LUKS Cloning Risks: What You Need To Know

G5 Cyber Security

2 weeks ago

TL;DR

Cloning a LUKS encrypted partition can be done safely, but it’s not as simple as copying files. If you don’t do it correctly, you risk data loss or exposing your encryption key. This guide explains how to clone securely using the correct tools and methods.

Understanding the Risks

LUKS (Linux Unified Key Setup) encrypts entire partitions. A simple copy won’t work because:

Metadata: LUKS stores important encryption information (headers) on the partition itself, not just in files.
Key Binding: The encryption key is often tied to a specific device UUID. Cloning creates a new UUID.
Random Data: Some cloning methods might copy unused space which could contain remnants of old data.

Secure Cloning Methods

Here are two main approaches, ranked by safety and complexity:

1. Using `ddrescue` (Recommended)

ddrescue is designed for copying failing drives but works perfectly for cloning LUKS partitions safely. It handles bad sectors gracefully and can skip over errors.

Identify Source & Destination: Use lsblk to find the correct device names (e.g., /dev/sda1, /dev/sdb1). Be absolutely sure you have these right!
Unmount the Partition: Ensure the source partition is unmounted:
```
sudo umount /dev/sda1
```
Clone with ddrescue: This command clones, skipping errors and logging progress. Replace /dev/sda1 (source) and /dev/sdb1 (destination). The map file keeps track of copied blocks:
```
sudo ddrescue /dev/sda1 /dev/sdb1 /path/to/rescue.map
```
Resize the Destination Partition: After cloning, the destination partition might be smaller than the source. Use parted or gparted to resize it if needed.
```
sudo parted /dev/sdb -s
```
(Then use ‘resizepart’ within parted)
Check Filesystem: Run a filesystem check on the destination partition:
```
sudo fsck -f /dev/sdb1
```

2. Using `cryptsetup luksClone`

This is a more direct method, but requires careful attention to UUID handling.

Identify Source & Destination: As with ddrescue, use lsblk to confirm device names.
Unmount the Partition: Unmount the source partition:
```
sudo umount /dev/sda1
```
Clone with luksClone: This command copies the LUKS header and data.
```
sudo cryptsetup luksClone /dev/sda1 /dev/sdb1
```
Update UUID (Important!): Cloning creates a new UUID on the destination. You need to update your system’s configuration files (e.g., /etc/crypttab, /etc/fstab) to use the *new* UUID of the cloned partition. Use blkid to find the new UUID:
```
sudo blkid /dev/sdb1
```
Check Filesystem: Run a filesystem check on the destination partition:
```
sudo fsck -f /dev/sdb1
```

Important Considerations

Backups: Always have a backup of your data before attempting any cloning operation.
Device Names: Double-check device names! Using the wrong devices can lead to irreversible data loss.
Space Requirements: The destination partition must be at least as large as the source partition.
Filesystem Support: Ensure both partitions use compatible filesystems (e.g., ext4, XFS).