drive.

Ken
 
Old 07-06-2019, 08:56 PM   #6
jefro
This guy has your solution but really clonezilla would clone by dd if it can't read drive. The link shows how one might establish a file by file method. https://www.errietta.me/blog/luks-clonezilla/
 
Old 07-08-2019, 06:56 AM   #7
taylorkh
Thanks again jefro!

That looks like a very useful approach.

Ken
 
Old 07-08-2019, 11:43 PM   #8
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

What's the point if the backup(s) are unencrypted? This looks like a much better option.
 
Old 07-09-2019, 09:51 AM   #9
taylorkh
Thanks syg00,

The backups are not necessarily unencrypted. It all depends on the target to which the backups are written. The page you link to is an excellent reference. I am already using a similar approach for some applications. Here is my new approach (once I test out my process for rebuilding my system from scratch - I am targeting less than 2 hours down time to get everything installed and configured.)

Here is the drive/file system layout

240 GB M.2 PCIe boot drive
--------------------------
/boot 512 MB
/ 16 GB (encrypted at install - unlocked at boot by a passphrase)
/home 4 GB (encrypted at install - unlocked at boot by a passphrase)
/data the rest of the disk - important data and virtual machine images - encrypted after installation dm-crypt/LUKS and unlocked with /etc/crypttab using a key file and mounted with /etc/fstab

240 GB SATA SSD
---------------
/quitelarge - same encryption scheme as /data

1 TB SATA drive
---------------
/xtra - same encryption scheme as /data

2 TB SATA drive
---------------
/Clonezilla 24 GB - not encrypted, not mounted
/2TB - encrypted with dm-crypt/LUKS - not automatically decrypted/mounted

The backup strategy is as follows:

Cold backup of OS and /home will be done periodically with Clonezilla and written to /Clonezilla on the 2 TB drive. This will only be the /boot, / and /home partitions. The image will be of the encrypted partitions so no need to write it to an encrypted target. When the machine is back on-line I will manually mount /Clonezilla and copy the image to a server for archive purposes. I will delete the image from /Clonezilla before taking my next normal monthly snapshot of the OS.

Backup of my important data from /data and the "production" VM images will be done with cp and rsync to the /2TB encrypted file system on the 2 TB drive. This will be unlocked with a key file, mounted and unmounted by my backup script. My volatile data (e.g. Firefox and Thunderbird profiles, spreadsheets which I frequently update etc.) will be backed up to 30 rolling backups on the 2 TB drive. I am doing this now to the currently unencrypted 1 TB drive.

I am rethinking my usage of the 240 GB SSD and the 1 TB drive. I will probably use the SSD for testing and development VMs etc. I may decide to add some selected directories on this drive to my nightly backup. As to the 1 TB drive... It is currently an archive, backup and stuff storage drive. As backup will now go to the 2 TB drive... might not have much on it to go on the nightly backup process.

I currently backup selected files to one of two external USB drives - rotated for odd and even days. I will encrypt these also.

My reason for perhaps overdoing this is a concern that a system crash might cause more damage to an encrypted file system than to an unencrypted one. Yes, I do backup my LUKS headers. My recovery process would take one of two paths:

Loss of some files or a non-OS file system... manually restore from the 2TB drive. It will not normally be unlocked/mounted so I think it would be less susceptible to a system malfunction.

Loss of an OS partition or the whole boot device - brute force recovery with Clonezilla and then a manual recovery of data files.

That is my story and I am sticking with it

Ken
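
The unlock, mount, copy, unmount and lock cycle that post #9 describes for the /2TB backup target, together with a LUKS header backup, sketched as an added example that is not part of the thread and not taylorkh's own script. The device path, mapper name, key-file location, rsync options and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the commands are only recorded in PLAN.

```sh
#!/bin/sh
# Added example, not from the thread. All paths and names are assumed placeholders.
set -u
DEV="${DEV:-/dev/disk/by-partlabel/backup2tb}"  # assumed LUKS partition on the 2 TB drive
NAME="${NAME:-backup2tb}"                       # assumed device-mapper name
KEY="${KEY:-/root/keys/backup2tb.key}"          # assumed key file
MNT="${MNT:-/2TB}"
SRC="${SRC:-/data/}"
DRY_RUN="${DRY_RUN:-1}"                         # 1 = record the plan, execute nothing
PLAN=""

run() {  # append the command to PLAN; execute it only when DRY_RUN is not 1
    PLAN="${PLAN}$*; "
    [ "$DRY_RUN" = 1 ] || "$@"
}

key_is_private() {  # a key file readable by group/others lets any local account unlock
    case "$(stat -c %a "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

backup_header() {  # $1 = new file kept off this drive; cryptsetup will not overwrite it
    run cryptsetup luksHeaderBackup "$DEV" --header-backup-file "$1"
}

backup_data() {
    PLAN=""
    key_is_private "$KEY" || { echo "refusing: $KEY missing or too permissive" >&2; return 2; }
    run cryptsetup open --type luks --key-file "$KEY" "$DEV" "$NAME" || return 1
    if ! run mount "/dev/mapper/$NAME" "$MNT"; then
        run cryptsetup close "$NAME"
        return 1
    fi
    rc=0
    run rsync -aHAX --delete "$SRC" "$MNT/data/" || rc=$?
    # Unmount and lock again even if rsync failed, so the target is normally offline.
    run umount "$MNT" && run cryptsetup close "$NAME" || rc=1
    return "$rc"
}

# Real run: DRY_RUN=0 sh backup-2tb.sh go   (needs root)
case "${1:-}" in go) backup_data; echo "$PLAN" ;; esac
```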
 
  

