How do I perform remote Incremental backup for LUKS encrypted disks/Partitions?

Source: Internet
Author: User
Tags ssh access linux mint


For security reasons, some of us use Linux Unified Key Setup (LUKS) to encrypt hard disks at home or on virtual private servers (VPS), and the capacity of these disks will soon grow to dozens or hundreds of GB. While enjoying the security of a LUKS device, we may therefore start looking for a feasible remote backup solution. For a secure remote backup, the solution has to operate at the block level of the encrypted LUKS device, rather than at the level of the unencrypted file system. We then find ourselves in this situation: every time we want to back up, we have to transfer the data of the entire LUKS device (for example, 200 GB). This is obviously not feasible. So how should we deal with this problem?

Solution: Bdsync

This is where an outstanding open-source tool called Bdsync (thanks to Rolf Fokkens) comes in. As the name suggests, Bdsync synchronizes "block devices" over the network. For fast synchronization, Bdsync generates and compares MD5 checksums of the local and remote block devices, and synchronizes only the data that differs. What rsync does at the file system level, Bdsync does at the block device level, so it also works with encrypted LUKS devices. Pretty good!

With Bdsync, the first backup copies the data of the entire LUKS block device to the remote host, so it takes a long time to complete. After that initial backup, however, if we create some new files on the LUKS device, the second backup finishes quickly, because only the changed data blocks have to be copied. This is classic incremental backup at work!
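The checksum comparison described above, as an added illustration on two image files. This is not Bdsync's code, protocol, or patch format; the 4096-byte block size, the function names, and the sample images are assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration: find the blocks that differ between two equal-sized images
# by comparing per-block MD5 checksums. BLOCK_SIZE is an assumed value.
BLOCK_SIZE=4096

# Print the MD5 checksum of block number $2 of file $1.
block_md5() {
    dd if="$1" bs="$BLOCK_SIZE" skip="$2" count=1 2>/dev/null | md5sum | cut -d' ' -f1
}

# Print the index of every block that differs between $1 (source) and $2 (copy).
changed_blocks() {
    src_size=$(wc -c < "$1")
    dst_size=$(wc -c < "$2")
    if [ "$src_size" -ne "$dst_size" ]; then
        echo "size mismatch: $src_size vs $dst_size" >&2
        return 1
    fi
    nblocks=$(( (src_size + BLOCK_SIZE - 1) / BLOCK_SIZE ))
    i=0
    while [ "$i" -lt "$nblocks" ]; do
        if [ "$(block_md5 "$1" "$i")" != "$(block_md5 "$2" "$i")" ]; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# Constructed sample: a 16-block image, an identical copy standing in for the
# remote device, then two blocks of the source overwritten.
demo() {
    dir=$(mktemp -d)
    dd if=/dev/zero of="$dir/src.img" bs="$BLOCK_SIZE" count=16 2>/dev/null
    cp "$dir/src.img" "$dir/dst.img"
    for blk in 5 9; do
        printf 'changed' | dd of="$dir/src.img" bs="$BLOCK_SIZE" seek="$blk" conv=notrunc 2>/dev/null
    done
    changed_blocks "$dir/src.img" "$dir/dst.img" | xargs
    rm -rf "$dir"
}

demo   # prints: 5 9
```

Only 2 of the 16 blocks would have to be transferred in this sample, which is why the second and later backups finish quickly.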

Install Bdsync on Linux

Bdsync is not included in the standard repositories of Linux distributions, so you need to build it from source. Use the commands below for your distribution to install Bdsync and its manual page on your system.

On Debian, Ubuntu, or Linux Mint

$ sudo apt-get install git gcc libssl-dev
$ git clone https://github.com/TargetHolding/bdsync.git
$ cd bdsync
$ make
$ sudo cp bdsync /usr/local/sbin
$ sudo mkdir -p /usr/local/man/man1
$ sudo sh -c 'gzip -c bdsync.1 > /usr/local/man/man1/bdsync.1.gz'

On Fedora or CentOS/RHEL

$ sudo yum install git gcc openssl-devel
$ git clone https://github.com/TargetHolding/bdsync.git
$ cd bdsync
$ make
$ sudo cp bdsync /usr/local/sbin
$ sudo mkdir -p /usr/local/man/man1
$ sudo sh -c 'gzip -c bdsync.1 > /usr/local/man/man1/bdsync.1.gz'

Perform remote Incremental backup for LUKS-encrypted devices

Assume that you have a LUKS-encrypted block device set up as the backup source (for example, /dev/LOCDEV), and a remote host with a block device to which the content of the source device is backed up (for example, /dev/REMDEV).

You need access to the root account on both systems, and you need to set up password-less SSH access from the local host to the remote host. Finally, Bdsync must be installed on both hosts.

To start the remote backup process on the local host, run the following command as the root account:

# bdsync "ssh root@remote_host bdsync --server" /dev/LOCDEV /dev/REMDEV | gzip > /some_local_path/DEV.bdsync.gz

Some explanation is needed here. The Bdsync client opens an SSH connection to the remote host as root and runs bdsync there with the --server option. Note that /dev/LOCDEV is the source LUKS block device on the local host, while /dev/REMDEV is the target block device on the remote host. They could be /dev/sda (for an entire disk) or /dev/sda2 (for a single partition). The output of the bdsync client is then piped to gzip, which creates DEV.bdsync.gz (the so-called binary patch file) under /some_local_path on the local host.

The first time you run the command above, it takes a long time, depending on your Internet/Ethernet speed and the size of /dev/LOCDEV. Remember: the two block devices (/dev/LOCDEV and /dev/REMDEV) must be the same size.

The next step is to copy the generated patch file from the local host to the remote host. Using scp is one way:

# scp /some_local_path/DEV.bdsync.gz root@remote_host:/remote_path

The final step is to run the following command on the remote host, which applies the patch file to /dev/REMDEV:

# gzip -d < /remote_path/DEV.bdsync.gz | bdsync --patch=/dev/REMDEV

I suggest testing first with a small partition that does not contain any important data before using Bdsync on real data. Back up real data only once you fully understand the entire process.
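The three steps above combined into one script, as an added example that is not part of Bdsync or the original article. It checks the equal-size requirement before starting and compares a SHA-256 checksum of the patch file on both hosts before applying it; the function names and the PATCH_FILE and REMOTE_PATCH variables are assumptions, and only the bdsync options shown above are used.

```shell
#!/bin/sh
# Added example, not part of Bdsync: the three steps above with pre-flight checks.
# Function names and PATCH_FILE/REMOTE_PATCH (both must end in .gz) are assumptions.
# Usage (as root): sh luks-bdsync.sh /dev/LOCDEV remote_host /dev/REMDEV

# Size in bytes of a block device, or of a regular file (for tests on image files).
dev_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# Succeed only when both sizes are known and equal, as the procedure requires.
same_size() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ]
}

# Paths end up inside remote command lines: allow absolute, plain paths only.
safe_path() {
    case "$1" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

backup() {
    loc=$1; host=$2; rem=$3
    patch=${PATCH_FILE:-/some_local_path/DEV.bdsync.gz}
    rpatch=${REMOTE_PATCH:-/remote_path/DEV.bdsync.gz}
    case "$host" in ""|*[!A-Za-z0-9._-]*) echo "bad host: $host" >&2; return 1 ;; esac
    for p in "$loc" "$rem" "$patch" "$rpatch"; do
        safe_path "$p" || { echo "refusing unsafe path: $p" >&2; return 1; }
    done
    lsize=$(dev_size "$loc") || return 1
    rsize=$(ssh "root@$host" "blockdev --getsize64 $rem") || return 1
    same_size "$lsize" "$rsize" || { echo "sizes differ: $lsize vs $rsize" >&2; return 1; }
    # Step 1: write the patch uncompressed first so a bdsync failure is not
    # hidden behind gzip's exit status, then compress it to $patch.
    bdsync "ssh root@$host bdsync --server" "$loc" "$rem" > "${patch%.gz}" || return 1
    gzip -f "${patch%.gz}" || return 1
    # Step 2: copy the patch and confirm it arrived intact.
    scp "$patch" "root@$host:$rpatch" || return 1
    lsum=$(sha256sum < "$patch" | cut -d' ' -f1)
    rsum=$(ssh "root@$host" "sha256sum < $rpatch" | cut -d' ' -f1)
    [ -n "$lsum" ] && [ "$lsum" = "$rsum" ] || { echo "patch checksum mismatch" >&2; return 1; }
    # Step 3: apply the patch to the remote device.
    ssh "root@$host" "gzip -d < $rpatch | bdsync --patch=$rem"
}

if [ "$#" -eq 3 ]; then backup "$@"; fi
```

Without three arguments the script only defines its functions, so the size and path checks can be tried on image files before it is pointed at a real device.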

Conclusion

In short, we showed how to use Bdsync to perform incremental backups of a LUKS device. As with rsync, each backup copies only a small amount of data to the remote backup site instead of the entire LUKS device, which saves bandwidth and backup time. Rest assured that all data transmission is protected by SSH or SCP, and the device itself is encrypted by LUKS. This solution could also be improved by using a dedicated user (rather than root) who is allowed to run bdsync. Bdsync can also be used with any block device, such as an LVM volume or a RAID disk, and it is easy to set it up to back up a local disk to a USB drive. As you can see, its application prospects are infinite!
