Hi, Clonezilla discussion forum,
I noticed a reply Steven made:
https://sourceforge.net/p/clonezilla/discussion/Open_discussion/thread/bb217dad16/#7116
and was surprised to learn that Clonezilla can now back up encrypted LUKS partitions by asking for the passphrase.
I have a few questions related to Clonezilla's support of LUKS:
1. What exactly is backed up when Clonezilla backs up an unlocked LUKS partition/disk? Is the LUKS partition/disk layout backed up, as well as the layout of partitions/filesystems inside the LUKS? Or better yet, how would a restored LUKS backup differ from the original? (Aside from the LUKS-encrypted part on the partition/disk being different since the data is re-encrypted on a backup restore)
2. In the mentioned reply, Steven says that Clonezilla would ask the user for a passphrase when backing up a LUKS partition, but what if one uses a keyfile instead of a passphrase? How is that accommodated in Clonezilla?
   For example, does Clonezilla allow a user to drop into the shell to provide a keyfile at /home/LUKS.keyfile (or a crypttab), which Clonezilla would then use to unlock the partition/disk?
3. Does Clonezilla *have* to be the one to unlock a LUKS partition/disk, or will Clonezilla also pick up partitions/disks that the user has manually unlocked?
   For example, I could unlock LUKS partitions/disks that I want to back up when dropping into the shell to mount the backup destination directory /home/partimag.
4. Does Clonezilla support backing up LUKS partitions/disks when the LUKS header is detached? If so, are there any differences in how Clonezilla backs up such a LUKS partition/disk in comparison to one with an attached header?
   A LUKS-encrypted partition/disk without the header should be indistinguishable from an uninitialized partition/disk, so it's expected that Clonezilla wouldn't be able to recognize those. A user could provide something like crypttab, listing where the header file is, at what offset in the file the header starts, etc., for Clonezilla to unlock those LUKS-encrypted partitions/disks. Alternatively, instead of Clonezilla doing the unlocking, a user could drop into the shell and manually unlock those LUKS partitions/disks (implies that (3) is supported), allowing Clonezilla to a lot more easily recognize the LUKS partitions/disks.
5. With cryptsetup supporting BitLocker since v1.3.0, does Clonezilla support backing up BitLocker partitions/disks too?
Last edit: nurupo 2023-08-01
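Added example (not part of the original post and not Clonezilla's code): a shell probe for the LUKS magic bytes, run on constructed sample images, illustrating the point in question 4 that the data device of a detached-header volume carries no signature for a tool to find. The function names and the file names attached.img, data_only.img and header.img are made up for the demo.

```shell
#!/bin/sh
# Classify a device or image by the LUKS on-disk signature.
# LUKS1 and LUKS2 both begin with the 6 bytes "LUKS" 0xBA 0xBE, followed by a
# big-endian 16-bit version. Only the primary header at offset 0 is checked.
luks_probe() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)                echo none ;;   # unreadable, short, or no signature
    esac
}

# Build constructed sample images in directory $1 (not real LUKS volumes).
make_samples() {
    # One 512-byte sector: magic, version 0x0002, zero padding.
    {
        printf 'LUKS\272\276'
        dd if=/dev/zero bs=1 count=1 2>/dev/null
        printf '\002'
        dd if=/dev/zero bs=504 count=1 2>/dev/null
    } > "$1/header.img"
    # Attached header: the signature sits at the start of the device itself.
    cp "$1/header.img" "$1/attached.img"
    # Detached header: the data device holds only ciphertext. These 8 bytes are
    # a constructed stand-in for that ciphertext.
    printf '\237\021\304\172\005\350\066\261' > "$1/data_only.img"
}

# Demo: the data-only image reports "none"; the signature lives in header.img.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in attached.img data_only.img header.img; do
    printf '%s: %s\n' "$f" "$(luks_probe "$tmp/$f")"
done
rm -rf "$tmp"

# Manual unlock of such a volume before starting the backup would use the
# header file and keyfile explicitly (device and mapping name are placeholders):
#   cryptsetup open --header header.img --key-file /home/LUKS.keyfile /dev/sdX NAME
```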
As for your questions,
1. "Is the LUKS partition/disk layout backed up, as well as the layout of partitions/filesystems inside the LUKS?" -> Yes. You can have a bare metal recovery if you have an image of that.
2. You can copy the key file, then use that key to open the LUKS device. Clonezilla will find the LUKS device and save it, I believe.
3. Yes, I believe.
4. Not sure actually. You can give it a try and let us know.
5. We will try to make that in the future.
If you can, find a virtual machine and install GNU/Linux with LUKS enabled. Then give it a try, and let us know the results, and tell us where to improve. Of course, if you develop software, patches are welcome.
Steven
Thanks for the reply! Didn't think of testing this in a VM, will have to play with it at some point.
Last edit: nurupo 2023-08-01