Hi,

On 03/27/2016 01:53 AM, Hugh Bragg wrote:
...
> I don't want to need a dedicated server to deliver a decrypted
> filesystem because I don't want the decrypted data to be exposed to the
> network. I understand I could use secure communications, but this is all
> way too much overhead compared to what I'm trying to achieve.

As Arno said, dm-crypt cannot be used this way - it is not designed to provide a shared block device among servers.

On top of what was already mentioned, probably some combination with a mechanism to share an active/active block device could work (maybe DRBD), but such a solution is quite fragile.

But there is another problem with your solution - you said that you do not want decrypted data on the wire. While accessing an encrypted device (dmcrypt/LUKS) this simple way will put encrypted data over your network, this solution is NOT secure. Anyone can use a replay attack and just replace old ciphertext content (some old, already-seen data) in packets. (Imagine it as a snapshot of the encrypted device in time.)

You have to use an encrypted network connection on top of this (SSH, VPN, ...) to provide a secure transport layer here.

Just sharing an encrypted disk device over the network (even if it is just point-to-point using iSCSI, NBD, whatever) is simply not secure!

Milan

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
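The replay problem Milan describes, and the transport-layer fix he recommends, as an added illustration that is not part of the mailing-list thread and not dm-crypt's own code. It models a dm-crypt-style sector cipher with a simplified sector-tweaked keystream (an assumption for illustration, not the real cipher mode), an exported block store, an on-path recorder that serves back an earlier ciphertext for a sector, and then an authenticated session (HMAC over a sequence number, sector and payload, standing in for what SSH or a VPN provides) that rejects the stale frame. Sector contents and keys are constructed sample values.

```python
import hashlib
import hmac

SECTOR = 16  # toy sector size; real dm-crypt sectors are 512 bytes or larger

# Constructed sample sector contents (padded to SECTOR bytes).
OLD_PLAINTEXT = b"balance=100".ljust(SECTOR)
NEW_PLAINTEXT = b"balance=000".ljust(SECTOR)


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Sector-tweaked keystream: a simplified stand-in for a dm-crypt sector
    cipher mode (assumption for illustration, not dm-crypt's real construction)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + sector.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt_sector(key: bytes, sector: int, data: bytes) -> bytes:
    """XOR with the sector keystream; symmetric, so the same call decrypts.
    Like plain dm-crypt, it carries no integrity tag and no freshness information."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector, len(data))))


class BlockStore:
    """The exported block device: stores and returns opaque ciphertext sectors."""
    def __init__(self):
        self.sectors = {}

    def write(self, sector: int, ct: bytes) -> None:
        self.sectors[sector] = ct

    def read(self, sector: int) -> bytes:
        return self.sectors[sector]


class RecordingPath:
    """Unauthenticated path (plain iSCSI/NBD): an on-path party keeps the first
    ciphertext seen for a sector and can hand that old copy back on later reads."""
    def __init__(self, store: BlockStore):
        self.store, self.recorded, self.serve_stale = store, {}, False

    def write(self, sector: int, ct: bytes) -> None:
        self.recorded.setdefault(sector, ct)  # remember the first (old) ciphertext
        self.store.write(sector, ct)

    def read(self, sector: int) -> bytes:
        if self.serve_stale and sector in self.recorded:
            return self.recorded[sector]
        return self.store.read(sector)


def unauthenticated_read(disk_key: bytes) -> bytes:
    """Write OLD then NEW to sector 7, then read it back over a path serving the
    stale ciphertext. Decryption succeeds silently and yields the OLD data."""
    path = RecordingPath(BlockStore())
    path.write(7, encrypt_sector(disk_key, 7, OLD_PLAINTEXT))
    path.write(7, encrypt_sector(disk_key, 7, NEW_PLAINTEXT))
    path.serve_stale = True
    return encrypt_sector(disk_key, 7, path.read(7))  # no error, just old data


def frame_tag(session_key: bytes, seq: int, sector: int, ct: bytes) -> bytes:
    """MAC over sequence number, sector and payload, as an authenticated transport
    (SSH, VPN) provides. The sequence number is what makes a stale frame detectable."""
    msg = seq.to_bytes(8, "big") + sector.to_bytes(8, "big") + ct
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class AuthenticatedServer:
    def __init__(self, session_key: bytes, store: BlockStore):
        self.key, self.store, self.seq = session_key, store, 0

    def read_frame(self, sector: int):
        self.seq += 1
        ct = self.store.read(sector)
        return (self.seq, sector, ct, frame_tag(self.key, self.seq, sector, ct))


class AuthenticatedClient:
    def __init__(self, session_key: bytes):
        self.key, self.last_seq = session_key, 0

    def accept(self, frame) -> bytes:
        seq, sector, ct, tag = frame
        if not hmac.compare_digest(tag, frame_tag(self.key, seq, sector, ct)):
            raise ValueError("bad tag")
        if seq <= self.last_seq:  # a recorded frame re-sent later fails here
            raise ValueError("replayed frame")
        self.last_seq = seq
        return ct


def authenticated_read(disk_key: bytes, session_key: bytes):
    """Same stale-frame attempt against a MAC + sequence-number session: the
    recorded frame is rejected instead of being decrypted as old data."""
    store = BlockStore()
    server, client = AuthenticatedServer(session_key, store), AuthenticatedClient(session_key)
    store.write(7, encrypt_sector(disk_key, 7, OLD_PLAINTEXT))
    recorded = server.read_frame(7)  # legitimate first read; frame is seen on the path
    first = encrypt_sector(disk_key, 7, client.accept(recorded))
    store.write(7, encrypt_sector(disk_key, 7, NEW_PLAINTEXT))
    server.read_frame(7)  # fresh frame is produced but the recorded one arrives instead
    try:
        client.accept(recorded)
        outcome = "accepted"
    except ValueError as err:
        outcome = str(err)
    return first, outcome
```

The point the two functions make side by side: the disk key never leaves the client and the ciphertext itself is never broken, yet the unauthenticated read returns stale data with no error, because dm-crypt has nothing to check freshness against. Only the session layer, with its own key and a monotonic sequence number, turns the stale frame into a detectable event.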