8

The scenario:
- I have an SSD EVO 850 with several partitions, all of them with no encryption, running Xubuntu 14.04.
- I have another identical disk, same model and size.

The question:
- Is there a way to clone the disk with the system to the new one and enable hardware or software encryption?

Why?:
- protect data and installation
- avoid reinstalling the system and do a complete setup for all apps and services again.

Thanks

UPDATE:

I ended up using @Louis-Papaloizou's solution

  • I installed Xubuntu with LVM on LUKS
  • Then I created the same partition scheme, with approximate size; it doesn't have to be the same, just enough for data to be copied.
  • Then from a live CD I connected both disks and rsynced from one to the other; this allows me to just copy over the databases without backup and restore.
  • The important thing is that you need to edit /etc/fstab and update the appropriate UUIDs for each partition/disk. You can get the UUID with sudo blkid /dev/mapper/NAMEOFVOLGROUP-*

UPDATE 2 (2017/02/22) - I added a second HDD with the same LVM on LUKS schema. In order for it to be mounted at boot, a line with the main encrypted partition should be added to /etc/crypttab and the decrypted partitions (on LVM) to /etc/fstab. At boot, after decrypting the main drive, a second password for the additional HDD will be requested, and from then on everything works as usual.

TROUBLESHOOTING:

  • I lost audio after moving over; this solved the problem on Xubuntu 14.04 (need to reboot): sudo apt-get install linux-sound-base alsa-base alsa-utils linux-image-$(uname -r) linux-image-extra-$(uname -r) libasound2
bistoco
  • What encryption scheme do you want? Block level (e. g. dm-crypt/LUKS) or file level (e. g. ecryptfs)? Do you want to boot from one of the encrypted file systems? Which operating systems need to access the encrypted data? – David Foerster Feb 15 '17 at 16:19

4 Answers

4

The mother of all cloning tools is rsync. I have used this solution before and it worked like a charm.

First of all you should start with a clean installation of the operating system on the new hard disk and set up encryption. Make sure you use the same partitioning scheme.

Mount your old hard disk to the system (via USB adapter or network) and use rsync to clone your old filesystem to your new encrypted hard disk like so:

rsync -aAXv --exclude={"/dev/","/proc/","/sys/","/tmp/","/run/","/mnt/","/media/*","/lost+found"} /path/to/old/hdd/mount/point/ /

rsync -av should really cut it; the additional AX switches will make sure ACLs and extended file attributes are preserved if they were used. The excluded folders are folders which do not contain regular files (/dev, /proc, /sys) and folders which do not contain useful data for your new system. If you are using /mnt for your additional partitions you should remove it from the exclusion brackets.

It goes without saying that if you are running any databases, transferring the files is not an ideal solution; you need to back up your databases on the old system and restore them to the new system according to each database server's procedures.

And it actually works! You might have to troubleshoot a couple red spots in the syslog but generally all your installed packages should be there and your system should be working perfectly with the configuration you knew. By using this method I managed to pull down a cloud hosted VPS to a local physical machine and host it locally.

Good luck.

  • rsync is a nice, file level, tool. However, it does not provide encryption - and it does not provide a block level copy. – vidarlo Feb 15 '17 at 20:15
  • Encryption must be provided by the operating system itself. You can also set it up after installation according to this post. I doubt you will find a cloning tool which also encrypts the data for you. It's two different tasks. If there is a particular reason you need to do a block level and not file level copy you could go with dd and encrypt the hard disk later I guess, but I don't see why. – Louis Papaloizou Feb 15 '17 at 20:40
  • I ended up using this solution. I installed Xubuntu with LVM on LUKS, then I created the same partition scheme, with approximate size; it doesn't have to be the same, just enough for data to be copied. Then from a live CD I connected both disks and rsynced from one to the other; this allows me to just copy over the databases without backup and restore. The important thing is that you need to edit /etc/fstab and update the appropriate UUIDs for each partition/disk. You can get the UUID with sudo blkid /dev/mapper/NAMEOFVOLGROUP-*. Thanks for the recommendation. – bistoco Feb 18 '17 at 09:42
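The /etc/fstab step from the comment above (and the /etc/crypttab entry from the question's second update) can be checked before rebooting. The following is an added example, not code from any poster: it lists every UUID= reference that no device in saved blkid output carries. The function names, file contents and UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report UUID= references in fstab/crypttab that no device carries.
# All file contents and UUIDs below are constructed sample data.

# Print every filesystem/LUKS UUID in saved `blkid` output (PARTUUID is skipped
# because the pattern requires a space directly before "UUID=").
known_uuids() {
    grep -o ' UUID="[^"]*"' "$1" | cut -d'"' -f2 | sort -u
}

# Print UUID= values used by non-comment lines of fstab/crypttab-style files.
referenced_uuids() {
    awk '!/^[ \t]*#/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^UUID=/) { v = substr($i, 6); gsub(/"/, "", v); print v }
    }' "$@" | sort -u
}

# stale_uuids BLKID_OUTPUT FILE...: referenced UUIDs missing from blkid output.
stale_uuids() {
    blkid_out=$1; shift
    known=$(known_uuids "$blkid_out")
    for u in $(referenced_uuids "$@"); do
        printf '%s\n' "$known" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

SAMPLE=$(mktemp -d)
cat > "$SAMPLE/blkid.txt" <<'EOF'
/dev/sdb1: UUID="aaaaaaaa-0000-4000-8000-000000000001" TYPE="ext2" PARTUUID="0001-01"
/dev/sdb5: UUID="aaaaaaaa-0000-4000-8000-000000000002" TYPE="crypto_LUKS" PARTUUID="0001-05"
/dev/mapper/vg-root: UUID="aaaaaaaa-0000-4000-8000-000000000003" TYPE="ext4"
/dev/mapper/vg-swap: UUID="aaaaaaaa-0000-4000-8000-000000000004" TYPE="swap"
EOF
cat > "$SAMPLE/fstab" <<'EOF'
# /boot still points at the old disk after the rsync
UUID=bbbbbbbb-0000-4000-8000-000000000001 /boot ext2 defaults 0 2
UUID=aaaaaaaa-0000-4000-8000-000000000003 /     ext4 errors=remount-ro 0 1
/dev/mapper/vg-swap                       none  swap sw 0 0
EOF
cat > "$SAMPLE/crypttab" <<'EOF'
sdb5_crypt UUID=aaaaaaaa-0000-4000-8000-000000000002 none luks
EOF

stale_uuids "$SAMPLE/blkid.txt" "$SAMPLE/fstab" "$SAMPLE/crypttab"
```

On a real system, save the output of sudo blkid from the live session to a file and pass it together with the copied fstab and crypttab from the new disk's mounted root.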
2

TL;DR

Yes, use Clonezilla

Detailed answer

Clonezilla allows you to

  • clone the whole disk (the boot sector + all the partitions + the swap) or some specific partition only.

  • encrypt it using ecryptfs, an enterprise-class cryptographic filesystem for Linux, which supports AES and Triple DES, among other encryption algorithms

  • compress it using gzip, bzip2, ..., and generate an MD5 checksum if you want

The requirements

you'll need

  • a flash or hard drive USB to create a bootable Clonezilla live USB (you can use CD/DVD instead)
  • an external HDD or SSD drive with enough free space to store the compressed cloned image into it

The process

  1. create a Clonezilla live USB, using the ISO file and Unetbootin, or by building the bootable USB manually as explained here

  2. clone your entire disk-source to an external HDD or SSD device by

    • following the clonezilla/01_Save_disk_image tutorial
    • but when you get this message about expert/beginner options, choose Expert mode, so that you can enable the encryption
  3. restore the image of disk-source on disk-destination, following this tutorial clonezilla/02_Restore_disk_image

Aside

  • When creating a Clonezilla live USB the last time, the option that worked for me was creating it manually, using the zip file and a FAT32 USB, on Ubuntu 16.04.1.
  • You don't have to format the destination drive, since Clonezilla will create the file system when restoring the source drive on it.
  • If you don't have enough free space to store the cloned image of the whole source drive before restoring it to the destination drive, then clone partition by partition.
0

If you have a computer that supports hardware encryption (like Lenovo Thinkpads) you may enable this. This is transparent to the OS, so once encryption is turned on you can clone it using e.g. Clonezilla.

If you want to use LUKS, it's a bit harder. You can make encrypted partitions, copy everything over, and modify the files to fit, so that /boot is on an unencrypted partition, update initramfs to match and so on. This is a bit complicated, and it would generally be easier to just copy /home and reinstall Ubuntu on the encrypted partitions.

As all your user data is in /home, you should lose nothing. It's also fairly trivial to reinstall all packages you had previously, using dpkg --get-selections, which can then be reimported into the new install :)

vidarlo
  • Thanks for your answer. I have 5 partitions on my main drive (the one that I want to have encrypted), so on /home I only have configs for the installed software under my account. Either way I will take a look at dpkg --get-selections – bistoco Feb 12 '17 at 20:16
  • I actually did something fairly similar a few days ago, after a drive crash.

    Installed base system (answer no to everything in tasksel).

    Had selection in backup, so dumped it back in using --set-selections, and installed the packages.

    I had a backup of /etc/ so I dumped the stuff I knew I had touched (apache2/, postfix/, defaults/, and a few more) back in.

    99% was back within a few hours, including mysql, apache, sabnzbd, couchpotato and so on. What was left was a DVB card that I was too stupid to make work - and that was entirely my own fault.

    – vidarlo Feb 12 '17 at 20:26
  • I ended up doing a base install with LVM on LUKS, since hardware encryption support wasn't the best on my machine (bad documentation, and possibly a custom BIOS was needed), and rsyncing transparently from one disk to the other once the encrypted one was properly open on the live session. Now that I know that I can rsync, I can make full encrypted disk images that I can later mount/decrypt and resync again. – bistoco Feb 18 '17 at 09:47
0

Typically rsync is used to copy all your data from one drive to another. However, your question has been asked before (superuser.com - How to do rsync-like encrypted backup?) where they want to back up data to another server but have it encrypted so no one at the other server can "see" what is there.

The recommended solutions are duplicity and tartarus. Both support:

  • remote backup and local backup
  • full and incremental backups
  • encrypting backup files
  • installation via sudo apt-get install
  • have been around for many years

Duplicity is built into the Ubuntu repository and has instructions on Ubuntu (help.ubuntu.com - Duplicity Backup). Tartarus requires the extra step of adding signed keys before installation via apt-get. Additionally, some Tartarus website instructions are in German and require Google Translate, which isn't a big deal but might be inconvenient to some.

  • That's an answer to the wrong question. As far as I read it the OP wants to clone his existing system onto a new, encrypted drive. – vidarlo Feb 12 '17 at 16:21
  • @vidarlo his question asks for hardware or software encryption. These packages provide software encryption. I think it suits the question but we'll have to wait and see what OP says. – WinEunuuchs2Unix Feb 12 '17 at 16:26
  • @vidarlo is right, the crucial part of it is not the encryption part (which can be easily achieved by software or hardware), but the cloning of an existing system to an encrypted media (soft/hardware) and still being able to run. – bistoco Feb 12 '17 at 20:13
  • If it is something to be done on a regular basis (i.e. regular backups) then the above with incremental abilities are better. If it's a one-shot deal to reinstall, Clonezilla is best. – WinEunuuchs2Unix Feb 12 '17 at 21:13