Backup & Recovery

By admin, 2 April, 2020

Boot & Encryption Backup

Cryptsetup Header Backup:

# cryptsetup luksHeaderBackup /dev/

Cryptsetup Header Restore:

# cryptsetup luksHeaderRestore /dev/

Check before restoring:

# cryptsetup -v --header /mnt/

# mount /dev/mapper/test /mnt/test && ls /mnt/test

# umount /mnt/test

# cryptsetup close test

Net Backup

FileZilla: full-featured FTP solution for both client and server with an easy-to-use GUI. It is written in C++ and uses the wxWidgets library.

Bare Metal Backup

Clonezilla: a free and open-source disk cloning, disk imaging, data recovery, and deployment computer program.

FSArchiver: a system tool that allows you to save the contents of a file system to a compressed archive file. The file system can be restored on a partition which has a different size and it can be restored on a different file system. Unlike tar/dar, FSArchiver also creates the file system when it extracts the data to partitions. Everything is checksummed in the archive in order to protect the data. If the archive is corrupt, you just lose the current file, not the whole archive.


fsarchiver [ options ] savefs archive filesystem ...

fsarchiver [ options ] restfs archive id=n,dest=filesystem[,mkfs=fstype,mkfsopt=options] ...

fsarchiver [ options ] savedir archive directory ...

fsarchiver [ options ] restdir archive destination

fsarchiver [ options ] archinfo archive

fsarchiver [ options ] probe [detailed]


savefs Save filesystems to archive.

restfs Restore filesystems from archive. This overwrites the existing data on filesystems. Zero-based index n indicates the part of the archive to restore. Optionally, a filesystem may be converted to fstype.

savedir Save directories to archive (similar to a compressed tarball).

restdir Restore data from archive which is not based on a filesystem to destination.

archinfo Show information about an existing archive file and its contents.

probe Show list of filesystems detected on the disks.


-h, --help Show help and information about how to use fsarchiver with examples.

-V, --version Show program version and exit.

-v, --verbose Verbose mode (can be used several times to increase the level of details). The details will be printed to the console.

-o, --overwrite Overwrite the archive if it already exists instead of failing.

-d, --debug Debug mode (can be used several times to increase the level of details). The details will be written in /var/log/fsarchiver.log.

-A, --allow-rw-mounted Allow to save a filesystem which is mounted in read-write (live backup). By default fsarchiver fails with an error if the partition if mounted in read-write mode which allows modifications to be done on the filesystem during the backup. Modifications can drive to inconsistencies in the backup. Using lvm snapshots is the recommended way to make backups since it will provide consistency, but it is only available for filesystems which are on LVM logical-volumes.

-a, --allow-no-acl-xattr Allow to run savefs when partition is mounted without the acl/xattr options. By default fsarchiver fails with an error if the partition is mounted in such a way that the ACL and Extended-Attributes are not readable. These attributes would not be saved and then such attributes could be lost. If you know what you don't need ACL and Extended-Attributes to be preserved then it's safe to run fsarchiver with that option.

-e pattern, --exclude=pattern Exclude files and directories that match that pattern. The pattern can contains shell asterisks such as * and ?, and the pattern may be either a simple file/dir name or an absolute file/dir path. You must use quotes around the pattern each time you use wildcards, else it would be interpreted by the shell. The wildcards must be interpreted by fsarchiver. See examples below for more details about this option.

-L label, --label=label Set the label of the archive: it's just a comment about the contents. It can be used to remember a particular thing about the archive or the state of the filesystem for instance.

-z level, --compress=level Valid compression levels are between 1 (very fast) and 9 (very good). The memory requirement increases a lot with the best compression levels, and it's multiplied by the number of compression threads (option -j). Level 9 is considered as an extreme compression level and requires an huge amount of memory to run. For more details please read this page:

-s mbsize, --split=mbsize Split the archive into several files of mbsize megabytes each.

-j count, --jobs=count Create more than one compression thread. Useful on multi-core CPUs. By default fsarchiver will only use one compression thread (-j 1) and then only one logical processor will be used for compression. You should use that option if you have a multi-core CPU or more than one physical CPU on your computer. The typical way to use this option is to specify the number of logical processors available so that all the processing power is used to compress the archive very quickly. You may also want to use all the logical processors but one for that task so that the system stays responsive for other applications.

-c password, --cryptpass=password Encrypt/decrypt data in archive. Password length: 6 to 64 chars. You can either provide a real password or a dash ("-c -") with this option if you do not want to provide the password in the command line and you want to be prompted for a password in the terminal instead.


save only one filesystem (/dev/sda1) to an archive:

fsarchiver savefs /data/myarchive1.fsa /dev/sda1

save two filesystems (/dev/sda1 and /dev/sdb1) to an archive:

fsarchiver savefs /data/myarchive2.fsa /dev/sda1 /dev/sdb1

restore the first filesystem from an archive (first = number 0):

fsarchiver restfs /data/myarchive2.fsa id=0,dest=/dev/sda1

restore the second filesystem from an archive (second = number 1):

fsarchiver restfs /data/myarchive2.fsa id=1,dest=/dev/sdb1

restore two filesystems from an archive (number 0 and 1):

fsarchiver restfs /data/arch2.fsa id=0,dest=/dev/sda1 id=1,dest=/dev/sdb1

restore a filesystem from an archive and convert it to reiserfs:

fsarchiver restfs /data/myarchive1.fsa id=0,dest=/dev/sda1,mkfs=reiserfs

restore a filesystem from an archive and specify extra mkfs options:

fsarchiver restfs /data/myarchive1.fsa id=0,dest=/dev/sda1,mkfs=ext4,mkfsopt="-I 256"

save the contents of /usr/src/linux to an archive (similar to tar):

fsarchiver savedir /data/linux-sources.fsa /usr/src/linux

save a /dev/sda1 to an archive split into volumes of 680MB:

fsarchiver savefs -s 680 /data/myarchive1.fsa /dev/sda1

save a filesystem and exclude all files/dirs called 'pagefile.*'

fsarchiver savefs /data/myarchive.fsa /dev/sda1 --exclude='pagefile.*'

exclude 'share' in both '/usr/share' and '/usr/local/share':

fsarchiver savefs /data/myarchive.fsa --exclude=share

absolute exclude valid for '/usr/share' but not '/usr/local/share'

fsarchiver savefs /data/myarchive.fsa --exclude=/usr/share

save a filesystem (/dev/sda1) to an encrypted archive:

fsarchiver savefs -c mypassword /data/myarchive1.fsa /dev/sda1

extract an archive made of simple files to /tmp/extract:

fsarchiver restdir /data/linux-sources.fsa /tmp/extract

show information about an archive and its file systems:

fsarchiver archinfo /data/myarchive2.fsa

Storage Check and Recovery

There are two powerful available rescue utilities from cgsecurity:

TestDisk: checks the partition and boot sectors of your disks. It is very useful in forensics, recovering lost partitions.

PhotoRec: a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Secure Delete Right Click Menu

This option has ability in three different levels to wipe data to prevent others to recover deleted files after using the secure-delete command.

  1. Installing secure-delete with Administration Privilege
  2. Downloading Secure Delete Extension for Dolphin File Manager

What is zuluCrypt?

zuluCryptGUI: zulucrypt is a suite of applications for creating and managing volumes encrypted with luks, plain, truecrypt and veracrypt. zulucrypt-gui is a front end for zulucrypt-cli. This way all activities can be performed easily by the graphical interface.

zuluCrypt is currently Linux only and it does hard drives encryption and it can manage PLAIN dm-crypt volumes, LUKS encrypted volumes, TrueCrypt encrypted volumes, VeraCrypt encrypted volumes and Microsoft’s BitLocker volumes.

zuluCrypt can manage encrypted volumes that are hosted in image files, lvm, mdraid, hard drives, usb sticks or any other block device.

zuluCrypt can also encrypt stand alone files (zuluCrypt menu -> zC -> encrypt a file).

What is zuluMount?

zuluMountGUI: zulucrypt is a suite of applications for creating and managing volumes encrypted with luks, plain, truecrypt and veracrypt. zuluMount-gui is a front end for zuluMount-cli. This way all activities the zulumount-cli can be performed easily by the graphical interface. zuluMount-gui can unlock cryfs, encfs, gocryptfs and ecryptfs.

zuluMount is bundled with zuluCrypt and its meant to be used as a general purpose tool that mount and unmount zuluCrypt supported encrypted volumes as well as unencrypted volumes and it can be used as a substitute to udisks, pmount and related tools.

zuluMount-gui can also be used as a frontend to encfs, gocryptfs, securefs, ecryptfs and cryfs.

zuluMount-gui is ideal for use as a desktop environment/file manager independent tool for mounting/unmounting encrypted and unencrypted volumes.

Chkrootkit Scanner

The chkrootkit security scanner searches the local system for signs that it is infected with a 'rootkit'. Rootkits are set of programs and hacks designed to take control of a target machine by using known security flaws.

  • chkrootkit: a shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the network interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).

Rootkits, Worms and LKMs detected

For an updated list of rootkits, worms and LKMs detected by chkrootkit please visit: