@sesopenko
Last active April 29, 2025 03:19
Backup and restore process of encrypted debian 12 install

Encrypted Install Backup

Backup and restoration process for a Debian 12 installation that used the installer's automated partitioning option of LVM with LUKS encryption.

Prerequisites

Installed by default:

  • cryptsetup
  • lvm2
  • rsync
  • sfdisk (part of util-linux)
  • mount, chroot, grub-install, etc.

| Program | Why |
|---|---|
| cryptsetup | Unlock, backup, and restore LUKS encrypted volumes |
| lvm2 | Manage LVM groups, backup and restore VG metadata |
| partclone | Efficient sparse filesystem cloning (ext4, etc.) |
| gdisk | Use sgdisk for GPT partition table backup/restore |
| parted | General partition management (optional but useful) |
| dosfstools | mkfs.vfat needed if restoring EFI system partitions |
| e2fsprogs | Needed for tune2fs, e2label, mke2fs for ext4 (usually preinstalled) |

sudo apt update && sudo apt install cryptsetup lvm2 partclone gdisk parted dosfstools e2fsprogs

Backup process

# -------------------------------------------
# STEP 1: BACK UP THE PARTITION LAYOUT
# -------------------------------------------
# Why?:
#   - Your disk has a partition table (likely GPT).
#   - To fully recreate the structure (boot partition, encrypted partition, etc.) you must save this.

# Command to backup partition layout using sfdisk (good for both MBR and GPT):
sudo sfdisk --dump /dev/sdX > sfdisk-backup.txt

# Alternative (BETTER for GPT-specific disks):
# sgdisk can backup all GPT metadata, including partition UUIDs:
# sudo sgdisk --backup=partition-table.gpt /dev/sdX

# sfdisk gives a human-readable text file. sgdisk gives a binary file.

# -------------------------------------------
# STEP 2: BACK UP THE LUKS ENCRYPTION HEADER
# -------------------------------------------
# Why?:
#   - LUKS encrypted volumes store critical information (keys, cipher info) in the LUKS header.
#   - If the LUKS header is corrupted (due to disk failure, accidental overwrite, etc.), 
#     you CANNOT recover your data, even if the encrypted data is intact.
#   - So save the LUKS header separately and securely!

# Command:
sudo cryptsetup luksHeaderBackup /dev/sdXn --header-backup-file luks-header.img

# Replace /dev/sdXn with your LUKS partition (e.g., /dev/sda3).

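# NOTE:
# - Keep this luks-header.img OFF the machine: copy it to another drive or cloud storage.
# - Without this, full recovery is impossible if the on-disk header is damaged.
# - Treat the file as sensitive: it contains the key slots, so anyone who holds it and
#   knows a passphrase that was valid when it was taken can unlock the volume, even
#   after that passphrase is later changed or removed on the disk.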

# -------------------------------------------
# STEP 3: UNLOCK (OPEN) THE ENCRYPTED LUKS VOLUME
# -------------------------------------------
# Why?:
#   - To access the files inside the encrypted container,
#     you need to unlock (decrypt) it temporarily.

# Command:
sudo cryptsetup luksOpen /dev/sdXn cryptroot

# After this, the decrypted device appears as /dev/mapper/cryptroot.

# -------------------------------------------
# STEP 4: BACK UP THE LVM METADATA (VOLUME GROUP INFO)
# -------------------------------------------
# Why?:
#   - LVM stores metadata describing how physical volumes (PVs),
#     volume groups (VGs), and logical volumes (LVs) are organized.
#   - To recreate the same LVM structure later, you must backup this metadata.

# Command:
sudo vgcfgbackup -f vg-backup-file.vg <VGNAME>

# <VGNAME> is your Volume Group name (e.g., 'debian-vg').
# You can find it by running 'vgs' or 'lvs' to list existing groups.

# The '-f' flag allows you to specify the output file manually.

# -------------------------------------------
# STEP 5: BACK UP THE FILESYSTEM CONTENTS
# -------------------------------------------
# Now you need to backup the actual files (your OS, configs, user data).

# Two good options:

# ---- Option 1: PARTCLONE (preferred for "raw" efficient backup) ----
# Captures only used blocks, skips free space inside ext4 filesystem.
# The filesystem must not be mounted while it is cloned (run this from a live/rescue system).

sudo partclone.ext4 -c -s /dev/mapper/<VGNAME>-root -o rootfs.img

# -c: clone mode (read from source)
# -s: source device (the logical volume)
# -o: output image file

# This creates an image that holds only the used blocks. partclone does not compress;
# the image is smaller than the volume only because free space is skipped.

# ---- Option 2: RSYNC (preferred for full file-level control) ----
# If you prefer to handle files individually (better for selective restores):

# Mount the logical volume:
# sudo mkdir /mnt/rootfs
# sudo mount /dev/mapper/<VGNAME>-root /mnt/rootfs

# Then use rsync to copy preserving permissions, ACLs, hardlinks, device nodes, etc.:
# sudo rsync -aAXHv --numeric-ids /mnt/rootfs/ /path/to/backup/rootfs/

# -a: archive (preserves almost everything)
# -A: preserve ACLs
# -X: preserve xattrs
# -H: preserve hard links
# -v: verbose
# --numeric-ids: preserve UID/GID without mapping them
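
Added example, not part of the original gist: a sanity check for the header image from step 2 and a checksum manifest for the backup artifacts. The function names are made up for this illustration and the three files are tiny constructed stand-ins for the real backups.

```shell
# Print the LUKS format version (1 or 2) of a header image, or return 1.
# LUKS1 and LUKS2 both start with the magic "LUKS\xba\xbe" followed by a
# big-endian 16-bit version number.
luks_header_version() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    case $(head -c 8 "$1" | tail -c 2 | od -An -tx1 | tr -d ' \n') in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Record SHA-256 sums of the named files in <dir>/SHA256SUMS.
write_manifest() {
    dir=$1; shift
    ( cd "$dir" && sha256sum -- "$@" > SHA256SUMS )
}

# Re-check the sums; non-zero exit if any file changed or is missing.
verify_manifest() {
    ( cd "$1" && sha256sum --check --quiet SHA256SUMS )
}

# Constructed stand-ins for the real artifacts (not real backups).
BACKUP_DIR=$(mktemp -d)
printf 'LUKS\272\276\000\002' > "$BACKUP_DIR/luks-header.img"
printf 'label: gpt\n'         > "$BACKUP_DIR/sfdisk-backup.txt"
printf 'debian-vg {\n}\n'     > "$BACKUP_DIR/vg-backup-file.vg"

if ver=$(luks_header_version "$BACKUP_DIR/luks-header.img"); then
    echo "luks-header.img: LUKS$ver header"
else
    echo "luks-header.img: not a LUKS header" >&2
fi
write_manifest "$BACKUP_DIR" luks-header.img sfdisk-backup.txt vg-backup-file.vg
verify_manifest "$BACKUP_DIR" && echo "manifest OK"
```

The magic check only catches an empty or wrong file; `sudo cryptsetup luksDump luks-header.img` reads the image the same way it reads a device and shows the key slots it contains.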

Restore Process

# -------------------------------------------
# STEP 1: RESTORE THE PARTITION TABLE
# -------------------------------------------
# Why?:
#   - You need to recreate the disk structure (EFI partition, encrypted root partition, etc.).

# If you backed up with sfdisk (text format):
sudo sfdisk /dev/sdX < sfdisk-backup.txt

# If you backed up with sgdisk (binary format):
# sudo sgdisk --load-backup=partition-table.gpt /dev/sdX

# After this, the partition layout on the disk will match the original.

# -------------------------------------------
# STEP 2: (OPTIONAL) RESTORE LUKS HEADER
# -------------------------------------------
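# Why?:
#   - Only necessary if your original LUKS header was lost or corrupted.
#   - A blank replacement disk has no LUKS header at all, so it counts as lost:
#     luksOpen in step 3 fails until the header has been restored.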

# Command:
sudo cryptsetup luksHeaderRestore /dev/sdXn --header-backup-file luks-header.img

# If the LUKS header on disk is fine, you can skip this.

# -------------------------------------------
# STEP 3: OPEN THE LUKS ENCRYPTED VOLUME
# -------------------------------------------
# Unlock the partition so you can access the encrypted data:

sudo cryptsetup luksOpen /dev/sdXn cryptroot

# Same as during backup — maps to /dev/mapper/cryptroot.

# -------------------------------------------
# STEP 4: PREPARE PHYSICAL VOLUME (PV) FOR LVM
# -------------------------------------------
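# Why?:
#   - LVM needs a physical volume label on the decrypted device.
#   - vgcfgrestore matches physical volumes by UUID, so the new PV must be created
#     with the UUID recorded in the metadata backup, not a freshly generated one.

# Find the PV UUID: it is the 'id = "..."' line inside the pv0 block of vg-backup-file.vg.

# Command:
sudo pvcreate --uuid "<PV-UUID>" --restorefile vg-backup-file.vg /dev/mapper/cryptroot

# (NOTE: If pvcreate complains about "already existing", you might need to wipe the partition first.)

# -------------------------------------------
# STEP 5: RESTORE LVM METADATA (VOLUME GROUP INFO)
# -------------------------------------------
# Restore the volume group configuration exactly as it was.
# '-f' points at the file saved during backup; without it vgcfgrestore looks in
# /etc/lvm/backup/ on the running system, which a rescue environment will not have.

sudo vgcfgrestore -f vg-backup-file.vg <VGNAME>

# Activate the volume group so the logical volumes get device nodes:
sudo vgchange -ay <VGNAME>

# After this, your logical volumes (root, swap, etc.) will reappear inside /dev/mapper/.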

# -------------------------------------------
# STEP 6: RESTORE FILESYSTEM CONTENTS
# -------------------------------------------
# Now you restore your actual filesystem data.

# ---- Option 1: Restore with partclone ----
sudo partclone.ext4 -r -s rootfs.img -o /dev/mapper/<VGNAME>-root

# -r: restore mode (write to device)
# -s: source image
# -o: destination device (logical volume)

# ---- Option 2: Restore with rsync ----
# If you used rsync, first create the ext4 filesystem again:
# sudo mkfs.ext4 /dev/mapper/<VGNAME>-root

# Mount it:
# sudo mount /dev/mapper/<VGNAME>-root /mnt/rootfs

# Then rsync the data back:
# sudo rsync -aAXHv --numeric-ids /path/to/backup/rootfs/ /mnt/rootfs/

# -------------------------------------------
# STEP 7: (OPTIONAL) RESTORE UUIDs
# -------------------------------------------
# Why?:
#   - fstab, crypttab, and other config files may refer to filesystem UUIDs.
#   - If you recreated the filesystem (mkfs.ext4), UUIDs changed.

# To manually set the UUID back:
# sudo tune2fs -U <original-UUID> /dev/mapper/<VGNAME>-root

# (You can get the original UUID from your backup notes, blkid outputs, or fstab.)

# -------------------------------------------
# STEP 8: REINSTALL THE BOOTLOADER (GRUB)
# -------------------------------------------
# Why?:
#   - New disks don't have a bootloader installed.
#   - After restoring rootfs, you must reinstall GRUB so the system can boot.

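# The root LV must be mounted at /mnt/rootfs first (the partclone path above never mounts it):
# sudo mkdir -p /mnt/rootfs
# sudo mount /dev/mapper/<VGNAME>-root /mnt/rootfs
# If /boot and the EFI system partition are separate partitions (Debian's guided
# encrypted LVM layout keeps /boot outside LUKS), mount them at /mnt/rootfs/boot
# and /mnt/rootfs/boot/efi before chrooting; the steps above back up only the root LV.

# Mount necessary system directories into the chroot:
sudo mount --bind /dev /mnt/rootfs/dev
sudo mount --bind /proc /mnt/rootfs/proc
sudo mount --bind /sys /mnt/rootfs/sys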

# Enter the chroot:
sudo chroot /mnt/rootfs

# Install GRUB:
grub-install /dev/sdX

# Update the boot configuration:
update-grub

# Exit the chroot:
exit

# Unmount the bind mounts when done:
# sudo umount /mnt/rootfs/dev /mnt/rootfs/proc /mnt/rootfs/sys

# Done! Your restored system should now boot.
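
Added example, not part of the original gist: for restore steps 4 and 5, this reads the volume group name and the physical volume UUID out of the text file written by `vgcfgbackup -f` and prints the matching LVM commands without running them. It assumes a single PV; the function names are made up for this illustration and the sample metadata, including its UUIDs, is constructed.

```shell
# Volume group name: the first top-level "name {" line of the backup file.
vg_name() {
    awk '/^[A-Za-z0-9_.+-]+ [{]$/ { print $1; exit }' "$1"
}

# UUID of the first physical volume (assumes a single PV).
pv_uuid() {
    awk '/physical_volumes [{]/ { in_pv = 1 }
         in_pv && $1 == "id" { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# device-mapper doubles every hyphen inside VG and LV names.
dm_path() {
    printf '/dev/mapper/%s-%s\n' \
        "$(printf '%s' "$1" | sed 's/-/--/g')" \
        "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# Print (do not run) the restore commands for a backup file and target device.
restore_plan() {
    vg=$(vg_name "$1")
    echo "pvcreate --uuid $(pv_uuid "$1") --restorefile $1 $2"
    echo "vgcfgrestore -f $1 $vg"
    echo "vgchange -ay $vg"
}

# Constructed sample in the vgcfgbackup text format (UUIDs are made up).
SAMPLE_VG=$(mktemp)
cat > "$SAMPLE_VG" <<'EOF'
contents = "Text Format Volume Group"
debian-vg {
    id = "VGvgVG-0000-1111-2222-3333-4444-VGvgVG"
    physical_volumes {
        pv0 {
            id = "Abc123-dEf4-56gH-iJ78-kLm9-0nOp-QrStUv"
            device = "/dev/mapper/cryptroot"
        }
    }
    logical_volumes {
        root {
            id = "LVlvLV-0000-1111-2222-3333-4444-LVlvLV"
        }
    }
}
EOF

restore_plan "$SAMPLE_VG" /dev/mapper/cryptroot
dm_path "$(vg_name "$SAMPLE_VG")" root
```

For a volume group named `debian-vg` the root LV appears as `/dev/mapper/debian--vg-root`, which is the path to use wherever the steps above write `/dev/mapper/<VGNAME>-root`.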