Backing up/restoring a LUKS encrypted partition with clonezilla

I recently wanted to back up my LUKS-encrypted disk. However, clonezilla only offered the ability to clone with dd, rather than the faster partclone tool, which is understandable. It is, however, possible to clone the (decrypted) underlying extfs filesystem.
Note: if you make a backup of your decrypted data, it is as bad as if you’ve never encrypted it. Take good care of your backup and, for extra security, destroy it after you have restored it.

The first thing you need to do when you load Clonezilla, is to select “drop to shell” rather than running the normal clonezilla UI. You should now be in a root shell.

Map the device as you normally would (supposing your LUKS partition is /dev/sda5):

cryptsetup luksOpen /dev/sda5 crypt

You should now load some kernel modules:

modprobe dm-mod
vgchange -ay

You should now have /dev/mapper/yourdevice-vg–root or similar.
You can use the partclone tool now.

To back up:

partclone.ext4 -c -s /dev/mapper/yourdevice-vg--root -o /mnt/path-to-backup-disk/backup/image.img

This will clone the decrypted ext4 filesystem and save it to /mnt/path-to-backup-disk.

To restore:

partclone.ext4 -r -s /mnt/path-to-backup-disk/backup/image.img -o /dev/mapper/yourdevice-vg--root

Easier than you’d think! Once again, be extra careful with your backups, for without the encryption, your data will be compromised if they fall to the wrong hands.


  1. Great article! Clear and concise, and exactly what I needed. I ran into this issue while attempting to back up my laptop this weekend.

    Thanks for posting.

    1. Thank you so very much. You’re awesome. With regards to the security concerns, it all depends on where you’re storing the backup.

      If you’re storing them on a different hard drive, you can always compress the backup into an encrypted archive. If you’re worried about it being cracked, you can input a passphrase that’s several hundred characters long and keep a copy of it on a USB stick and in your alreadty encrypted luks partion.

      You could also store a copy compress but not encrypted with your LUKS. Won’t help you if your disk crashes or PC gets stolen but useful to have an hand when the OS is fubar and you need to restore it.

  2. Is it possible to mount the image in order to recover or browse single files? I tried to do it with the usual mount command but it fails.

    $ sudo mount -t ext4 -o loop path/to/image/partclone.img /media/user/imagemount
    mount: wrong fs type, bad option, bad superblock on /dev/loop0,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog – try
    dmesg | tail or so

    $ lnav
    Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453570] FAT-fs (loop0): invalid media value (0x00)
    Apr 21 14:16:57 ubuntu-recovery kernel: [ 9277.453573] FAT-fs (loop0): Can’t find a valid FAT filesystem
    Apr 21 14:23:04 ubuntu-recovery kernel: [ 9645.230977] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem
    Apr 21 14:23:11 ubuntu-recovery kernel: [ 9651.747207] EXT4-fs (loop0): VFS: Can’t find ext4 filesystem

    Any suggestions?

  3. Hi Errietta! Thanks for sharing this. I need to clone my whole system (RHEL6 encrypted with LUKS) from a conventional HDD with 500GB to a 256GB SSD. The idea is to save time instead of having to reinstall the whole system and programs after the disk upgrade. I have read some articles on the internet about the process, some with success.. others not. So I am not sure how feasible that is. Would the process above work to clone a whole system, like in my case? Thank you in advance. Greetings from Brazil!!

    1. You really can’t do that easily. The problem you run into has to do with drive geometry. Cloning SSD to SSD works, but spinning disk->SSD becomes very hairy. I’ve read articles where some were claiming they did it, but it’s not worth the effort.

  4. After mounting the decrypted drive, you can also just enter “clonezilla” at the prompt and use Clonezilla nornally with the UI.

  5. Hello Errietta,

    Thanks for the tip! I used it to clone my encrypted Debian Jessie remote server and it worked like a charm!

    Just used fsarchiver instead of clonezilla but result is the same 🙂

    Thanks again and best regards.


  6. Errietta,

    I am using Linux mint. During installation I choose LVM and Encryption. I now have my system exactly how I like it, and would like to make an image backup, in case something goes horribly wrong. My drive is a total 160GB. Used: Roughly 20GB.

    If I make a Clonezilla backup, will my image be 160GB, as the whole drive is encrypted? Or will it just be the 20GB of used?

    I would prefer to make the smallest backup possible. If clonezilla is not best for this, can I somehow make a ‘decrypted backup’, a just encrypt the final image?

    Thank you for any help. I am lost lost lost.

    1. Using this tactic shown here it will be a small image (about as much as the used space as you said). If you try to do a CZ backup without following this tactic, it’ll back up the whole thing.

      1. If the source disk had zeros to start (or if source disk is decrypted and mounted and dd is used to copy /dev/zero to a file zeros.txt inside the source disk — till this copy command errors out because it runs out of disk space, then file zeros.txt is deleted and system rebooted using live USB with internal source disk remaining encrypted), and dd is used to clone the encrypted disk to a compressed file, will the compressed file be not much over 20 G? Or does encrypted zeros on the drive not compress well?

  7. Hi,
    how about piping everything through ccrypt or similar encryption software? That way you’ll never store plaintext data.
    I just created a clonezilla bootable usb disk and added manually in there a precompiled ccrypt binary.

    Then followed your guide…
    when taking the backup you just do:
    # partclone.ext4 -c -s /dev/mapper/yourdevice-vg–root | /path/to/ccrypt -e > /mnt/path-to-backup-disk/backup/image.img.encrypted

    ccrypt will ask you for a password (twice) and that’s it, your image will be stored encrypted.
    Then, to restore:
    cat /mnt/path-to-backup-disk/backup/image.img.encrypted | ccrypt -d | partclone.ext4 -r -s – -o /dev/mapper/yourdevice-vg–root

    Of course it’s not the same as backing up the whole encrypted partition. Pros: it will occupy only the used space, and it’s fast (inline encryption, no need to compress or to use temp files). Cons: not the same thing as LUKS, and the level of security of the backup will depend mostly on the password you use for encryption.

  8. It didn’t work for me, failed a the end, but:

    Once you are done with the backup you can enter: sudo clonezilla at the command line, then when it comes to asking you what you want to do, ‘savedisk’ ‘restoredisk’ and the like select ‘encrypt-img’ and encrypt your recently decrypted luks backup.

  9. Thank you very much. Fixed, thanks.

    clonezilla 터미널로 들어 가서.
    sudo -i

    parted -l

    # (ext4 find )

    mount /dev/sdX /mnt
    # (D:\ HDD /dev/sdb or sdc?)

    cryptsetup luksOpen /dev/sdX crypt
    # me /dev/sda3

    modprobe dm-mod
    vgchange -ay

    # (me print= /dev/ubuntu-gnome-vg/root)

    partclone.ext4 -c -s /dev/ubuntu-gnome-vg/root -o /mnt/test.img

    partclone.ext4 -r -s /mnt/test.img -o /dev/ubuntu-gnome-vg/root

  10. Hi Errietta

    Thank you very much for this tip!
    I am new to Ubuntu 16.04 and probably missed a central point, because with the “clonezilla-live-20161121-yakkety-amd64.iso” I can’t start the cryptsetup command after I got the sudo permissions – it is just not active. Maybe there is a simple solution for this problem?

    Thanks again and all the best

  11. Andy Mannhart 11:03 20 Jan 2017
    > cryptsetup [is] just not active.

    Not sure what you mean by “not active.” If you tried to run `cryptsetup` and got a message like `cryptsetup: command not found`, then you must install that package. At the same commandline, try something like `sudo apt-get install cryptsetup`. (And if you also need to work with LVM volumes, try `sudo apt-get install lvm2`)

  12. Using Kali Rolling Sana with a LVM encrypted install. Do you think the process will still work, or does the LVM install change the process?

      1. But what can be done is just use `clonezilla` command to enter ncurses interface instead of using `partclone` and follow the wizard.. works fine. It even has image encryption feature which requires `ecryptfs-utils` though… It’s pretty cool. Just do not forget to do LuksOpen before running clonezilla 😉

    1. read the man page for cryptsetup. It has the ‘–type’ option, default for luks2 (if I remember correctly). Search for the word ‘vera’ etc. in the man page itself.

      This is what I found, but didn’t read it thoroughly:

      TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION
      cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt (with –veracrypt option)

    2. so you simply need to follow instructions from this article, except that you need to run the first command (cryptsetup open) with necessary options to open your veracrypt volume

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.