Cloning Encrypted drives
- FOG Version: Fog 1.3
- Service Version:
- OS: CentOS 7
I need to clone encrypted disks that can be resizable. I am trying to avoid dd due to time constraints and the inability to resize. I need to be able to multicast - or at the very least image often, so that is why dd would be prohibitively slow and restrictive.
I can either create an image of an encrypted drive, or hopefully, I can use FOG to create the encrypted drive and clone into it. I thought I could run a preimage script with FOG to set up LUKS partitions and have FOG then unpack the image into this.
Is this possible?
What you ask is definitely not impossible (see here for example: https://errietta.me/blog/luks-clonezilla/) but way beyond the scope of what most users are using. Therefore this feature has not been implemented yet. There is a lot that can go wrong with encrypted disks and it would be extremely hard to have this implemented in FOG - fail-proof.
As I said, it is possible and you are most welcome to modify the scripts and make it work for you. I recommend starting here: https://wiki.fogproject.org/wiki/index.php?title=Modifying_the_Init_Image
Feel free to ask questions if you are stuck in the details!
@michael.golla Yes, it’s called postdownloadscripts. We don’t have any official documentation (maybe you can write it?), but we have some good threads on the topic - here are some of the better ones:
@Tom-Elliott To clarify, I assume there is a snap-in that would apply whole disk encryption after imaging? This is Linux, and so BitLocker would not apply. Would this be part of the finalization/optimization stage of the cloning process (forgive me if I have my terminology incorrect).
@Tom-Elliott He's talking about Linux encryption using LUKS but your ideas still can apply.
Once the image is applied (and presumably the partitions resized), you can schedule the disks to be encrypted. This would be the means I would take if I had to do this.
Heck, using the FOG Client you could use the snapins to install the encrypting agent, or spawn the start of the BitLocker processes. This would make the encrypted disk user dependent and allow you to capture the recovery keys in case the user leaves or forgets their encryption information while segmenting each system separately.
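As an added example (not code from this thread or from the FOG project): if the disks are encrypted after deployment as suggested above, a small POSIX shell audit that a postdownload script or first-boot unit could run to confirm that every Linux partition on the deployed disk ended up as LUKS, apart from an allowlist of partitions that must stay cleartext (boot/EFI). The partition names and the sample `lsblk` output are constructed for the demonstration.

```shell
#!/bin/sh
# Audit whether the partitions on a freshly imaged Linux host are LUKS.
# Reads `lsblk -rno NAME,TYPE,FSTYPE` output on stdin so it can be run
# offline against captured output; prints every partition whose filesystem
# is not crypto_LUKS, skipping an allowlist of names that must stay cleartext.
# Returns 0 when nothing unexpected is in cleartext, 1 otherwise.

# $1: space-separated allowlist of partition names (e.g. "sda1" for /boot/efi)
audit_luks() {
    allow=" ${1:-} "
    found=0
    while read -r name type fstype; do
        [ "$type" = "part" ] || continue          # skip whole disks, crypt/lvm mappers
        [ -n "$fstype" ] || continue               # unformatted slot, nothing to protect
        [ "$fstype" = "crypto_LUKS" ] && continue  # encrypted as required
        case "$allow" in *" $name "*) continue ;; esac
        printf 'CLEARTEXT %s %s\n' "$name" "$fstype"
        found=1
    done
    return $found
}

# Constructed sample of `lsblk -rno NAME,TYPE,FSTYPE` (hypothetical host):
# the EFI partition is allowlisted, the root is LUKS, the data partition is not.
sample_lsblk() {
    printf 'sda disk\n'
    printf 'sda1 part vfat\n'
    printf 'sda2 part crypto_LUKS\n'
    printf 'sda3 part ext4\n'
}

# Live use on a deployed host: sh audit_luks.sh --live "sda1"
if [ "${1:-}" = "--live" ]; then
    lsblk -rno NAME,TYPE,FSTYPE | audit_luks "${2:-}"
fi
```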
Encrypted partitions are encrypted. There’s no way to know anything about the data. The only way to capture encrypted data is all or none. There’s no way, that I’m aware of, to do this in a resizable format.
To image in a resizable means you would need the disk un-encrypted.
Even if you created the partitions beforehand, the fog.download scripts would wipe them out. You would need to modify the init itself to do what you need.
Make modifications to the source as you need, then build the inits, and put them onto your fog server for testing. https://wiki.fogproject.org/wiki/index.php?title=Build_FOG_file_system_with_BuildRoot