LUKS Encryption and Backup Images

I will have my motherboard replaced tomorrow. What with SSDs now soldered or glued onto the motherboard, I thought it best to clone my full SSD as backup.

My SSD has two partitions:

Cloning the full physical volume is straightforward (superuser privileges are understood for all the following operations):

  1. Boot from a live system so the source partitions are not mounted;
  2. Mount your destination volume, so you can store the clone as a disk image file and have the remainder of the device left for other storage;
  3. Run dd if=/dev/nvme0n1 conv=sync,noerror bs=64K status=progress of=/media/backupdrive/backup.img (where nvme0n1 is the physical volume, not a partition, and backupdrive your mount point).

I was able to leave my newly purchased USB HDD in standard formatting to do this. A 1TB mirror took about two hours I think. Remember though to use a destination drive that is at least as large as the source; unlike with the old 1.44MB disks, you cannot assume that a 1TB disk can be backed up onto a 1TB disk.

The puzzle was to mount the partitions inside the image to verify that the mirror was successful. Here you’ll want to take the following steps:

  1. Mount the external HDD (ideally on a system that does not have the source partitions mounted, as their UUIDs will be identical);
  2. Run losetup -P /dev/loop0 /media/backupdrive/backup.img; this will automatically create loop devices /dev/loop0p1 and /dev/loop0p2 for your partitions on a recent system;
  3. To access the encrypted partition, run cryptsetup luksOpen /dev/loop0p2 imgroot, which will prompt for the passphrase and map the decrypted partition to /dev/mapper/imgroot;
  4. Mount the mapper device as you would mount any regular partition: mount /dev/mapper/imgroot /media/imgroot.

Now you can inspect the integrity of your backup at your leisure. To unmount, remember to observe the proper sequence:

  1. Unmount the mapper device;
  2. cryptsetup luksClose the mapper device;
  3. losetup -d /dev/loop0
  4. Unmount the external HDD.
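
A byte-level check that complements mounting the image, as an added example that is not part of the original post: because conv=sync,noerror replaces unreadable blocks with zeros and pads a short final block, the image can differ from or be longer than the source without dd failing. The function names verify_clone and byte_size are hypothetical, and the check assumes the source has not been written to since the clone was taken.

```bash
# verify_clone SRC IMG
#   0  IMG holds an exact copy of SRC (trailing NUL padding from conv=sync allowed)
#   1  content differs within the length of SRC
#   2  IMG is shorter than SRC (e.g. destination ran out of space)
#   3  IMG has non-zero data past the end of SRC
#   4  a size could not be read
# Typical call from the live system, source unmounted (paths as used in the post):
#   verify_clone /dev/nvme0n1 /media/backupdrive/backup.img

byte_size() {
    # Block devices report their size via blockdev; regular files via wc.
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

verify_clone() {
    local src=$1 img=$2 src_size img_size extra
    src_size=$(byte_size "$src") || return 4
    img_size=$(byte_size "$img") || return 4

    # A truncated image can never restore the whole device.
    if [ "$img_size" -lt "$src_size" ]; then
        echo "image is $((src_size - img_size)) bytes shorter than source" >&2
        return 2
    fi

    # Compare only the first src_size bytes; cmp prints the first differing offset.
    # A zero-filled block here is what conv=sync,noerror leaves after a read error.
    if ! cmp -n "$src_size" "$src" "$img" >&2; then
        return 1
    fi

    # Anything after src_size must be the NUL padding added by conv=sync.
    extra=$(tail -c +"$((src_size + 1))" "$img" | tr -d '\0' | wc -c | tr -d ' ')
    if [ "$extra" -ne 0 ]; then
        echo "image has $extra non-zero bytes past the end of the source" >&2
        return 3
    fi
    return 0
}
```

A return code of 1 does not say whether the difference is a read error or a later write to the source; the offset printed by cmp tells you which partition to inspect.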

Now if the need should ever arise, I should be able to boot from archiso and simply dd if=/path/to/backup.img conv=sync,noerror bs=64K status=progress of=/dev/nvme0n1 to restore my partitions.

posted by paul on 13 june mmxix at 11:31 EST