Backup And Restore Files To/From A LUKS Encrypted Partition Image File
I purchased a hard drive caddy for my Thinkpad T61p to convert the optical drive bay into a second hard drive bay. It pains me to say it, but I wanted to put Windows Vista back on the laptop. There are too many reasons to list why, but that meant having to give up more hard drive space than I was willing to share between Vista and Ubuntu.
My desired layout was to have Vista inhabit a 320GB drive occupying the main bay while Ubuntu would live on its own 320GB drive in the caddy. Dual-booting would be done through the Bios in order to avoid, among other things, having grub issues.
The biggest concern was the encrypted partition that contains separate root and home logical volumes. I wanted to make an exact image copy with dd but retain its encrypted state. However, I was unsure how I could access the data from the image without restoring it. I knew you could mount ISOs through a loop device, but an encrypted image was a lot different. Here’s how I did it.
I booted the machine with an Ubuntu 9.04 LiveCD from an external CD-ROM, opened a terminal window, and gained a root prompt. Doing everything as root is dangerous and contrary to the Ubuntu sudo-only policy, but this went a lot easier without the extra typing. Just don’t say I didn’t warn you.
The first step was to get a list of the partitions. At this point I have both hard drives installed in order to move some shared media files from the Ubuntu drive onto the Vista drive. They are listed as /dev/sda for Vista and /dev/sdb for Ubuntu. Using fdisk to get my list, I have:
root@ubuntu:~# fdisk -l /dev/sdb
Disk /dev/sdb: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0×05b304beDevice Boot Start End Blocks Id System
/dev/sdb1 1 12158 97659103+ 83 Linux
/dev/sdb2 12159 38913 214909537+ 5 Extended
/dev/sdb5 * 12159 12188 240943+ 83 Linux
/dev/sdb6 12189 38913 214668531 83 Linux
I have /dev/sdb1 as the encrypted partition and /dev/sdb5 as the /boot partition, which I also want to back up. Of course, this listing doesn’t explicitly describe what each partition is. I know what they are from the installation process when I set them up. After plugging in my external drive, Ubuntu happily mounted it at /media/disk. The first step was to create the backup images.
root@ubuntu:~# dd if=/dev/sdb5 of=/media/disk/sdb5_boot.img
481887+0 records in
481887+0 records out
246726144 bytes (247 MB) copied, 11.3419 s, 21.8 MB/sroot@ubuntu:~# dd if=/dev/sdb1 of=/media/disk/sdb1_root_home.img
195318207+0 records in
195318207+0 records out
100002921984 bytes (100 GB) copied, 6447.54 s, 15.5 MB/s
It took a while to back up the /dev/sdb1 partition giving me plenty of time to catch up on my emails and rss feeds. The next step was to make sure I could still access the data contained within the backups. For the boot partition, this was as easy as mounting it to a temporary location and listing the directory.
root@ubuntu:~# mkdir /mnt/ob_boot
root@ubuntu:~# mount /media/disk/sdb5_boot.img /mnt/ob_root -o loop
root@ubuntu:~# ls /mnt/ob_root/
abi-2.6.28-11-generic memtest86+.bin
abi-2.6.28-13-generic System.map-2.6.28-11-generic
abi-2.6.28-14-generic System.map-2.6.28-13-generic
abi-2.6.28-15-generic System.map-2.6.28-14-generic
config-2.6.28-11-generic System.map-2.6.28-15-generic
config-2.6.28-13-generic vmcoreinfo-2.6.28-11-generic
config-2.6.28-14-generic vmcoreinfo-2.6.28-13-generic
config-2.6.28-15-generic vmcoreinfo-2.6.28-14-generic
grub vmcoreinfo-2.6.28-15-generic
initrd.img-2.6.28-11-generic vmlinuz-2.6.28-11-generic
initrd.img-2.6.28-13-generic vmlinuz-2.6.28-13-generic
initrd.img-2.6.28-14-generic vmlinuz-2.6.28-14-generic
initrd.img-2.6.28-15-generic vmlinuz-2.6.28-15-generic
lost+found
That was simple enough, but this is where it gets complicated. I needed to install cryptsetup and lvm2, and then load the dm-crypt kernel module.
root@ubuntu:~# apt-get install cryptsetup lvm2
[..snip..]
root@ubuntu:~# modprobe dm-crypt
I thought you could mount the encrypted backup through a loop in the same way I just did the boot backup, but mount complains about the filesystem type.
root@ubuntu:~# mkdir /mnt/ob_root_home
root@ubuntu:~# mount /media/disk/sdb1_root_home.img /mnt/ob_root_home -o loop
mount: unknown filesystem type ‘crypto_LUKS’
After a quick googling, I landed at an Ubuntu Forums post concerning something a little different but contained the steps I needed. They included the use of /dev/loop0 which I couldn’t use in the LiveCD environment as the LiveCD was currently using it, so I needed to adapt.
Mount the encrypted backup on a loop device.
root@ubuntu:~# losetup /dev/loop1 /media/disk/sdb1_root_home.img
Decrypt the new loop device. At this point it helps to remember the passphrase. I tried and failed three times before I smacked my forehead with the heavy hand of common sense.
root@ubuntu:~# cryptsetup luksOpen /dev/loop1 ob_enc
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
Now to activate the volume groups, which is done rather automagically, with vgchange.
root@ubuntu:~# vgchange -ay
2 logical volume(s) in volume group “obsidian” now active
Now my /dev/mapper directory had entries for the decrypted device, ob_enc, and the two logical volumes, obsidian-home and obsidian-root.
root@ubuntu:~# ls /dev/mapper/
control ob_enc obsidian-home obsidian-root
At this point, I could mount the logical volumes anywhere I needed to access the files contained in each and do with them what I pleased.
root@ubuntu:~# mkdir /mnt/ob_home/
root@ubuntu:~# mount /dev/mapper/obsidian-home /mnt/ob_home/
root@ubuntu:~# ls /mnt/ob_home/
adam adam_original stovicek
From here on out, I re-partitioned the drive for better layout, re-installed the core Ubuntu system, mounted the backups as outlined above, and restored /home and any other necessary files to their new partitions.
Leave a Reply