Backup and Restore of an encrypted Linux system
In this blog post I want to write a little bit about backup and restore of encrypted Linux servers with Veeam Agent for Linux.
Encrypting a Linux server with LUKS (Linux Unified Key Setup) is an effective method to safeguard sensitive data and prevent unauthorized access. However, it’s essential to recognize that when a LUKS encrypted server is backed up, the backup application may not recognize that the data is encrypted on disk. This is because the encryption container is typically opened during the system boot process, and the backup application runs afterward.
As a result, the backup file include all the data in an unencrypted format, which could pose a significant security risk if the backup file is accessed by unauthorized individuals. To maintain the same level of security as the original data, it’s crucial to ensure that the backups are also encrypted.
You can do this by activating the encryption in Veeam Agent for Linux job setting to prevent unauthorized access to your data.
When restoring a Linux system with no encrypted volumes, you just insert the Veeam Recovery Media, connect to your repository, restore e.g. the whole disk and reboot. Easy right? Yes it is and properly 99% of all systems can be recovered with this method. But the last 1% is more complicated because the data will be backuped from a virtual crypto device which is not available while the automatic restore . In our scenario it’s a little bit more complicated, but can be done with some manual steps.
Our test system is a virtual machine configured with EFI and Ubuntu 22.04 as operating system. While installing this operating system I’ve selected the whole system encryption via LUKS. On this system I’ve installed the Veeam Agent for Linux Free Edition. The used version was 6.0.
I’ve created one backup job, which backups the entire system to a SMB share. After this the system will then be stopped and a blank VM will be created. This VM is now booted with the recovery ISO.
We starts here after selecting the backup we want to restore. We see on the left side the empty disk and on the right side we see how the partitions was captured/discovered while creating the backup.
In our case we select the device “sda” with Enter. In the small menu which now opens we select “Restore from…” and press Enter.
Now we can select the device from the backup, which we want to restore. In our case we select the device sda, which was the boot disk of our test system.
As you can see the recovery wizard only adds the first two partitions sda1 and sda2 to this disk configuration. This both partitions will be needed to start the Linux Kernel to get to the point in boot process where you can enter the encryption key to continue the system boot.
For restoring the encrypted volumes we need to do additional steps. We select the remaining free space of the device sda and press “Enter”.
From the new menu which opens we select now “Create partition” and press “Enter”. This partition will be used to create the crypto container which stores our LVM.
Per Default the partition will have the remaining space. If you want to change the size to a smaller size, you can enter here the partition size and press “Enter”.
On the left side we now can select “sda3” and press “Enter”. In the small menu we select “Create a LUKS volume” and press “Enter”
Now we can enter a LUKS volume label and press “Enter”. Please note this label because we later need to use this in some commands.
In the next dialog we can set a LUKS volume password and press “Enter”. Volume password will shown in clear text. Please note this password because we need it later to boot our server.
On the right side you can see the LVM volume group object “ubuntu-vg” this name we should note for the next step.
After creating the LUKS volume we need to select the volume “test” and press “Enter” to use it for recreating the LVM.
In the menu we select “Create a new volume group” and press enter.
Now we can create the volume group with the name “ubuntu-vg” and press “Enter”.
After this we have on the left side a device “ubuntu-vg” and a new “free” node. We select this “free” node and press “Enter”.
From this menu we select “Restore from…” and press “Enter” to restore our logical LVM volume.
Now we can select the “ubuntu-lv” node and press “Enter”. After this we are ready to restore our system and can start the restore by pressing the letter “S”.
After pressing the letter “S” we get a little recovery summary, which shows us all steps which will be done while restoring the data.
Now we really start the restore via pressing “Enter”.
After a short while our restore is done and we can exit to the main menu via “Esc”
Because we had to recreate the LUKS volume, we need to change settings on the restored disk. Otherwise our system will not boot.
Please select “Exit to shell” and press “Enter”.
In my environment I got always a message from sudo, that the system name cannot be resolved. You can safely ignore this message.
The first manual step is to mount the restored filesystem inside of the LVM logical volume to /mnt.
veeamuser@veeam-recovery-iso:~$ sudo mount /dev/mapper/ubuntu--vg-ubuntu--lv /mnt
Because we created a new LUKS it has a new UUID. We have the problem that the system will not boot with this new UUID. Because of this we need to find the old UUID and change the UUID later. The UUID of the old LUKS is written to the (/mnt)/etc/crypttab.
veeamuser@veeam-recovery-iso:~$ sudo cat /mnt/etc/crypttab dm_crypt-0 UUID=1234a186-363f-48a4-a3ac-f3d264e4ebd3
To change the UUID we need to umount the filesystem and to deactivate the volume group.
veeamuser@veeam-recovery-iso:~$ sudo umount /dev/mapper/ubuntu--vg-ubuntu--lv veeamuser@veeam-recovery-iso:~$ sudo vgchange -a n 0 logical volume(s) in volume group "ubuntu-vg" now active
Now we can change the UUID for the crypto container on device /dev/sda3 to the UUID used before the restore and close the luks container.
veeamuser@veeam-recovery-iso:~$ sudo cryptsetup luksUUID --uuid 1234a186-363f-48a4-a3ac-f3d264e4ebd3 /dev/sda3 WARNING! ======== Do you really want to change UUID for devices? Are you sure? (Type uppercase yes): YES veeamuser@veeam-recovery-iso:~$ sudo cryptsetup luksClose /dev/mapper/test
After this we are done. We can start e.g. the veeam gui again in initiate a reboot of the system.
veeamuser@veeam-recovery-iso:~$ sudo veeam
We finished the restore of the data volumes back to an encrypted container and while starting the server we see a prompt for enter our passphrase to unlock the disk.
I hope you will like my blog post, if you ever need to make a bare metal recovery of your linux system.