From: Erik Logtenberg
Date: Thu, 01 Aug 2013 16:46:27 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)
Message-ID: <51FA74C3.8010208@logtenberg.eu>
In-Reply-To: <20130801133442.GA10436@tansi.org>

Maybe I also don't understand your use case well enough, but it seems to
me that using dd over ssh would kinda do the trick, right?

If you just want all your files over the network safely, use rsync over
ssh. You say that you want to retain the native features of the
filesystem itself, so as far as rsync doesn't have support for the
specific features you're talking about (snapshots for example), just use
dd to copy over the entire filesystem.

On the sending machine you use something like:

# dd if=/dev/device | ssh root@receiving_system dd of=/dev/device

Or if your sending machine doesn't have access to your receiving system,
do something like this on your receiving system instead:

# ssh root@sending_system dd if=/dev/device | dd of=/dev/device

With regards to security, you now have everything that ssh offers, and I
think most would agree that ssh is secure enough for all practical purposes.

Regards,

Erik.

On 08/01/2013 03:34 PM, Arno Wagner wrote:
> On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
>>
>> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
>>> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz wrote:
>>>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>>>
>>>>> As said, I guess this can be obtained in two ways:
>>>>> * either if there is a "backward" mode for dm-crypt; (which I'm
>>>>> not aware of;)
>>>>
>>>>
>>>> No, there is not.
>>>>
>>>> I hope I understand your use case correctly, but if so, this mode
>>>> (transport over network) _cannot_ be secure.
>>>
>>> Indeed such a solution I'm after won't be "completely" secure (as
>>> a matter of fact nothing can be completely as that would imply
>>> perfection). And in my particular use case I don't need it.
>>
>> Well, you have been warned... and you can always shoot yourself in the foot ;-)
>
> And you will. Even exporting the encrypted block device is
> insecure (i.e. "doing it right"), as disk encryption
> has a different attacker model than communication encryption
> and different limitations. If, at some time, you decide you
> actually want to be secure, move to any VPN-tunnel like
> solution.
>
> Arno
>
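
The dd-over-ssh copy from the message above, as an added example that is not part of the original thread: it streams the image once and then checks that the receiver holds exactly the bytes that were sent. The names REMOTE and copy_and_verify are assumptions made for this example, and the default host is the placeholder used in the mail.

```shell
#!/bin/sh
# Added example: stream an image as in "dd if=SRC | ssh HOST dd of=DST", then
# confirm the receiver holds exactly the bytes that were sent.
# REMOTE runs a command line on the receiver. Assumption: the default reuses the
# placeholder host from the mail; REMOTE="sh -c" rehearses on local image files.
REMOTE="${REMOTE:-ssh root@receiving_system}"

# copy_and_verify SRC DST -> 0 if DST starts with a verified copy of SRC.
# Paths must not contain single quotes (they are quoted for the remote shell).
copy_and_verify() {
    src=$1; dst=$2
    tmp=$(mktemp -d) || return 2
    mkfifo "$tmp/hash" "$tmp/len" || { rm -rf "$tmp"; return 2; }

    # Hash and count the stream while it is being sent (single read of SRC).
    sha256sum < "$tmp/hash" > "$tmp/src.sum" &
    wc -c < "$tmp/len" > "$tmp/src.len" &

    # A plain sh pipeline reports only the last command's status, so the
    # reader's exit code is saved separately to catch a short or failed read.
    # conv=notrunc is a no-op on a block device; it lets an image file stand
    # in for one during a rehearsal.
    { dd if="$src" bs=1M 2>/dev/null; echo $? > "$tmp/rd.rc"; } |
        tee "$tmp/hash" "$tmp/len" |
        $REMOTE "dd of='$dst' bs=1M conv=notrunc 2>/dev/null"
    wr_rc=$?
    wait

    rd_rc=$(cat "$tmp/rd.rc")
    src_sum=$(cut -d' ' -f1 "$tmp/src.sum")
    src_len=$(tr -d ' ' < "$tmp/src.len")
    rm -rf "$tmp"
    [ "$rd_rc" = 0 ] && [ "$wr_rc" -eq 0 ] && [ "${src_len:-0}" -gt 0 ] || return 1

    # The target device may be larger than the source, so hash only the
    # first src_len bytes on the receiving side.
    dst_sum=$($REMOTE "head -c $src_len '$dst' | sha256sum" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ]
}
```

The source should be unmounted or a snapshot while it is read, otherwise the image can be internally inconsistent even when the hashes match.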