Clonezilla Imaging onto a LUKS Encrypted Filesystem

2025-09-27

This guide shows how to use Clonezilla to image a disk or partition and save the image onto a LUKS-encrypted ext4 filesystem. It covers creating the LUKS container, formatting it with ext4, manually mounting it to /home/partimag/ (required by Clonezilla for local-disk images), running Clonezilla, and safe teardown.

This will give maximum write performance and security for storing disk images. It is assumed you have basic familiarity with Linux command line, LUKS, and Clonezilla.

I have tested this to perform 180 MB/s writes to a LUKS ext4 target on a USB 3.0 external dock mounted WD Red 4TB CMR drive in dd mode. The source was a 2TB disk containing a Veracrypt encrypted system Windows partition, thus a sector-by-sector copy of ciphertext. When not using this method, and writing to a standard non-encrypted ntfs partition on the same drive, I've only seen 40-50 MB/s when using Clonezilla's built in ecryptfs encryption, with Clonezilla's "no compression" setting selected.

Prerequisites

  • A Clonezilla Live USB (or ISO) you can boot from.
  • Target device (the device that will hold images) e.g. /dev/sdb or /dev/sdb1. Back up any important data on that device if you need to. The commands in this guide will destroy data.
  • Source device/partition to image (e.g. /dev/sda or /dev/sda1).

Safety

  • Double-check device names with lsblk and blkid before running destructive commands. Make sure you are working on the correct disks/partitions.
  • These examples use /dev/sdb as the target partition. Replace with the correct device on your system.

Prepare target

Prepare the LUKS-encrypted ext4 filesystem

Boot the Clonezilla Live USB and open a root shell. Use Ctrl+Alt+T or drop to shell from the Clonezilla menu, or use Alt+F1 and Alt+F2 to switch between the Clonezilla menu and shell.

Switch to root. All the operations below require root, we'll assume you are root from here on.

sudo -i

Identify the target device:

lsblk -f

Create a partition on the target disk if needed. This example uses /dev/sdb directly without creating any partitions. Examples using parted or fdisk is omitted. Use your preferred partitioning tool.

Initialize LUKS on the target device or partition. Create a new LUKS container on the partition (will erase it)

cryptsetup luksFormat /dev/sdb

Open the LUKS container and map it to a name (here: partimag):

cryptsetup open /dev/sdb partimag

Create an ext4 filesystem inside the opened LUKS mapping:

mkfs.ext4 /dev/mapper/partimag

Clonezilla expects local image repositories to be mounted under /home/partimag when using the local_dev option. Manually mount the decrypted mapping there.

mkdir -p /home/partimag
mount /dev/mapper/partimag /home/partimag

Verify space and contents

df -h /home/partimag
ls -la /home/partimag

With Clonezilla, save the image to the LUKS filesystem at /home/partimag.

Run Clonezilla

Using the Clonezilla menus:

  • Choose device-image.
  • Choose local_dev as the destination.
  • When prompted to choose the directory, select /home/partimag as is, skip the part asking you mount it, as we have already performed this manually.
  • Choose savedisk (to save an entire disk) or saveparts (to save selected partitions).
  • Follow prompts: naming the image, compression method (gzip, zstd, etc.), and whether to check or skip bad sectors.
  • Start the image operation and monitor progress.

After imaging, unmount and close LUKS.

When imaging finishes, safely unmount and close the LUKS container. This is normally not required if you simply run reboot or poweroff. But if you plan on doing something else in the live environment, do this:

sync
umount /home/partimag
cryptsetup close partimag

Confirm the mapping is gone

ls /dev/mapper

Next time you want to use the LUKS container, repeat the open and mount steps in a console:

cryptsetup open /dev/sdb partimag
mount /dev/mapper/partimag /home/partimag

To restore images later, reverse the steps:

  • Boot Clonezilla Live.
  • In a console, unlock and mount the LUKS container to/home/partimag (as above). Do not format it again!
  • Run Clonezilla and choose restore (restoredisk or restoreparts).
  • After restore, unmount and close LUKS.

Tips and troubleshooting

  • If Clonezilla can't see /home/partimag, confirm the mountpoint path and that the ext4 filesystem is mounted at /home/partimag (not /home/partimag/whatever).
  • If you prefer an encrypted file store rather than an entire partition, you can create a loopback file on the target device, cryptsetup it, and format. The same mount rules apply.
  • For large image storage, choose zstd compression in Clonezilla for a good speed/size tradeoff. But don't do this for uncompressable data, e.g encrypted sources.
  • Keep the LUKS passphrase safe, without it, the images are inaccessible.

Summary

Example full command sequence (replace /dev/sdb appropriately), for preparing a new target drive for storing images:

lsblk -f
cryptsetup luksFormat /dev/sdb
cryptsetup open /dev/sdb partimag
mkfs.ext4 -L partimag /dev/mapper/partimag
mkdir -p /home/partimag
mount /dev/mapper/partimag /home/partimag
df -h /home/partimag
clonezilla # or switch to Clonezilla menu with Alt+F1

# After Clonezilla work:
umount /home/partimag
cryptsetup close partimag

If drive was already prepared, just:

cryptsetup open /dev/sdb partimag
mount /dev/mapper/partimag /home/partimag
clonezilla # or switch to Clonezilla menu with Alt+F1

# After Clonezilla work:
umount /home/partimag
cryptsetup close partimag

Conclusion

Saving Clonezilla images to a LUKS-encrypted ext4 filesystem is straightforward: create and open a LUKS container, format it, mount it at /home/partimag, and use Clonezilla's local_dev option. Always confirm device names before destructive operations and keep your LUKS passphrase backed up securely.