From: Erik Logtenberg <erik@logtenberg.eu>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)
Date: Thu, 01 Aug 2013 16:46:27 +0200
Message-ID: <51FA74C3.8010208@logtenberg.eu>
In-Reply-To: <20130801133442.GA10436@tansi.org>

Maybe I also don't understand your use case well enough, but it seems to
me that using dd over ssh would kinda do the trick, right?

If you just want all your files over the network safely, use rsync over
ssh. You say that you want to retain the native features of the
filesystem itself, so as far as rsync doesn't have support for the
specific features you're talking about (snapshots for example), just use
dd to copy over the entire filesystem.

On the sending machine you use something like:
# dd if=/dev/device | ssh root@receiving_system dd of=/dev/device

Or if your sending machine doesn't have access to your receiving system,
do something like this on your receiving system instead:

# ssh root@sending_system dd if=/dev/device | dd of=/dev/device

With regards to security, you now have everything that ssh offers, and I
think most would agree that ssh is secure enough for all practical purposes.

Regards,

Erik.




On 08/01/2013 03:34 PM, Arno Wagner wrote:
> On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
>>
>> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
>>> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland@gmail.com> wrote:
>>>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>>>
>>>>>      As said, I guess this can be obtained in two ways:
>>>>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
>>>>> not aware of;)
>>>>
>>>>
>>>> No, there is not.
>>>>
>>>> I hope I understand your use case correctly, but if so, this mode
>>>> (transport over network) _cannot_ be secure.
>>>
>>>     Indeed such a solution I'm after won't be "completely" secure (as
>>> a matter of fact nothing can be completely as that would imply
>>> perfection).  And in my particular use case I don't need it.
>>
>> Well, you have been warned... and you can always shoot yourself in the foot ;-)
> 
> And you will. Even exporting the encrypted block device is 
> insecure (i.e. "doing it right"), as disk encryption
> has a different attacker model than communication encryption
> and different limitations. If, at some time, you decide you 
> actually want to be secure, move to any VPN-tunnel like 
> solution.
> 
> Arno 
> 
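
Added example, not part of the message above or of anyone's reply in the thread: the dd-over-ssh copy from the sending side, extended with a check that the receiving device holds exactly the bytes that were sent. The names REMOTE and copy_verified are made up for this example, and it assumes sha256sum and head -c exist on both machines.

```shell
#!/bin/sh
# Added example: dd-over-ssh copy followed by a SHA-256 comparison.
# REMOTE runs one command string on the receiving side. The host name is
# the placeholder from the message; REMOTE and copy_verified are names
# made up for this example.
REMOTE=${REMOTE:-"ssh root@receiving_system"}

# copy_verified SRC DST
#   Prints "OK <sha256>" and returns 0 when the remote dd succeeded and
#   DST holds exactly the bytes that left the sender; otherwise prints
#   "MISMATCH ..." and returns 1. DST must not contain a single quote.
copy_verified() {
    src=$1 dst=$2 xfer=0
    tmp=$(mktemp -d) || return 2
    mkfifo "$tmp/hash" "$tmp/count" || return 2

    # Hash and count the stream in flight, so the source is read once and
    # the digest describes what was actually sent.
    sha256sum < "$tmp/hash" | cut -d' ' -f1 > "$tmp/sent" &
    hash_pid=$!
    wc -c < "$tmp/count" | tr -d ' ' > "$tmp/size" &
    count_pid=$!

    # conv=notrunc only matters when DST is a regular file: it keeps a
    # larger target's tail in place, as a larger block device would.
    # ssh exits with the remote command's status, so a failed write shows up.
    dd if="$src" bs=65536 2>/dev/null |
        tee "$tmp/hash" "$tmp/count" |
        $REMOTE "dd of='$dst' bs=65536 conv=notrunc 2>/dev/null" || xfer=$?
    wait "$hash_pid" "$count_pid"
    sent=$(cat "$tmp/sent") size=$(cat "$tmp/size")
    rm -rf "$tmp"

    # Re-read only the first $size bytes: the target may be larger than
    # the image, and hashing all of it would never match.
    recv=$($REMOTE "head -c $size '$dst' 2>/dev/null | sha256sum" | cut -d' ' -f1)

    if [ "$xfer" -eq 0 ] && [ "$sent" = "$recv" ]; then
        echo "OK $sent"
        return 0
    fi
    echo "MISMATCH transfer_status=$xfer sent=$sent received=$recv"
    return 1
}

# Stand-alone use: sh copy_verified.sh /dev/device /dev/device
if [ $# -eq 2 ]; then copy_verified "$1" "$2"; fi
```

Setting REMOTE="sh -c" runs both halves on one machine, which is enough to try the function on image files before pointing it at real devices.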
