Best practice to backup a LUKS encrypted device

cryptsetup handles image files just as well as block devices, if that was your question. So if you make a dd image (which will be freaking huge) it will work. And if it didn't, you could just create the loop device yourself.

Best practice (if you want to keep the backup encrypted) is to encrypt the backup disk also, then open both containers, then run any backup solution of your choice as you would with unencrypted filesystems. It won't be the fastest method as it'd decrypt data from the source disk and then re-encrypt it for the backup disk. On the other hand it allows for incremental backup solutions, so it should still beat the dd-image-creation on average.

If you want to stick to dd, the only way to make something faster than dd would be a partimage of sorts which takes LUKS header and offset into account, so it would only store the encrypted data that is actually in use by the filesystem.

If the source disk is an SSD and you allow TRIM inside LUKS, and the SSD shows trimmed regions as zeroes, you get this behaviour for free with dd conv=sparse. It's still not something I'd recommend, though.


The simplest method is to make the backup system independent of the encryption system. Create an encrypted volume for the backup. Mount both the original volume and the backup volume, and run your favorite filesystem-level backup software.

Besides the simplicity, an advantage with this method is that the backup volume doesn't have to have the same size and content as the original. You can back up to a subdirectory, you can make incremental backups, etc.

There is also a very slight security advantage. If an attacker grabs your backup and finds your password, and the backup volume is a straight copy of the encrypted volume, you'll need to re-encrypt the original volume. If the backup volume is independently encrypted, it's enough to change the password on the original volume.
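
The procedure both answers above describe (open the source volume and an independently encrypted backup volume, then back up at file level), sketched as an added example that is not part of either answer. The device paths, mapper names, mount points, the `DRY_RUN` switch and the choice of rsync as the backup tool are assumptions.

```shell
#!/bin/sh
# Added example: file-level backup between two independently encrypted LUKS volumes.
# Device paths, mapper names and mount points below are hypothetical placeholders.
set -eu

SRC_DEV="${SRC_DEV:-/dev/sdX2}"    # source LUKS device (assumed not mounted elsewhere)
DST_DEV="${DST_DEV:-/dev/sdY1}"    # backup LUKS device, formatted with its own passphrase
SRC_MNT="${SRC_MNT:-/mnt/src}"
DST_MNT="${DST_MNT:-/mnt/backup}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands only; 0 = execute (needs root)

run() {  # echo the command, then execute it unless this is a dry run
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

open_volumes() {
    # isLuks fails on a device without a LUKS header, so a plain disk is never mounted.
    run cryptsetup isLuks "$SRC_DEV" && run cryptsetup isLuks "$DST_DEV" &&
    run cryptsetup open "$SRC_DEV" src_crypt &&
    run cryptsetup open "$DST_DEV" backup_crypt &&
    run mkdir -p "$SRC_MNT" "$DST_MNT" &&
    run mount -o ro /dev/mapper/src_crypt "$SRC_MNT" &&
    run mount /dev/mapper/backup_crypt "$DST_MNT"
}

copy_files() {
    # Incremental: rsync only rewrites files that changed since the last run.
    run rsync -aHAX --delete --one-file-system "$SRC_MNT/" "$DST_MNT/"
}

close_volumes() {  # best effort, so plaintext mappings never stay open after an error
    run umount "$DST_MNT" || true
    run umount "$SRC_MNT" || true
    run cryptsetup close backup_crypt || true
    run cryptsetup close src_crypt || true
}

luks_backup() {
    status=0
    { open_volumes && copy_files; } || status=$?
    close_volumes
    return "$status"
}

luks_backup
```

With the default `DRY_RUN=1` the script only prints the command sequence; set `DRY_RUN=0` together with real `SRC_DEV` and `DST_DEV` values to execute it.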


What I did

cryptsetup luksOpen <device> <name>
fsarchiver -c - savefs <archive> <filesystem>