Backing up encrypted disk partition

LIsLinuxIsSogood · Veteran Joined: 13 Feb 2016 Posts: 1175

I have some encrypted disk partitions on other linux operating systems using luks/dm-crypt that I would like to know how I can backup on my local gentoo box, but I don't want to encrypt my entire Gentoo disk as it would be a lot of work to do that. So far, I have wiped a 1TB space on a backup drive. I am at the stage of being ready to proceed with creating the encrypted file system. I am primarily interested in trying to have this:
1. Backing up should open/unlock the partition for writing and write to it
2. Recovering backups need to open it for reading as well.
3. Possibly some NFS sharing of the drive once it is open in order to view and interact with the backup files in their locations on the encrypted disk.

So in terms of having the partition be "locked" or ecnrypted most of the time, and then opened at times or closed at times, also because I am backing up from dm-crypt does it make sense to also backup TO dm-crypt or does that not really matter?

What is easiest to setup? That's what I want to try.[/topic]

Hu · Moderator Joined: 06 Mar 2007 Posts: 16460

The easiest would be to leave the encrypted volumes open all the time, and then treat them like regular filesystems. You probably don't want that. Second easiest would be to have the backup process open the drive beforehand, and close it afterward. Whether it makes sense to encrypt the backup depends on why you encrypt the primary data drive. Is the primary encrypted because:

It contains data you are contractually obligated to encrypt at rest? If yes, the contract probably requires you to keep all backups at least as secure as the primary.
You want to prevent others who have hardware access from manipulating the data on the primary? If yes, you might instead arrange that those people have no physical access to the backups, after which it doesn't matter if you encrypt the backups.
You are defending against a future loss of physical control of the device to theft or to RMA. If yes, then ask whether the backup is also at risk of such future loss of control. If it is, then encrypt it too.

pa4wdh · Guru Joined: 16 Dec 2005 Posts: 417

I'm not sure if i fully understand your question, so please correct me if my answer doesn't fit your question.

The way I backup my partitions (encrypted or not) is to tar/gz them onto an external drive which itself is encrypted with dmcrypt. When not in use the disk is not connected to any system, it is only connected when i make or restore backups.