[dm-crypt] dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)

Milan Broz gmazyland at gmail.com
Thu Aug 1 12:41:34 CEST 2013


On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland at gmail.com> wrote:
>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>
>>>      As said, I guess this can be obtained in two ways:
>>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
>>> not aware of;)
>>
>>
>> No, there is not.
>>
>> I hope I understand your use case correctly, bu if so, this mode
>> (transport over network) _cannot_ be secure.
> 
>     Indeed such a solution I'm after won't be "completely" secure (as
> a matter of fact nothing can be completely as that would imply
> perfection).  And in my particular use case I don't need it.

Well, you have been warned... and you can always shoot yourself in the foot ;-)

I think that quick hack to try it would be to write simple kernel
cipher module (or wrapper), where you only change cipher name
(so it will not mix up with normal implementation, name like reverse_aes or so)
and just switch encrypt/decrypt callbacks.

I am afraid you will need to avoid LUKS and IV where encryption
is used (ESSIV) (or at least you must analyze if encrypt/decrypt change
for the given cipher is safe for use there).

Then just use this reverse cipher for exported disk only.

IMHO configuring openVPN an just use iscsi over it is better, more secure
and you do not need to hack around it.
For saturating Gigabit network you need fast cpu anyway.

Milan



More information about the dm-crypt mailing list