Recommended way of cloning an encrypted installation

Posted: 2020/07/03 14:08:48
by dmichael
Hello,

I have a notebook with CentOS 8.2 with an encrypted root and data partition. After the installation, I have continued working on it, and the current state should serve as a base for other notebooks, in order not to have to do the whole procedure again. Our past approach was to just copy and compress the whole hard drive image onto an external drive, which does not seem as straightforward with an encrypted drive. Here's the output of lsblk:

NAME                                          FSTYPE      LABEL MOUNTPOINT
nvme0n1                                                         
├─nvme0n1p1                                   vfat              /boot/efi
├─nvme0n1p2                                   ext4              /boot
└─nvme0n1p3                                   crypto_LUKS       
  └─luks-378e7d72-a2bd-4553-9e3d-194b32607345 LVM2_member       
    ├─cl_centos82-root                        xfs               /
    ├─cl_centos82-swap                        swap              [SWAP]
    └─cl_centos82-data                        xfs               /data

Here are a few possible approaches, but they all have some considerable drawbacks:
  • Just copy and compress the whole disk. The sectors which have not been written to (i.e. are zeroes) can be compressed very well, but the sectors which have had at least one write access are encrypted, and make compression inefficient. It is also discouraged by the cryptsetup FAQ. However, sharing the same master key is not an issue for our case.
  • Copy the image of the boot partitions and the decrypted LUKS partition separately. The unwritten sectors on the LUKS partition are garbled this way and cannot be compressed efficiently. I would like to avoid filling the free space of the encrypted drive with zeroes, as it seems like a waste of resources and cannot be reversed easily.
  • Copy the contents at file system level. Using rsync or xfs_copy or xfsdump/xfsrestore. This, however, would require partitioning everything first. Either by copying the partition table with sfdisk, or doing everything manually. But for the manual process, I am not sure what Anaconda has done during the installation process, and the logs are very verbose. Furthermore, I would need to adjust the partition UUIDs everywhere, but I think this is manageable.
  • Using Kickstart. I could write everything I have done afterwards into the post script, but I can't remember everything, and the bash history only reaches so far. Furthermore, I have not worked through the whole Kickstart documentation yet, so I don't know what is possible and what isn't.
What do you think would be the best, or even better approach? The effort should be focused on setting up the backup of the current system, and restoring should be as simple as possible.

Thanks in advance!
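
The compression trade-off in the first approach can be measured before committing to it. The following is an added example, not part of the original post: it scans a raw image in chunks, counts never-written (all-zero) chunks against written ones, and reports the zlib-compressed size. The sample image is constructed, with random bytes standing in for LUKS ciphertext, and all function names are hypothetical.

```python
import io
import os
import sys
import zlib

def survey_image(stream, chunk_size=1 << 20):
    """Scan a raw disk image; count all-zero vs. written chunks and
    measure the zlib-compressed size of the whole stream."""
    zero = written = raw = packed = 0
    comp = zlib.compressobj(6)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        raw += len(chunk)
        if chunk.count(0) == len(chunk):   # never written: all zeroes
            zero += 1
        else:                              # holds ciphertext or plain data
            written += 1
        packed += len(comp.compress(chunk))
    packed += len(comp.flush())
    return {"zero_chunks": zero, "written_chunks": written,
            "raw_bytes": raw, "compressed_bytes": packed}

def constructed_image(chunk_size=64 * 1024, written=4, unwritten=12):
    """Constructed sample: random bytes stand in for LUKS ciphertext
    (assumption: ciphertext is indistinguishable from random data),
    followed by zero-filled chunks standing in for unwritten sectors."""
    return io.BytesIO(os.urandom(written * chunk_size)
                      + bytes(unwritten * chunk_size))

def report(stats):
    """One-line summary; the ratio approximates the archive size."""
    ratio = stats["compressed_bytes"] / max(stats["raw_bytes"], 1)
    return (f"{stats['written_chunks']} written / "
            f"{stats['zero_chunks']} zero chunks, "
            f"compressed to {ratio:.1%} of raw size")

if __name__ == "__main__":
    # Pass the path of a raw image file, or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(report(survey_image(f)))
    else:
        print(report(survey_image(constructed_image(), 64 * 1024)))
```

On the constructed sample the compressed size comes out at roughly the size of the written region alone, which is the lower bound to expect from a compressed whole-disk copy of an encrypted drive.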