Re: dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)

Maybe I also don't understand your use case well enough, but it seems to
me that using dd over ssh would kinda do the trick, right?

If you just want all your files over the network safely, use rsync over
ssh. You say that you want to retain the native features of the
filesystem itself, so as far as rsync doesn't have support for the
specific features you're talking about (snapshots for example), just use
dd to copy over the entire filesystem.

On the sending machine you use something like:
# dd if=/dev/device | ssh root@receiving_system dd of=/dev/device

Or if your sending machine doesn't have access to your receiving system,
do something like this on your receiving system instead:

# ssh root@sending_system dd if=/dev/device | dd of=/dev/device

With regards to security, you now have everything that ssh offers, and I
think most would agree that ssh is secure enough for all practical purposes.

Regards,

Erik.




On 08/01/2013 03:34 PM, Arno Wagner wrote:
> On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
>>
>> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
>>> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland@xxxxxxxxx> wrote:
>>>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>>>
>>>>>      As said, I guess this can be obtained in two ways:
>>>>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
>>>>> not aware of;)
>>>>
>>>>
>>>> No, there is not.
>>>>
>>>> I hope I understand your use case correctly, but if so, this mode
>>>> (transport over network) _cannot_ be secure.
>>>
>>>     Indeed such a solution I'm after won't be "completely" secure (as
>>> a matter of fact nothing can be completely as that would imply
>>> perfection).  And in my particular use case I don't need it.
>>
>> Well, you have been warned... and you can always shoot yourself in the foot ;-)
> 
> And you will. Even exporting the encrypted block device is 
> insecure (i.e. "doing it right"), as disk encryption
> has a different attacker model than communication encryption
> and different limitations. If, at some time, you decide you 
> actually want to be secure, move to any VPN-tunnel like 
> solution.
> 
> Arno 
> 

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
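
Added example, not part of Erik's message or the thread: the dd-over-ssh copy from the message above, followed by a SHA-256 comparison of both ends so a truncated or corrupted transfer is detected. The function names and the REMOTE variable are assumptions of this example; root@receiving_system is the placeholder host from the message.

```shell
#!/bin/sh
# Added example: dd over ssh, then a digest comparison of both ends.
# REMOTE runs one command string on the receiving side. Override it for
# another host, or use REMOTE="sh -c" for a local dry run.
REMOTE=${REMOTE:-ssh root@receiving_system}

# send_image SRC DST: stream SRC to DST on the receiving side.
# SRC must not change during the copy (unmounted device or a snapshot).
# Assumption: paths contain no single quotes.
# A failure of the local dd is not visible in the pipeline status;
# verify_image below is what catches a short or damaged copy.
send_image() {
    dd if="$1" bs=65536 2>/dev/null |
        $REMOTE "dd of='$2' bs=65536 2>/dev/null"
}

# verify_image SRC DST: succeed only if the first size(SRC) bytes of DST
# hash to the same SHA-256 as SRC. Limiting the read matters because the
# receiving device may be larger than the source.
verify_image() {
    size=$(wc -c < "$1") || return 2
    size=$(echo $size)   # drop padding some wc implementations add
    want=$(sha256sum "$1" | cut -d' ' -f1)
    got=$($REMOTE "head -c $size '$2' | sha256sum" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# copy_verified SRC DST: copy, then verify; non-zero status on any failure.
copy_verified() {
    send_image "$1" "$2" && verify_image "$1" "$2"
}
```
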



