I recently wanted to back up my LUKS-encrypted disk. However, clonezilla only offered the ability to clone with dd, rather than the faster partclone tool, which is understandable. It is, however, possible to clone the (decrypted) underlying extfs filesystem.
Note: if you make a backup of your decrypted data, it is as bad as if you’ve never encrypted it. Take good care of your backup and, for extra security, destroy it after you have restored it.
The first thing you need to do when you load Clonezilla, is to select “drop to shell” rather than running the normal clonezilla UI. You should now be in a root shell.
Map the device as you normally would (supposing your LUKS partition is /dev/sda5):
cryptsetup luksOpen /dev/sda5 crypt
You should now load some kernel modules:
modprobe dm-mod vgchange -ay
You should now have /dev/mapper/yourdevice-vg–root or similar.
You can use the
partclone tool now.
To back up:
partclone.ext4 -c -s /dev/mapper/yourdevice-vg--root -o /mnt/path-to-backup-disk/backup/image.img
This will clone the decrypted ext4 filesystem and save it to /mnt/path-to-backup-disk.
partclone.ext4 -r -s /mnt/path-to-backup-disk/backup/image.img -o /dev/mapper/yourdevice-vg--root
Easier than you’d think! Once again, be extra careful with your backups, for without the encryption, your data will be compromised if they fall to the wrong hands.
Great article! Clear and concise, and exactly what I needed. I ran into this issue while attempting to back up my laptop this weekend.
Thanks for posting.
Glat it helps 🙂
Thank you so very much. You’re awesome. With regards to the security concerns, it all depends on where you’re storing the backup.
If you’re storing them on a different hard drive, you can always compress the backup into an encrypted archive. If you’re worried about it being cracked, you can input a passphrase that’s several hundred characters long and keep a copy of it on a USB stick and in your alreadty encrypted luks partion.
You could also store a copy compress but not encrypted with your LUKS. Won’t help you if your disk crashes or PC gets stolen but useful to have an hand when the OS is fubar and you need to restore it.
Is it possible to mount the image in order to recover or browse single files? I tried to do it with the usual mount command but it fails.
$ sudo mount -t ext4 -o loop path/to/image/partclone.img /media/user/imagemount
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog – try
dmesg | tail or so
Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453570] FAT-fs (loop0): invalid media value (0x00)
Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453573] FAT-fs (loop0): Can’t find a valid FAT filesystem
Apr 21 14:23:04 ubuntu-recovery kernel: [ 9645.230977] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem
Apr 21 14:23:11 ubuntu-recovery kernel: [ 9651.747207] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem
Clonezilla uses a special image format, so you have to do more of a trick. See if http://ubuntuforums.org/showthread.php?t=872832 helps.
Hi Errietta! Thanks for sharing this. I need to clone my whole system (RHEL6 encrypted with LUKS) from a conventional HDD with 500GB to a 256GB SSD. The idea is to save time instead of having to reinstall the whole system and programs after the disk upgrade. I have read some articles on the internet about the process, some with success.. others not. So I am not sure how feasible that is. Would the process above work to clone a whole system, like in my case? Thank you in advance. Greetings from Brazil!!
Possibly. If you’ve used less than 256GB, clonezilla’s clone method may be able to copy data on to the smaller disk.
You really can’t do that easily. The problem you run into has to do with drive geometry. Cloning SSD to SSD works, but spinning disk->SSD becomes very hairy. I’ve read articles where some were claiming they did it, but it’s not worth the effort.
Thanks Errietta – very helpful.
After mounting the decrypted drive, you can also just enter “clonezilla” at the prompt and use Clonezilla nornally with the UI.
weird, it unmounted it for me, but I might have manually gone back to the menu instead of doing that (don’t recall)
Thanks for the tip! I used it to clone my encrypted Debian Jessie remote server and it worked like a charm!
Just used fsarchiver instead of clonezilla but result is the same 🙂
Thanks again and best regards.
I am using Linux mint. During installation I choose LVM and Encryption. I now have my system exactly how I like it, and would like to make an image backup, in case something goes horribly wrong. My drive is a total 160GB. Used: Roughly 20GB.
If I make a Clonezilla backup, will my image be 160GB, as the whole drive is encrypted? Or will it just be the 20GB of used?
I would prefer to make the smallest backup possible. If clonezilla is not best for this, can I somehow make a ‘decrypted backup’, a just encrypt the final image?
Thank you for any help. I am lost lost lost.
Using this tactic shown here it will be a small image (about as much as the used space as you said). If you try to do a CZ backup without following this tactic, it’ll back up the whole thing.
If the source disk had zeros to start (or if source disk is decrypted and mounted and dd is used to copy /dev/zero to a file zeros.txt inside the source disk — till this copy command errors out because it runs out of disk space, then file zeros.txt is deleted and system rebooted using live USB with internal source disk remaining encrypted), and dd is used to clone the encrypted disk to a compressed file, will the compressed file be not much over 20 G? Or does encrypted zeros on the drive not compress well?
thanks for publishing that helpful article! Helped me a lot,
Does dd command can be used to backup a LUKS encrypted partition?
Yes, but the only gotcha is that unlike filezilla it backs up the whole partition. That means if your partition is 1TB you’ll have a 1TB back up.
You just saved my life, thanks!! ! !!
how about piping everything through ccrypt or similar encryption software? That way you’ll never store plaintext data.
I just created a clonezilla bootable usb disk and added manually in there a precompiled ccrypt binary.
Then followed your guide…
when taking the backup you just do:
# partclone.ext4 -c -s /dev/mapper/yourdevice-vg–root | /path/to/ccrypt -e > /mnt/path-to-backup-disk/backup/image.img.encrypted
ccrypt will ask you for a password (twice) and that’s it, your image will be stored encrypted.
Then, to restore:
cat /mnt/path-to-backup-disk/backup/image.img.encrypted | ccrypt -d | partclone.ext4 -r -s – -o /dev/mapper/yourdevice-vg–root
Of course it’s not the same as backing up the whole encrypted partition. Pros: it will occupy only the used space, and it’s fast (inline encryption, no need to compress or to use temp files). Cons: not the same thing as LUKS, and the level of security of the backup will depend mostly on the password you use for encryption.
Thanks! This was useful in figuring out my next steps with my new larger SSD
Glad it helped 🙂
It didn’t work for me, failed a the end, but:
Once you are done with the backup you can enter: sudo clonezilla at the command line, then when it comes to asking you what you want to do, ‘savedisk’ ‘restoredisk’ and the like select ‘encrypt-img’ and encrypt your recently decrypted luks backup.
Thank you very much. Fixed, thanks.
clonezilla 터미널로 들어 가서.
# (ext4 find )
mount /dev/sdX /mnt
# (D:\ HDD /dev/sdb or sdc?)
cryptsetup luksOpen /dev/sdX crypt
# me /dev/sda3
# (me print= /dev/ubuntu-gnome-vg/root)
partclone.ext4 -c -s /dev/ubuntu-gnome-vg/root -o /mnt/test.img
partclone.ext4 -r -s /mnt/test.img -o /dev/ubuntu-gnome-vg/root
Thank you very much for this tip!
I am new to Ubuntu 16.04 and probably missed a central point, because with the “clonezilla-live-20161121-yakkety-amd64.iso” I can’t start the cryptsetup command after I got the sudo permissions – it is just not active. Maybe there is a simple solution for this problem?
Thanks again and all the best
Andy Mannhart 11:03 20 Jan 2017
> cryptsetup [is] just not active.
Not sure what you mean by “not active.” If you tried to run `cryptsetup` and got a message like `cryptsetup: command not found`, then you must install that package. At the same commandline, try something like `sudo apt-get install cryptsetup`. (And if you also need to work with LVM volumes, try `sudo apt-get install lvm2`)
Using Kali Rolling Sana with a LVM encrypted install. Do you think the process will still work, or does the LVM install change the process?
It should work
Nope.. At least this does not work with Kali Sana Rolling and dm-crypt (luks) encrypted persistence setup.
But what can be done is just use `clonezilla` command to enter ncurses interface instead of using `partclone` and follow the wizard.. works fine. It even has image encryption feature which requires `ecryptfs-utils` though… It’s pretty cool. Just do not forget to do LuksOpen before running clonezilla 😉
Thanks for your input. What is it that doesn’t work and needs this alternative?
The partclone.ext4 returns file system related errors.
Interesting. Glad you found the alternative anyway and thanks for mentioning here
Any idea how to make Clonezilla to mount encrypted with VeraCrypt partition?
read the man page for cryptsetup. It has the ‘–type’ option, default for luks2 (if I remember correctly). Search for the word ‘vera’ etc. in the man page itself.
This is what I found, but didn’t read it thoroughly:
TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION
cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt (with –veracrypt option)
so you simply need to follow instructions from this article, except that you need to run the first command (cryptsetup open) with necessary options to open your veracrypt volume