Using LUKS Encryption with Image for Linux
Introduction
Image for Linux contains the cryptsetup utility, which is the standard Linux command line utility to access (mount) LUKS containers. Methods of backing up LUKS encrypted partitions for several common scenarios are covered in this article. For all methods, the file system on the LUKS partition should not be mounted when the backup is created. General knowledge of using LUKS and LVM (if applicable) is assumed.
Method A: Normal LUKS encrypted partitions
For the purpose of this article, a normal LUKS encrypted partition is one that is accessible by Image for Linux in both its encrypted and decrypted states and, as such, can be backed up in either state.
To back up in the encrypted state, perform a normal backup of the encrypted partition (or volume). This type of backup will be the same size as the partition (encrypted data will not compress) and will not be accessible using TBIView.
To back up in the decrypted state, the partition must first be opened using the cryptsetup utility. For example, if the LUKS partition is on /dev/sdb1 and you want the decrypted device name to be Ext4LUKS, you would run the following command from a Terminal or Command Prompt:
cryptsetup luksOpen /dev/sdb1 Ext4LUKS
Enter the password when prompted. The device will now be available as /dev/mapper/Ext4LUKS in Image for Linux to back up decrypted.
Method B: LVM volumes on a LUKS encrypted partition
If the LVM volumes to back up are located on a LUKS encrypted partition, you can run the luks-lvm script from a Terminal or Command Prompt. This menu-driven utility will create symlinks in /dev/mapper that should make the LUKS LVM volumes visible in Image for Linux. Each LUKS LVM volume name appearing in Image for Linux will begin with a prefix of "lvm_pv_" followed by the actual volume name. These volumes can then be backed up normally.
Method C: LUKS encrypted LVM volume
Backing up in the encrypted state
To back up a LUKS encrypted LVM volume in its encrypted state the following steps are required:
- From a Terminal or Command Prompt, start LVM by running the following script:
start-lvm
- Run Image for Linux and select the desired LVM volume. It will only be available as an entire drive type of backup (the partition can't be seen due to the encryption).
- In Backup Options, select the Backup Unused Sectors option. If this option is not selected Image for Linux will not find anything to back up.
Backing up in the decrypted state
To back up a LUKS encrypted LVM volume in its decrypted state, several steps are required to make it accessible. First, LVM needs to be started. Second, the LUKS partition needs to be opened with a name that includes "lvm_pv_" (the partition will not be visible to Image for Linux without this). An example is shown below:
- From a Terminal or Command Prompt, start LVM by running the following script:
start-lvm
- Run lvdisplay, "fdisk -l" or your preferred command to determine the LVM name of the desired partition. In this example /dev/ubuntu-mate-vg-vol_LUKS will be used.
- Open the volume, making sure to use a name that includes "lvm_pv_" (e.g. use it as a prefix).
cryptsetup luksOpen /dev/ubuntu-mate-vg-vol_LUKS lvm_pv_Ext4LUKS
- Enter the password when prompted. The device will now be available as /dev/mapper/lvm_pv_Ext4LUKS in Image for Windows to back up decrypted.
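The decrypted-state steps from Method A and Method C can be wrapped in one pre-backup check. The script below is an added example, not part of Image for Linux or the original article. The script name, function names and return codes are hypothetical, and it assumes the mounts table lists the mapping by its /dev/mapper path.

```shell
#!/bin/sh
# Added example (not TeraByte code). For Method C, run start-lvm first.
# Usage: sh luks-open-for-backup.sh DEVICE NAME [lvm]

# Print the mapping name; in "lvm" mode make sure it includes "lvm_pv_".
mapper_name() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;   # empty or unexpected characters
    esac
    if [ "${2:-plain}" = lvm ]; then
        case $name in
            *lvm_pv_*) ;;                   # already has the required text
            *) name="lvm_pv_$name" ;;       # add it as a prefix
        esac
    fi
    printf '%s\n' "$name"
}

# Succeed if DEVICE is a mount source in the mounts table (default /proc/mounts).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Check the LUKS header, open the mapping if needed, refuse if it is mounted.
open_for_backup() {
    dev=$1
    name=$(mapper_name "$2" "${3:-plain}") || { echo "bad mapping name: $2" >&2; return 2; }
    cryptsetup isLuks "$dev" || { echo "$dev has no LUKS header" >&2; return 3; }
    if [ ! -e "/dev/mapper/$name" ]; then
        cryptsetup luksOpen "$dev" "$name" || return 4   # prompts for the password
    fi
    if is_mounted "/dev/mapper/$name"; then
        echo "/dev/mapper/$name is mounted; unmount it before the backup" >&2
        return 5
    fi
    echo "Ready to back up /dev/mapper/$name; afterwards: cryptsetup luksClose $name"
}

# Run only when a device and a name are given on the command line.
if [ "$#" -ge 2 ]; then
    open_for_backup "$@"
fi
```

Close the mapping with cryptsetup luksClose once the backup has finished. An image taken from the /dev/mapper device holds the decrypted data, so the image file is no longer protected by LUKS.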
Restoring a LUKS encrypted partition
LUKS partitions can be restored back to their original locations or to alternate locations. When restoring to the original location it will need to be available as it was when the backup image was created. For example, if you used Method C to back up a decrypted LUKS LVM volume you would need to follow the same steps to make the destination available for the restore.
For more information on using LVM with Image for Linux, refer to the lvm.txt help file included in the Image for Linux download.