[SOLVED] Backup and dedupe a VM with LUKS

[Daniel-Doggy]

Hello everyone,

I am current planning on adding LUKS to a VM that I also use as a desktop to access my internal VMs.
I would think/asume that dedupe for the VM on PBS would still work with LUKS encryption apart from that it can only dedupe with its own data from its own disk.
But does anyone know if this is a correct assumption or is dedupe of a VM completely lost when adding LUKS to a VM?

 

[UdoB]

But does anyone know if this is a correct assumption

Well..., I did not verify this actively, but: yes.

or is dedupe of a VM completely lost when adding LUKS to a VM?

The backup process will copy the content of the virtual harddisk into the backup system. Whether the raw disk is encrypted or not should be completely irrelevant. At the end the virtual disk is allowed to contain any theoretically possible data.

The most part of the encrypted content will stay the same today, tomorrow, next week. Correct? (Except of the small amount of data which is modified during normal usage, of course.)

You've mentioned the only drawback already: "...apart from that it can only dedupe with its own data".

 

[Daniel-Doggy]

Thanks for the info.

I would indeed assume that only my first backup is as big as the disk itself. (Since debian by default writes garbage to the disk before adding LUKS to prevent old data leaking.)
And after that just small updates as things change on the disk.
I would also think that PBS would not care about the disk being a LUKS but given that it not common to do LUKS on a VM, it never hurts to ask.
And besides that we also have single file restore but that would 100% not work with LUKS. (But also here a clear difference between will not work and it breaks your backup as the feature creating compatibilty issues.)

 

[Daniel-Doggy]

After some testing it seems like LUKS on a VM with PBS work fine with a couple of (expected) limitation.

1. Dedupe work fine but backup differentials are still 200% to 300% bigger then without LUKS. (There are way more chunk diffs compared to without LUKS.)
2. FIle restore will work for non LUKS partitions but LUKS partitions with just throw errors that it cannnot read the disk.
3. Backup restore is way slower then without LUKS. This is expected as it is not really "slower" but given that (at least on debian installers) it first write random data to the disk before adding LUKS, as fair as PBS and/or PVE know there are no empty/unused chunks.

 

[MarkusKo]

 (at least on debian installers) it first write random data to the disk before adding LUKS

As far as i know you can disable this with a checkbox - LUKS encryption without overwriting the whole disk.

 

[Daniel-Doggy]

As far as I know, yes you can skip this step, I however do not know if it would actually help with disk usage and chunk changes. (I would assume that regardless of if you write random data to disk before adding LUKS or not you would eventually run into this.)
Since as far as I know when something gets "deleted" from a disk its not really deleted but rather marked to be overwritten with new data later. (Same reason as why you can still recover files form a disk even after you have permanently deleted them.)
And given that all the data on the VM disk is encrypted by LUKS, PVE / PBS does not know which chunks are marked as "deleted" and thus cannot exclude them from the backup chunks. (But if I am wrong feel free to correctly me on it.)