From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0Sa6HXMZ8tHN for <dm-crypt@saout.de>;
 Thu,  1 Aug 2013 15:34:45 +0200 (CEST)
Received: from v6.tansi.org (unknown [87.118.116.4])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Thu,  1 Aug 2013 15:34:45 +0200 (CEST)
Received: from gatewagner.dyndns.org (77-56-214-138.dclient.hispeed.ch
 [77.56.214.138])
 by v6.tansi.org (Postfix) with ESMTPA id 38F1120DC66B
 for <dm-crypt@saout.de>; Thu,  1 Aug 2013 15:34:45 +0200 (CEST)
Date: Thu, 1 Aug 2013 15:34:44 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20130801133442.GA10436@tansi.org>
References: <CA+Tk8fx_Xh-Ou8MZq1MDO+XkCOi3BwaqU0GY2Vd8_Vt5cqdnLg@mail.gmail.com>
 <20130801003458.GA1093@tansi.org>
 <CA+Tk8fxDaNhu9WY+KvUdWbPZDciDdYZ+ivLNbc-z2mP77GTYRQ@mail.gmail.com>
 <CAFnMBaQpO8UPmuDbv9VOS0=gGRk6u8SbhL=974G+jUk3USx2kQ@mail.gmail.com>
 <CA+Tk8fyTJYSdBp-kceKeXM0e4_5D0utuW-H3tGzdLefr4CF80w@mail.gmail.com>
 <51FA1198.6040406@gmail.com>
 <CA+Tk8fwmr7FaetvfFkoydiLY2KMpNCmxTStCd8VgrCnHr7gRqA@mail.gmail.com>
 <51FA3B5E.6030800@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <51FA3B5E.6030800@gmail.com>
Subject: Re: [dm-crypt] dm-crypt "inverted" usage (i.e. exporting an
 "encrypted" image of a block device)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
> 
> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
> > On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland@gmail.com> wrote:
> >> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
> >>>
> >>>      As said, I guess this can be obtained in two ways:
> >>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
> >>> not aware of;)
> >>
> >>
> >> No, there is not.
> >>
> >> I hope I understand your use case correctly, bu if so, this mode
> >> (transport over network) _cannot_ be secure.
> > 
> >     Indeed such a solution I'm after won't be "completely" secure (as
> > a matter of fact nothing can be completely as that would imply
> > perfection).  And in my particular use case I don't need it.
> 
> Well, you have been warned... and you can always shoot yourself in the foot ;-)

And you will. Even exporting the encrypted block device is 
insecure (i.e. "doing it right"), as disk encryption
has a different attacker mdoel than communication encryption
and different limitations. If, at some time, you decide you 
actually want to be secure, move to any VPN-tunnel like 
solution.

Arno 

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare