Best way to securely backup LVM on LUKS encrypted system

trillian · 2014-12-13 17:02:30

I'm upgrading harddisks and would like to backup my system to external storage and restore it on the new disk

This is the high level plan:
1. use ecryptfs to create an encrypted directory on a mounted external stroage device
2. mount ecryptfs directory
3. use rsync to make a backup into the ecryptfs directory
4. swap harddisks
5. use an arch live usb to encrypt and partition new disk (LVM on LUKS)
6. mount external storage and mount encrypted ecryptfs on the storage
7. restore system with rsync

Is this the way to do it?
After reading a little on ecryptfs, it seems like the passphrase and keys I create work only for the current kernel using ecryptfs (adds to the kernel key ring). So my understanding is that if I try to decrypt and mount the ecryptfs using a live arch usb, I won't be able to.

Any clarification of the process would be of great help! Thank you

clfarron4 · 2014-12-13 17:52:11

Any particular reason you're planning to use eCryptfs for the backup and LUKS for the actual system when you could use LUKS for both?

trillian wrote:

After reading a little on ecryptfs, it seems like the passphrase and keys I create work only for the current kernel using ecryptfs (adds to the kernel key ring). So my understanding is that if I try to decrypt and mount the ecryptfs using a live arch usb, I won't be able to.

I'm not sure whether this is how it works. Could you show us the documentation which led you to this conclusion please?

trillian · 2014-12-13 19:43:41

clfarron4 wrote:

Any particular reason you're planning to use eCryptfs for the backup and LUKS for the actual system when you could use LUKS for both?

No particular reason for ecryptfs. I believe my two options are ecryptfs and encfs as described in the disk encryption comparison table: https://wiki.archlinux.org/index.php/Di … ison_table

clfarron4 wrote:

trillian wrote:
After reading a little on ecryptfs, it seems like the passphrase and keys I create work only for the current kernel using ecryptfs (adds to the kernel key ring). So my understanding is that if I try to decrypt and mount the ecryptfs using a live arch usb, I won't be able to.
I'm not sure whether this is how it works. Could you show us the documentation which led you to this conclusion please?

I'm also not very familiar with keyrings and how the kernel manages it, or whether it's possible to do what I want with ecryptfs.
http://manpages.ubuntu.com/manpages/uto … ase.1.html

clfarron4 · 2014-12-13 20:36:14

Hmm... Have you read the ArchWiki about eCryptfs?

What you proposed should be doable, probably with the ecryptfs-simple package,

Last edited by clfarron4 (2014-12-13 20:40:07)

trillian · 2014-12-13 22:51:56

clfarron4 wrote:

Hmm... Have you read the ArchWiki about eCryptfs?
What you proposed should be doable, probably with the ecryptfs-simple package,

Yes I have read it, but I seemed to gloss over the ecryptfs-simple section. I believe that's what I want. Thanks for pointing it out!

There's a warning by the ecryptfs-simple maintainer recommending encfs over ecryptfs saying that ecryptfs has had data loss. Encfs has some security vulnerabilities from a recent audit: https://defuse.ca/audits/encfs.htm. Although, I don't believe it will affect my one-time use of it.

I will use ecryptfs-simple.

Arch Linux

#1 2014-12-13 17:02:30

Best way to securely backup LVM on LUKS encrypted system

#2 2014-12-13 17:52:11

Re: Best way to securely backup LVM on LUKS encrypted system

#3 2014-12-13 19:43:41

Re: Best way to securely backup LVM on LUKS encrypted system

#4 2014-12-13 20:36:14

Re: Best way to securely backup LVM on LUKS encrypted system

#5 2014-12-13 22:51:56

Re: Best way to securely backup LVM on LUKS encrypted system

Board footer