Incremental off-site backup of LUKS-encrypted devices on Linux


Some of us encrypt our hard drives at home or on a VPS with the Linux Unified Key Setup (LUKS) for security reasons, and these drives can quickly grow to dozens or hundreds of GB. So while we enjoy the security of LUKS devices, it is time to start thinking about a possible remote backup scenario. For secure off-site backups, we need something that operates at the block level of the LUKS-encrypted device. So in the end we find ourselves having to transfer the entire LUKS device (say, 200GB) every time we want to make a backup. Obviously, this is not feasible. How do we deal with this problem?

One solution: Bdsync

At this point a remarkable open source tool comes to the rescue: Bdsync (thanks to Rolf Fokkens). As the name suggests, Bdsync synchronizes "block devices" over the network. For fast synchronization, Bdsync generates and compares MD5 checksums of blocks of the local and remote block devices, and synchronizes only the differences. What rsync does at the file system level, Bdsync does at the block device level. Naturally, it works well with LUKS-encrypted devices. Pretty neat!

With Bdsync, the first backup copies the entire Luks block device to the remote host, which takes a lot of time to complete. However, after the initial backup, if we create some new files on the Luks device, the backup will be done quickly because we only need to copy the modified blocks. The classic incremental backup is working!
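The block-comparison idea described above, as an added illustration that is not Bdsync's own code and does not reproduce its patch format. The 4096-byte block size, the function names and the sample "device" contents are assumptions made for this sketch.

```python
import hashlib

BLOCK = 4096  # assumed block size for this illustration


def block_digests(dev, block=BLOCK):
    """MD5 digest of every fixed-size block of a device image."""
    return [hashlib.md5(dev[i:i + block], usedforsecurity=False).digest()
            for i in range(0, len(dev), block)]


def make_patch(local, remote_digests, block=BLOCK):
    """Return [(offset, data)] for each local block whose digest differs."""
    local_digests = block_digests(local, block)
    if len(local_digests) != len(remote_digests):
        # Source and target devices have to be the same size.
        raise ValueError("source and target devices differ in size")
    return [(i * block, bytes(local[i * block:(i + 1) * block]))
            for i, (l, r) in enumerate(zip(local_digests, remote_digests))
            if l != r]


def apply_patch(remote, patch):
    """Write the changed blocks into the remote copy in place."""
    for offset, data in patch:
        remote[offset:offset + len(data)] = data


def demo():
    # Constructed sample: 64 blocks of hash output standing in for ciphertext.
    remote = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() * 128
                                for i in range(64)))
    local = bytearray(remote)        # state right after the first full backup
    local[3 * BLOCK + 10] ^= 0xFF    # one byte changes inside block 3
    for k in range(-2, 2):           # a write straddling blocks 40 and 41
        local[41 * BLOCK + k] ^= 0xFF
    patch = make_patch(local, block_digests(remote))
    apply_patch(remote, patch)
    changed = [offset // BLOCK for offset, _ in patch]
    return changed, sum(len(d) for _, d in patch), remote == local


if __name__ == "__main__":
    changed, sent, in_sync = demo()
    print(f"changed blocks {changed}: sent {sent} of {64 * BLOCK} bytes, "
          f"in sync: {in_sync}")
```

Only the three touched blocks end up in the patch, which is why a run after the initial full copy moves far less data.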

Install Bdsync to Linux

Bdsync is not included in the standard repositories of Linux distributions, so you need to build it from source. Use the following distribution-specific instructions to install Bdsync and its man page on your system.

Debian, Ubuntu or Linux Mint

The code is as follows:

$ sudo apt-get install git gcc libssl-dev

$ git clone https://github.com/TargetHolding/bdsync.git

$ cd bdsync

$ make

$ sudo cp bdsync /usr/local/sbin

$ sudo mkdir -p /usr/local/man/man1

$ sudo sh -c 'gzip -c bdsync.1 > /usr/local/man/man1/bdsync.1.gz'

Fedora or CentOS/RHEL

The code is as follows:

$ sudo yum install git gcc openssl-devel

$ git clone https://github.com/TargetHolding/bdsync.git

$ cd bdsync

$ make

$ sudo cp bdsync /usr/local/sbin

$ sudo mkdir -p /usr/local/man/man1

$ sudo sh -c 'gzip -c bdsync.1 > /usr/local/man/man1/bdsync.1.gz'

Perform off-site incremental backups of LUKS-encrypted devices

I assume you already have a LUKS-encrypted block device to use as the backup source (for example, /dev/locdev). I also assume that you have a remote host with a block device that serves as the backup target for the source device (e.g., /dev/remdev).

You need root access on both systems, and passwordless SSH access from the local host to the remote host. Finally, you need to install Bdsync on both hosts.

To start a remote backup from the local host, we need to run the following command as root:

The code is as follows:

# bdsync "ssh root@remote_host bdsync --server" /dev/locdev /dev/remdev | gzip > /some_local_path/dev.bdsync.gz

A few notes on this command. The local Bdsync client opens an SSH connection to the remote host as root and runs bdsync there with the --server option. /dev/locdev is the source LUKS block device on the local host, and /dev/remdev is the target block device on the remote host. They can be /dev/sda (an entire disk) or /dev/sda2 (a single partition). The output of the local Bdsync client is piped to gzip, which creates dev.bdsync.gz (the so-called binary patch file) on the local host.

The first time you run the above command, it will take a long time, depending on your Internet/LAN speed and the size of /dev/locdev. Remember that the two block devices (/dev/locdev and /dev/remdev) must be the same size.

The next step is to copy the patch file from the local host to the remote host. One way is to use scp:

The code is as follows:

# scp /some_local_path/dev.bdsync.gz root@remote_host:/remote_path

The final step is to run the following command on the remote host, which applies the patch file to /dev/remdev:

The code is as follows:

# gzip -d < /remote_path/dev.bdsync.gz | bdsync --patch=/dev/remdev

I recommend using some small partitions (without any important data) to do these tests before using real data to deploy Bdsync. After you have fully understood how the entire setup works, you can start backing up the real data.

Conclusion

To summarize, we demonstrated how to use Bdsync to implement incremental backups of a LUKS device. As with rsync, only a small fraction of the data, rather than the entire LUKS device, needs to be pushed to the off-site backup point on each backup, which saves bandwidth and backup time. Beyond that, all data transfer is secured through SSH or SCP, and the device itself is encrypted with LUKS. You can also improve the setup by running Bdsync as a dedicated user rather than root. Bdsync works with any block device, such as an LVM volume or a RAID disk, and you can just as easily set it up to back up a local disk to a USB drive. As you can see, the possibilities are endless!
