[dm-crypt] dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)

Arno Wagner arno at wagner.name
Thu Aug 1 15:34:44 CEST 2013


On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
> 
> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
> > On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland at gmail.com> wrote:
> >> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
> >>>
> >>>      As said, I guess this can be obtained in two ways:
> >>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
> >>> not aware of;)
> >>
> >>
> >> No, there is not.
> >>
> >> I hope I understand your use case correctly, bu if so, this mode
> >> (transport over network) _cannot_ be secure.
> > 
> >     Indeed such a solution I'm after won't be "completely" secure (as
> > a matter of fact nothing can be completely as that would imply
> > perfection).  And in my particular use case I don't need it.
> 
> Well, you have been warned... and you can always shoot yourself in the foot ;-)

And you will. Even exporting the encrypted block device is 
insecure (i.e. "doing it right"), as disk encryption
has a different attacker mdoel than communication encryption
and different limitations. If, at some time, you decide you 
actually want to be secure, move to any VPN-tunnel like 
solution.

Arno 

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list