Backing up/restoring a LUKS encrypted partition with clonezilla

I recently wanted to back up my LUKS-encrypted disk. However, clonezilla only offered the ability to clone with dd, rather than the faster partclone tool, which is understandable. It is, however, possible to clone the (decrypted) underlying extfs filesystem.
Note: a backup of your decrypted data is as exposed as if you had never encrypted it. Take good care of your backup and, for extra security, destroy it after you have restored it.

The first thing you need to do when you load Clonezilla is to select “drop to shell” rather than running the normal Clonezilla UI. You should now be in a root shell.

Map the device as you normally would (supposing your LUKS partition is /dev/sda5):

cryptsetup luksOpen /dev/sda5 crypt

Load the device-mapper kernel module and activate the LVM volume groups:

modprobe dm-mod
vgchange -ay

You should now have /dev/mapper/yourdevice-vg--root or similar.
You can use the partclone tool now.

To back up:

partclone.ext4 -c -s /dev/mapper/yourdevice-vg--root -o /mnt/path-to-backup-disk/backup/image.img

This will clone the decrypted ext4 filesystem and save it to /mnt/path-to-backup-disk.

To restore:

partclone.ext4 -r -s /mnt/path-to-backup-disk/backup/image.img -o /dev/mapper/yourdevice-vg--root

Easier than you’d think! Once again, be extra careful with your backups: without the encryption, your data will be compromised if they fall into the wrong hands.
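The warning about unencrypted backups can be turned into a check on the backup disk. The script below is an added example, not part of the original post: it flags files that are readable partclone images or that group/other users can access. The function names are hypothetical, and it assumes partclone images start with the ASCII magic "partclone-image".

```shell
#!/bin/sh
# Added example (not from the original post): audit a backup directory for
# partclone images stored in the clear or accessible to other users.
# Assumption: a partclone image begins with the ASCII magic below.

PARTCLONE_MAGIC='partclone-image'

# Succeeds if FILE starts with the partclone magic, i.e. it is an
# unencrypted image that anyone holding the backup disk can restore.
is_plaintext_image() {
    [ "$(dd if="$1" bs=15 count=1 2>/dev/null | tr -d '\000')" = "$PARTCLONE_MAGIC" ]
}

# Succeeds if group or others have any permission bit set on FILE.
is_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print one finding per line for regular files directly under DIR.
# Returns 0 when the directory is clean, 1 when there is any finding.
audit_backups() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_plaintext_image "$f"; then
            echo "PLAINTEXT $f"
            findings=1
        fi
        if is_exposed "$f"; then
            echo "EXPOSED $f"
            findings=1
        fi
    done
    return "$findings"
}

# Usage, with the article's placeholder path:
#   audit_backups /mnt/path-to-backup-disk/backup
```

An image that was compressed but not encrypted will not match the magic, so a clean result only rules out raw partclone images; it does not prove a file is encrypted.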

27 thoughts on “Backing up/restoring a LUKS encrypted partition with clonezilla”

  1. Great article! Clear and concise, and exactly what I needed. I ran into this issue while attempting to back up my laptop this weekend.

    Thanks for posting.

    • Thank you so very much. You’re awesome. With regards to the security concerns, it all depends on where you’re storing the backup.

      If you’re storing them on a different hard drive, you can always compress the backup into an encrypted archive. If you’re worried about it being cracked, you can input a passphrase that’s several hundred characters long and keep a copy of it on a USB stick and in your already encrypted LUKS partition.

      You could also store a copy compressed but not encrypted with your LUKS. Won’t help you if your disk crashes or PC gets stolen but useful to have on hand when the OS is fubar and you need to restore it.

  2. Is it possible to mount the image in order to recover or browse single files? I tried to do it with the usual mount command but it fails.

    $ sudo mount -t ext4 -o loop path/to/image/partclone.img /media/user/imagemount
    mount: wrong fs type, bad option, bad superblock on /dev/loop0,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog – try
    dmesg | tail or so

    $ lnav
    Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453570] FAT-fs (loop0): invalid media value (0x00)
    Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453573] FAT-fs (loop0): Can’t find a valid FAT filesystem
    Apr 21 14:23:04 ubuntu-recovery kernel: [ 9645.230977] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem
    Apr 21 14:23:11 ubuntu-recovery kernel: [ 9651.747207] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem

    Any suggestions?

  3. Hi Errietta! Thanks for sharing this. I need to clone my whole system (RHEL6 encrypted with LUKS) from a conventional HDD with 500GB to a 256GB SSD. The idea is to save time instead of having to reinstall the whole system and programs after the disk upgrade. I have read some articles on the internet about the process, some with success.. others not. So I am not sure how feasible that is. Would the process above work to clone a whole system, like in my case? Thank you in advance. Greetings from Brazil!!

    • You really can’t do that easily. The problem you run into has to do with drive geometry. Cloning SSD to SSD works, but spinning disk->SSD becomes very hairy. I’ve read articles where some were claiming they did it, but it’s not worth the effort.

  4. After mounting the decrypted drive, you can also just enter “clonezilla” at the prompt and use Clonezilla normally with the UI.

  5. Hello Errietta,

    Thanks for the tip! I used it to clone my encrypted Debian Jessie remote server and it worked like a charm!

    Just used fsarchiver instead of clonezilla but result is the same :)

    Thanks again and best regards.

    Kevin.

  6. Errietta,

    I am using Linux mint. During installation I choose LVM and Encryption. I now have my system exactly how I like it, and would like to make an image backup, in case something goes horribly wrong. My drive is a total 160GB. Used: Roughly 20GB.

    If I make a Clonezilla backup, will my image be 160GB, as the whole drive is encrypted? Or will it just be the 20GB of used?

    I would prefer to make the smallest backup possible. If clonezilla is not best for this, can I somehow make a ‘decrypted backup’, and just encrypt the final image?

    Thank you for any help. I am lost lost lost.

    • Using this tactic shown here it will be a small image (about as much as the used space as you said). If you try to do a CZ backup without following this tactic, it’ll back up the whole thing.

  7. Hi,
    how about piping everything through ccrypt or similar encryption software? That way you’ll never store plaintext data.
    I just created a clonezilla bootable usb disk and added manually in there a precompiled ccrypt binary.

    Then followed your guide…
    when taking the backup you just do:
    # partclone.ext4 -c -s /dev/mapper/yourdevice-vg--root | /path/to/ccrypt -e > /mnt/path-to-backup-disk/backup/image.img.encrypted

    ccrypt will ask you for a password (twice) and that’s it, your image will be stored encrypted.
    Then, to restore:
    cat /mnt/path-to-backup-disk/backup/image.img.encrypted | ccrypt -d | partclone.ext4 -r -s - -o /dev/mapper/yourdevice-vg--root

    Of course it’s not the same as backing up the whole encrypted partition. Pros: it will occupy only the used space, and it’s fast (inline encryption, no need to compress or to use temp files). Cons: not the same thing as LUKS, and the level of security of the backup will depend mostly on the password you use for encryption.

  8. It didn’t work for me, failed at the end, but:

    Once you are done with the backup you can enter: sudo clonezilla at the command line, then when it comes to asking you what you want to do, ‘savedisk’ ‘restoredisk’ and the like select ‘encrypt-img’ and encrypt your recently decrypted luks backup.

  9. Thank you very much. Fixed, thanks.
    http://cafe.daum.net/candan/HfuW/48

    Go into the clonezilla terminal.
    sudo -i
    #

    parted -l

    # (ext4 find )

    mount /dev/sdX /mnt
    # (D:\ HDD /dev/sdb or sdc?)

    cryptsetup luksOpen /dev/sdX crypt
    # me /dev/sda3

    modprobe dm-mod
    vgchange -ay
    lvscan

    # (me print= /dev/ubuntu-gnome-vg/root)

    #backup
    partclone.ext4 -c -s /dev/ubuntu-gnome-vg/root -o /mnt/test.img

    #restore
    partclone.ext4 -r -s /mnt/test.img -o /dev/ubuntu-gnome-vg/root

  10. Hi Errietta

    Thank you very much for this tip!
    I am new to Ubuntu 16.04 and probably missed a central point, because with the “clonezilla-live-20161121-yakkety-amd64.iso” I can’t start the cryptsetup command after I got the sudo permissions – it is just not active. Maybe there is a simple solution for this problem?

    Thanks again and all the best
    Andy

  11. Andy Mannhart 11:03 20 Jan 2017
    > cryptsetup [is] just not active.

    Not sure what you mean by “not active.” If you tried to run `cryptsetup` and got a message like `cryptsetup: command not found`, then you must install that package. At the same commandline, try something like `sudo apt-get install cryptsetup`. (And if you also need to work with LVM volumes, try `sudo apt-get install lvm2`)

  12. Using Kali Rolling Sana with a LVM encrypted install. Do you think the process will still work, or does the LVM install change the process?
