Backup Encrypted Drive to Encrypted Drive

TL;DR

Backing up an encrypted drive to another encrypted drive requires careful planning and execution. This guide explains how to do it safely, covering preparation, the backup process itself (using tools like dd or dedicated backup software), verification, and security considerations.

Steps

1. Preparation: Identify Drives

• Clearly label your source encrypted drive (the one you’re backing up) and the destination encrypted drive (where the backup will go).
• Determine the filesystem type of both drives. They don’t *have* to be identical, but it simplifies things if they are (e.g., ext4, XFS, APFS). Use lsblk -f in Linux or Disk Utility on macOS to find this information.
• Ensure the destination drive has enough free space for a full backup of the source drive. It’s best to have *more* than enough – account for future data growth.

Unlock Both Drives

• Mount both encrypted drives. This usually involves providing passwords or using keyfiles. The exact method depends on the encryption software you’re using (e.g., LUKS, VeraCrypt, FileVault).
• Verify that both drives are successfully mounted and accessible before proceeding. Use df -h in Linux to check mount points and available space.

Choose a Backup Method

• Option 1: dd (Disk Dump) – For advanced users only! This creates an exact, bit-for-bit copy. It’s powerful but unforgiving; mistakes can easily overwrite data.

  sudo dd if=/dev/sdX of=/dev/sdY bs=4M status=progress

  Replace /dev/sdX with the source drive and /dev/sdY with the destination drive. Double-check these! Using the wrong device names will cause data loss.

• Option 2: Backup Software – Recommended for most users. Tools like Clonezilla, Veeam Agent (free version available), or even built-in tools on your operating system offer more user-friendly interfaces and features.
  • Clonezilla is a popular open-source disk cloning tool. Download the ISO image and boot from it to perform the backup.
  • Veeam Agent provides incremental backups, which save space and time.

Perform the Backup

• If using dd, run the command as shown above. This will take a long time depending on the size of the drive.
• If using backup software, follow the instructions provided by the software to select the source and destination drives and start the backup process.

Verify the Backup

• After the backup is complete, it’s crucial to verify its integrity.
  • For dd backups: Boot from a live environment and attempt to mount the backup drive. If it mounts successfully and you can access your files, the backup is likely good.
  • For software backups: Most backup software includes verification options. Use these to check for errors.

    Some tools create checksums (like MD5 or SHA256) of the backed-up data. Compare the checksums of the source and destination drives to ensure they match.

Security Considerations

• Key Management: Securely store the encryption keys for both drives. Losing these keys means losing access to your data.
• Physical Security: Protect both drives from physical theft or damage.
• Offsite Storage: Consider storing a copy of the backup offsite (e.g., in a different location) for disaster recovery purposes.
• Regular Testing: Periodically test your backups by restoring files to ensure they are working correctly.