LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-06-2019, 08:32 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Rep: Reputation: 157Reputation: 157
Software solution for backing up encrypted Linux installation ?


For many years I have used the following approach to install and backup my Linux OS. First I partition my drive in this way:

/ - 16 GB
/home - 4 GB
/data - rest of drive space

After completing the installation and configuration of the OS I make a cold backup image of the entire drive with Clonezilla. This will allow me to recover in the event of a complete failure of the drive.

/data is hot backed up on a daily basis.

On a montly basis I take a cold backup of the / and /home partitions with Clonezilla. This will allow recovery in the event of minor issues such as a bad upgrade, installing a conflicting driver, file corruption etc. This process has served me very well.

I am considering doing an encrypted install. I will of course have to create a non-encrypted /boot partition. / and /home will be encrypted as part of the install process and decrypted at boot by a pass phrase. /data will be encrypted/decrypted after bootup. This brings me to the backup question...

Clonezilla backs up file by file and compresses the result. A typical monthly backup of / and /home takes up about 3.5 GB. Clonezilla will backup an encrypted partition. However, the entire file system will be included in the backup - even the "empty" space. This would be OK for my initial cold iron restore backup of the whole drive. However, my monthly backups would take ~ 20GB each.

Clonezilla will NOT backup a mounted partition so decrypting the partitons and then backing up is not an option. I could roll my own process - decrypting, mounting and then using tar or rsync etc. But, not to reinvent the wheel...

Does anyone have any suggestions for an off the shelf solution?

TIA,

Ken
 
Old 07-06-2019, 11:08 AM   #2
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Original Poster
Rep: Reputation: 157Reputation: 157
I may have asked too soon. I just built a test machine as described and backed up the disk with Clonezilla. The Clonezilla backups are significantly smaller than the encrypted partitions. My prior experience with Clonezilla and encrypted partitions involved partitions which had consider able "use." Writing and deleting from the encrypted partitions apparently filled the "empty" space with uncompressible data in place of the compressible empty (null) space. At least that is my guess. I am doing some more testing.

Ken
 
Old 07-06-2019, 01:54 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Original Poster
Rep: Reputation: 157Reputation: 157
Another update... I copied a 4 GB file to the / file system, deleted the file and then did another Clonezilla backup. The size of the backup image increased by 3.2 GB. I suspect that over time the size of the image would approach the nominal size of the two encrypted file systems.

Ken
 
Old 07-06-2019, 02:54 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,091

Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
Notes,

I think (pretty sure) clonezilla will back up a mounted drive. It tries to copy file by file and if it can't then it falls back to bit by bit.

You really ought to edit posts instead of adding to them. Makes members think someone is working on the thread.
 
Old 07-06-2019, 05:05 PM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Original Poster
Rep: Reputation: 157Reputation: 157
Thanks jefro,

Sorry about the talking to myself. Usually I add a p.s. and then a p.p.s to the original post. Must have been a Saturday brain malfunction.

The Clonezilla page lists the following limitation
Quote:
Online imaging/cloning is not implemented yet. The partition to be imaged or cloned has to be unmounted
Upon further consideration I guess an image up to 20 GB would not be that bad. The initial one which lets me restore the entire drive (no files in /data) was 8.5 GB. I only keep one or two monthly images. I do have sufficient storage to handle that.

I just need to get motivated to rebuild my entire system. Perhaps when I get a new, larger M.2 PCIe drive.

Ken
 
Old 07-06-2019, 08:56 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,091

Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
This guy has your solution but really clonezilla would clone by dd if it can't read drive. The link shows how one might establish a file by file method. https://www.errietta.me/blog/luks-clonezilla/
 
1 members found this post helpful.
Old 07-08-2019, 06:56 AM   #7
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Original Poster
Rep: Reputation: 157Reputation: 157
Thanks again jefro!

That looks like a very useful approach.

Ken
 
Old 07-08-2019, 11:43 PM   #8
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 17,994

Rep: Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871Reputation: 2871
What's the point if the backup(s) are unencrypted ?. This looks like a much better option.
 
Old 07-09-2019, 09:51 AM   #9
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,900

Original Poster
Rep: Reputation: 157Reputation: 157
Thanks syg00,

The backups are not necessarily unencrypted. It all depends on the target to which the backups are written. The page you link to is an excellent reference. I am already using a similar approach for some applications. Here is my new approach (once I test out my process for rebuilding my system from scratch - I am targeting less than 2 hours down time to get everything installed and configured.)

Here is the drive/file system layout

240 GB M.2 PCiE boot drive
--------------------------
/boot 512 MB
/ 16 GB (encrypted at install - unlocked a boot by a passphrase)
/home 4 GB (encrypted at install - unlocked a boot by a passphrase)
/data the rest of the disk - important data and virtual machine images - encrypted after installation dm-crypt/LUKS and unlocked with /etc/crypttab using a key file and mounted with /etc/fstab

240 GB SATA SSD
---------------
/quitelarge - same encryption scheme as /data

1 TB SATA drive
---------------
/xtra - - same encryption scheme as /data

2 TB SATA drive
---------------
/Clonezilla 24 GB - not encrypted, not mounted
/2TB - encrypted with dm-crypt/LUKS - not automatically decrypted/mounted

The backup strategy is as follows:

Cold backup of OS and /home will be done periodically with Clonezilla and written to /Clonezilla on the 2 TB drive. This will only be the /boot, / and /home partitions. The image will be of the encrypted partitions so no need to write it to an encrypted target. When the machine is back on-line I will manually mount /Clonezilla and copy the image to a server for archive purposes. I will delete the image from /Clonezilla before taking my next normal monthly snapshot of the OS.

Backup of my important data from /data and the "production" VM images will be done with cp and rsync to the /2TB encrypted file system on the 2 TB drive. This will be unlocked with a key file, mounted and unmounted by my backup script. My volatile data (e.g. Firefox and Thunderbird profiles, spreadsheets which I frequently update etc.) will be backed up to 30 rolling backups on the 2 TB drive. I am doing this now to the currently unencrypted 1 TB drive.

I am rethinking my usage of the 240 GB SSD and the 1 TB drive. I will probably use the SSD for testing and development VMs etc. I may decide to add some selected directories on this drive to my nightly backup. As to the 1 TB drive... It is currently an archive, backup and stuff storage drive. As backup will now go to the 2 TB drive... might not have much on it to go on the nightly backup process.

I currently backup selected files to one of two external USB drives - rotated for odd and even days. I will encrypt these also.

My reason for perhaps overdoing this is a concern that a system crash might cause more damage to an encrypted file system than to an unencrypted one. Yes, I do backup my LUKS headers. My recovery process would take one of two paths:

Loss of some files or a non-OS file system... manually restore from the 2TB drive. It will not normally unlocked/mounted so I think it would be less susceptible to a system malfunction.

Loss of an OS partition or the whole boot device - brute force recovery with Clonezilla and then a manual recovery of data files.

That is my story and I am sticking with it

Ken
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Can I have an encrypted HD and a non-encrypted HD in the same computer? grumpyskeptic Linux Mint 1 02-15-2017 05:21 PM
LXer: Two Tips to Keep Your Phone's Encrypted Messages Encrypted LXer Syndicated Linux News 0 05-02-2016 11:21 PM
Shrink partition (LVM encrypted PVs + encrypted LVs) gedaj Linux - Newbie 2 05-22-2013 03:44 AM
Resizable encrypted LVM requiring just one password on boot (encrypted volume group)? Nyyr Linux - Software 9 01-24-2013 05:52 AM
Why use an enterprise software solution vesus a diy (home made) solution checkmate3001 Linux - Server 1 12-16-2007 02:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration