From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id KPBS1eWuLz_b for <dm-crypt@saout.de>;
 Thu,  1 Aug 2013 12:41:38 +0200 (CEST)
Received: from mail-ea0-x22e.google.com (mail-ea0-x22e.google.com
 [IPv6:2a00:1450:4013:c01::22e])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.saout.de (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Thu,  1 Aug 2013 12:41:38 +0200 (CEST)
Received: by mail-ea0-f174.google.com with SMTP id z15so906944ead.5
 for <dm-crypt@saout.de>; Thu, 01 Aug 2013 03:41:37 -0700 (PDT)
Message-ID: <51FA3B5E.6030800@gmail.com>
Date: Thu, 01 Aug 2013 12:41:34 +0200
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <CA+Tk8fx_Xh-Ou8MZq1MDO+XkCOi3BwaqU0GY2Vd8_Vt5cqdnLg@mail.gmail.com>
 <20130801003458.GA1093@tansi.org>
 <CA+Tk8fxDaNhu9WY+KvUdWbPZDciDdYZ+ivLNbc-z2mP77GTYRQ@mail.gmail.com>
 <CAFnMBaQpO8UPmuDbv9VOS0=gGRk6u8SbhL=974G+jUk3USx2kQ@mail.gmail.com>
 <CA+Tk8fyTJYSdBp-kceKeXM0e4_5D0utuW-H3tGzdLefr4CF80w@mail.gmail.com>
 <51FA1198.6040406@gmail.com>
 <CA+Tk8fwmr7FaetvfFkoydiLY2KMpNCmxTStCd8VgrCnHr7gRqA@mail.gmail.com>
In-Reply-To: <CA+Tk8fwmr7FaetvfFkoydiLY2KMpNCmxTStCd8VgrCnHr7gRqA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] dm-crypt "inverted" usage (i.e. exporting an
 "encrypted" image of a block device)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: Ciprian Dorin Craciun <ciprian.craciun@gmail.com>
Cc: dm-crypt@saout.de, ".. ink .." <mhogomchungu@gmail.com>, Milan Broz <gmazyland@gmail.com>


On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland@gmail.com> wrote:
>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>
>>>      As said, I guess this can be obtained in two ways:
>>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
>>> not aware of;)
>>
>>
>> No, there is not.
>>
>> I hope I understand your use case correctly, bu if so, this mode
>> (transport over network) _cannot_ be secure.
> 
>     Indeed such a solution I'm after won't be "completely" secure (as
> a matter of fact nothing can be completely as that would imply
> perfection).  And in my particular use case I don't need it.

Well, you have been warned... and you can always shoot yourself in the foot ;-)

I think that quick hack to try it would be to write simple kernel
cipher module (or wrapper), where you only change cipher name
(so it will not mix up with normal implementation, name like reverse_aes or so)
and just switch encrypt/decrypt callbacks.

I am afraid you will need to avoid LUKS and IV where encryption
is used (ESSIV) (or at least you must analyze if encrypt/decrypt change
for the given cipher is safe for use there).

Then just use this reverse cipher for exported disk only.

IMHO configuring openVPN an just use iscsi over it is better, more secure
and you do not need to hack around it.
For saturating Gigabit network you need fast cpu anyway.

Milan