Serious backup options for linux disk (dmcrypt, luks, ext4, ext3, btrfs) normal and encrypted system

Question

Disk/Partition Backup

What are the backup options and good practice to make a solid and easy to use full system backup?

With the following requirement:

• Live backup
• Image backup
• Encrypted backup
• Incremental backups
• Mount/access the backup disk/files easily
• Full system backup, restorable in one shot
• Can be scheduled automatically (with cron or else)
• Encrypted or classic backup source (luks, dm-crypt, ext3/ext4/btrfs).

Answer 1

Linux system backup

When targeting a true full system backup, disk image backup (as asked) offer substantial advantage (detailed bellow) compared to files based backup.

With files based backup disk/partition structure is not saved; Most of the time for a full restore, the process is a huge time consumer in fact many time consuming steps (like system reinstall) are required; and finally backing up installed applications can be tricky; Image disk backup avoid all these cons and restore process is a one shot step.

Tools like clonezilla, fsarchiver are not suitable for this question because they are missing one or multiple requested features.

As a reminder, luks encrypted partition are not dependent on the used file system (ext3/ext4/etc.) keep in mind that the performance are not the same depending on the chosen file system (details), also note that btrfs (video-1, video-2) may be a very good option because of its snapshot feature and data structure. This is just an additional protection layer because btrfs snapshot are not true backups! (classic snapshots reside on the same partition).

As a side note, in addition to disk image backup we may want to do a simple file sync backup for some particular locations, to achieve this, tools like rsync/grsync (or btrfs-send in case of btrfs) can be used in combinaison with cron (if required) and an encrypted backup destination (like luks-partition/vault/truecrypt). Files based backup tools can be: rsync/grsync, rsnapshot, cronopete, dump/restore, timeshift, deja-dup, systemback, freefilesync, realtimesync, luckybackup, vembu.

---

Annotations

lsblk --fs output:

• sda is the main disk
• sda1/sda2 are the encrypted partitions
• crypt_sda1/crypt_sda2 virtual (mapped) un-encrypted partitions

    sda
    ├─sda1           crypto_LUKS        f3df6579-UUID... 
    │ └─crypt_sda1   ext4               bc324232-UUID... /mount-location-1
    └─sda2           crypto_LUKS        c3423434-UUID...
      └─crypt_sda2   ext4               a6546765-UUID... /mount-location-2

---

Method #1

Backup the original luks disk/partition (sda or sda1) encrypted as it is to any location

• bdsync/bdsync-manager is an amazing tool that can do image backup (full/incremental) by fast block device syncing; This can be used along with luks directly on the encrypted partition, incremental backups works very well in this case as well. This tool support mounting/compression/network/etc.
• dd: classic method for disk imaging, can be used with command similar to dd if=/dev/sda1 of=/backup/location/crypted.img bs=128K status=progress but note that imaging a mounted partition with dd may lead data corruption for the used files while the backup is done, like sql databases, x config files, or documents being edited, to guarantee data integrity with such backup closing all running application and data base is recommended, we can also mount the image after its creation and check its integrity with fsck.

Cons for #1: backup size, compression, and incremental backups can be tricky

Method #2

This method is for disk without encryption or to backup the mapped luks un-encrypted partition crypt_sda1/crypt_sda2... An encrypted backup destination location (like luks-partition/vault/truecrypt) or an encrypted archive/image if the backup tool support such feature is recommended.

• Veeam: free/paid professional backup solution (on linux only command line and TUI), kernel module is opensource, this tool can not be used for the fist method, backup can be encrypted, incremental and mounting backups are supported.
• bdsync/bdsync-manager same as in the first method but the backup is made from the un-encrypted mapped partition (crypt_sda1/crypt_sda2).
• dd: classic method for disk imaging, can be used with command similar to dd if=/dev/mapper/crypt_sda1 of=/backup/location/un-encrypted-sda1.img bs=128K status=progress but note that imaging a mounted partition with dd may lead data corruption for the used files while the backup is done, like sql databases, x config files, or documents being edited, to guarantee data integrity with such backup closing all running application and data base is recommended, we can also mount the image after its creation and check its integrity with fsck.

Cons for #2: disk headers, mbr, partitions structure, uid etc. are not saved additional backup steps (detailed bellow) are required for a full backup

• Backup luks headers: cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file /backup/location/sda1_luks_heanders_backup
• Backup mbr: dd if=/dev/sda of=/backup/location/backup-sda.mbr bs=512 count=1
• Backup partitions structure: sfdisk -d /dev/sda > /location/backup-sda.sfdisk
• Backup disk uuid

---

Note:

• Images done with dd can be mounted with commands similar to: fdisk -l -u /location/image.img kpartx -l -v /location/image.img kpartx -a -v /location/image.img cryptsetup luksOpen /dev/mapper/loop0p1 imgroot mount /dev/mapper/imgroot /mnt/backup/

---

Alternatives:

• Bareos: open source backup solution (demo-video)
• Bacula: open source backup solution (demo-video)
• Weresync: disk image solution with incremental feature.
• Other tools can be found here, here, here or here
• There is a Wikipedia page comparing disk cloning software
• An analyse by Gartner of some professional backup solutions is available here

---

Other tools

• Acronis backup may be used for both methods but their kernel module is always updated very lately (not working with current/recent kernel version) plus mounting backups is not working as of 02/2020.
• Partclone: used by clonezilla, this tool only backup disk used blocks, it support image mounting but does not support live/hot backup nor encryption/luks.
• Partimage: dd alternative with a TUI, it support live/hot backups but images can not be mounted and it does not support luks (but ext4/btrfs).
• Doclone: very nice live/hot backup imaging solution, supporting many systems (but not lucks...) ext4 etc. support network, mounting is not possible.
• Rsnapshot: snapshot file backup system using rsync. used in many distro (like mageia) the backup jobs are scheduled with cron, when running in background the backup status is not automatically visible.
• Rsync/Grsync: sync folders with rsync command, grsync is the gui...
• Cronopete: file backup alternative to rsync (the application is limited on how it work compared to modern solution)
• Simple-backup: file backup solution with tray icon and incremental feature, backup are made to tars archives
• Backintime: python backup app for file based backup (the app have many unsolved issues)
• Shadowprotect: acronis alternative with mount feature... luks support is not obvious.
• Datto: professional backup solution, luks support is not obvious, linux agent need to be networked to a backup server... kernel module is opensource on github... the interface is web based without using a modern design.
• FSArchiver: live/hot image backup solution, backup can not be mounted.
• Dump: image backup system, mount is not supported.

Answer 2

I'll just add these as I was surprized to see that @intika's answer didn't include my favorites. Using his terminology:

Method #1: In the case of btrfs, look at btrbk, which automates taking snapshots, copying them and encrypting them.

Method #2: restic, borg or duplicacy. These can all do incremental backups, encryption and mounting. (Though the latter has just gotten the ability for mounts - it should be in the next release.) Duplicacy has a nice deduplication feature, and doesn't need anything on the remote other than standard filesystem commands.