Thanks syg00,
The backups are not necessarily unencrypted. It all depends on the target to which the backups are written. The page you link to is an excellent reference. I am already using a similar approach for some applications. Here is my new approach (once I test out my process for rebuilding my system from scratch - I am targeting less than 2 hours down time to get everything installed and configured.)
Here is the drive/file system layout
240 GB M.2 PCiE boot drive
--------------------------
/boot 512 MB
/ 16 GB (encrypted at install - unlocked a boot by a passphrase)
/home 4 GB (encrypted at install - unlocked a boot by a passphrase)
/data the rest of the disk - important data and virtual machine images - encrypted after installation dm-crypt/LUKS and unlocked with /etc/crypttab using a key file and mounted with /etc/fstab
240 GB SATA SSD
---------------
/quitelarge - same encryption scheme as /data
1 TB SATA drive
---------------
/xtra - - same encryption scheme as /data
2 TB SATA drive
---------------
/Clonezilla 24 GB - not encrypted, not mounted
/2TB - encrypted with dm-crypt/LUKS - not automatically decrypted/mounted
The backup strategy is as follows:
Cold backup of OS and /home will be done periodically with Clonezilla and written to /Clonezilla on the 2 TB drive. This will only be the /boot, / and /home partitions. The image will be of the encrypted partitions so no need to write it to an encrypted target. When the machine is back on-line I will manually mount /Clonezilla and copy the image to a server for archive purposes. I will delete the image from /Clonezilla before taking my next normal monthly snapshot of the OS.
Backup of my important data from /data and the "production" VM images will be done with cp and rsync to the /2TB encrypted file system on the 2 TB drive. This will be unlocked with a key file, mounted and unmounted by my backup script. My volatile data (e.g. Firefox and Thunderbird profiles, spreadsheets which I frequently update etc.) will be backed up to 30 rolling backups on the 2 TB drive. I am doing this now to the currently unencrypted 1 TB drive.
I am rethinking my usage of the 240 GB SSD and the 1 TB drive. I will probably use the SSD for testing and development VMs etc. I may decide to add some selected directories on this drive to my nightly backup. As to the 1 TB drive... It is currently an archive, backup and stuff storage drive. As backup will now go to the 2 TB drive... might not have much on it to go on the nightly backup process.
I currently backup selected files to one of two external USB drives - rotated for odd and even days. I will encrypt these also.
My reason for perhaps overdoing this is a concern that a system crash might cause more damage to an encrypted file system than to an unencrypted one. Yes, I do backup my LUKS headers. My recovery process would take one of two paths:
Loss of some files or a non-OS file system... manually restore from the 2TB drive. It will not normally unlocked/mounted so I think it would be less susceptible to a system malfunction.
Loss of an OS partition or the whole boot device - brute force recovery with Clonezilla and then a manual recovery of data files.
That is my story and I am sticking with it
Ken