Cloning Encrypted drives
- FOG Version: Fog 1.3
- Service Version:
- OS: CentOS 7
I need to clone encrypted disks that can be re-sizable. I am trying to avoid dd due to time constraints and the inability to resize. I need to be able to multicast - or at the very least image often, so that is why dd would be prohibitively slow and restrictive.
I can either create an image of an encrypted drive, or hopefully, I can use FOG to create the encrypted drive and clone into it. I thought I could run a preimage script with FOG to set up LUKS partitions and have FOG then unpack the image into this.
Is this possible?
You’re probably right in terms of the value for $129, considering what Casper Secure Drive offers is so unique. BTW, you’re right that the files are accessible in a Bitlocker drive, but when I open Bitlocker management in Windows, there’s an option for Bitlocker to be in a locked (active bitlocker) or unlocked (bitlocker turned off, but the disc is not decrypted). I.e., I’ve got a Bitlocker drive that’s encrypted, but when in Windows I have the option for Bitlocker management to have Bitlocker turned on or off (locked vs unlocked), even though the drive itself remains encrypted. Bottom line, no other software will do a proper clone of an encrypted drive when the Bitlocker management has it in a locked, active state, thereby producing a cloned and encrypted drive. Again, though, I couldn’t test its resizing function because it’s only the trial version. I also didn’t test that it works with PGP encryption (Opal 2.0), although it’s supposed to. I have communicated with the developers, and they are very prompt to respond, so my guess is that any problems will be addressed pretty quickly with this software. Any idea how something this unique is so “under the radar”? I never see it mentioned in reviews.
But I was running Windows 10 on my Bitlocker drive with Bitlocker in a ‘locked’ state, and ran the cloning function.
Well, while you have Windows up and running the files in the encrypted partition are accessible (what I would call unlocked) because otherwise Windows wouldn’t come up at all. So it’s very smart to do the cloning in a running Windows environment. Still it’s quite a challenge to get this right and make it so that you can properly boot straight from the cloned disk. Therefore I agree with what Wayne just said: The money is definitely worth it for what they offer! (… though it’s not at all black magic if you understand what I mean)
if I want to keep using it, it’s <gulp> $129.
This is a trivial amount of money for the functionality offered, honestly. Have your work pay for it.
I was surprised also at this. I didn’t think this Casper Secure Disc would work. But I was running Windows 10 on my Bitlocker drive with Bitlocker in a ‘locked’ state, and ran the cloning function. I then shut down my computer, and booted up from the cloned disc. Because the cloned disc saw a change in the hardware, I had to initially enter the Registration Key, and then it booted up like my original encrypted disc. On a second reboot, the cloned disc just asked for PIN. I haven’t found any other software that can do this, and I’m not sure how Casper Secure Drive does it. I guess that explains their $129 price tag, vs the many free options out there. Further, it will let you resize the drive (in the paid version), although I didn’t test it since I only had the trial version.
It’s fast, done within windows, and you can keep working while it clones.
Well that’s a huge difference to what usual disk cloning does. While you are in a running windows environment you can access the files directly because the drive is unlocked (done when you enter the key on boot up). There is no way we can do something like this.
Marking this solved now as I don’t see this as something we should bother about from the FOG side of things.
Almost all cloning software (Macrium, Symantec, EaseUS, AOMEI, Acronis, etc) will clone a bitlocker drive IF it’s unlocked, with the resulting clone being bootable, but not bitlockered. You then need to encrypt it. A far faster option is to use Casper Secure Disc 4.2, which enables you to clone the Bitlocker drive while locked to another drive, and the result is a bootable clone that is encrypted with bitlocker and the same PIN and registration key. It’s fast, done within windows, and you can keep working while it clones. I’ve done it with Win10 x64 successfully. The problem: I used a trial version which does not allow resizing, and when my 30 days are up, if I want to keep using it, it’s <gulp> $129. Not sure if it’s worth the convenience of saving me the time to simply clone and encrypt the target in two steps vs buying the software. Nonetheless, this is the only option I’ve seen that can fully clone a PGP or Bitlocker drive to another encrypted drive.
What you ask is definitely not impossible (see here for example: https://errietta.me/blog/luks-clonezilla/) but way beyond the scope of what most users are using. Therefore this feature has not been implemented yet. There is a lot that can go wrong with encrypted disks and it would be extremely hard to have this implemented in FOG fail-proof.
As I said, it is possible and you are most welcome to modify the scripts and make it work for you. I recommend starting here: https://wiki.fogproject.org/wiki/index.php?title=Modifying_the_Init_Image
Feel free to ask questions if you are stuck in the details!
@michael.golla Yes, it’s called postdownloadscripts. We don’t have any official documentation (maybe you can write it?), but we have some good threads on the topic - here are some of the better ones:
@Tom-Elliott To clarify, I assume there is a snap-in that would apply whole disk encryption after imaging? This is Linux, and so BitLocker would not apply. Would this be part of the finalization/optimization stage of the cloning process (forgive me if I have my terminology incorrect).
@Tom-Elliott He’s talking about linux encryption using LUKS but your ideas still can apply.
Once the image is applied, (and presumably the partitions resized) you can schedule the disks to be encrypted. This would be the means I would take if I had to do this.
Heck, using the FOG Client you could use the snapins to install the encrypting agent, or spawn the start of the bit-locker processes. This would make the encrypted disk user dependent and allow you to capture the recovery keys in case the user leaves or forgets their encryption information while segmenting each system separately.
Encrypted partitions are encrypted. There’s no way to know anything about the data. The only way to capture encrypted data is all or none. There’s no way, that I’m aware of, to do this in a resizable format.
To image in a resizable means you would need the disk un-encrypted.
Even if you created the partitions beforehand, the fog.download scripts would wipe them out. You would need to modify the init itself to do what you need.
Make modifications to the source as you need, then build the inits, and put them onto your fog server for testing. https://wiki.fogproject.org/wiki/index.php?title=Build_FOG_file_system_with_BuildRoot
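The point made above, that a LUKS partition carries no recoverable filesystem structure and so can only be captured raw, can be checked before a capture is scheduled. The following is an added example written for this thread, not FOG code or a FOG script: it inspects the first bytes of a partition for the LUKS header signature (`LUKS\xba\xbe`), the ext superblock magic (0xEF53 at offset 0x438) and the NTFS OEM ID, and falls back to an entropy estimate for anything unrecognised (ciphertext reads as near-random). The `capture_mode` mapping and the `constructed_sample` generator are assumptions made for the example, not FOG behaviour.

```python
import math
import os
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # primary header signature, LUKS1 and LUKS2
EXT_MAGIC = 0xEF53             # ext2/3/4 superblock magic, LE u16 at 0x438
NTFS_OEM = b"NTFS    "         # NTFS boot sector OEM ID at offset 3

def shannon_entropy(data):
    """Bits per byte; ciphertext/random data sits near 8.0, structured data lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_partition(head):
    """Classify the leading bytes of a partition (read at least 64 KiB).
    Returns 'luks', 'ext', 'ntfs', 'random' or 'unknown'."""
    if head[:6] == LUKS_MAGIC:
        return "luks"
    if len(head) >= 0x43A and struct.unpack_from("<H", head, 0x438)[0] == EXT_MAGIC:
        return "ext"
    if head[3:11] == NTFS_OEM:
        return "ntfs"
    if shannon_entropy(head) > 7.9:        # no known header and looks like ciphertext
        return "random"
    return "unknown"

def capture_mode(kind):
    """Assumed policy: only filesystem-aware kinds can be captured resizable;
    encrypted or unrecognised data must be copied block-for-block (raw)."""
    return "resizable" if kind in ("ext", "ntfs") else "raw"

def constructed_sample(kind):
    """Constructed 64 KiB partition heads for demonstration, not real disks."""
    head = bytearray(65536)
    if kind == "luks":
        head[:6] = LUKS_MAGIC
        struct.pack_into(">H", head, 6, 2)          # LUKS version field = 2
        head[4096:] = os.urandom(65536 - 4096)      # body indistinguishable from random
    elif kind == "ext":
        struct.pack_into("<H", head, 0x438, EXT_MAGIC)
    elif kind == "ntfs":
        head[3:11] = NTFS_OEM
    elif kind == "random":
        head[:] = os.urandom(65536)                 # encrypted volume with no header
    return bytes(head)

if __name__ == "__main__":
    for k in ("luks", "ext", "ntfs", "random"):
        print(k, classify_partition(constructed_sample(k)), capture_mode(classify_partition(constructed_sample(k))))
```

On a real system the head would come from `open('/dev/sdX1', 'rb').read(65536)` as root; a `luks` or `random` verdict means the partition has to be decrypted first, or captured raw, before any resizable image is possible.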