[dm-crypt] dm-crypt "inverted" usage (i.e. exporting an "encrypted" image of a block device)

Erik Logtenberg erik at logtenberg.eu
Thu Aug 1 16:46:27 CEST 2013

Maybe I also don't understand your use case well enough, but it seems to
me that using dd over ssh would kinda do the trick, right?

If you just want all your files over the network safely, use rsync over
ssh. You say that you want to retain the native features of the
filesystem itself, so as far as rsync doesn't have support for the
specific features you're talking about (snapshots for example), just use
dd to copy over the entire filesystem.

On the sending machine you use something like:
# dd if=/dev/device | ssh root at receiving_system dd of=/dev/device

Or if your sending machine doesn't have access to your receiving system,
do something like this on your receiving system instead:

# ssh root at sending_system dd if=/dev/device | dd of=/dev/device

With regards to security, you now have everything that ssh offers, and I
think most would agree that ssh is secure enough for all practical purposes.



On 08/01/2013 03:34 PM, Arno Wagner wrote:
> On Thu, Aug 01, 2013 at 12:41:34PM +0200, Milan Broz wrote:
>> On 08/01/2013 11:49 AM, Ciprian Dorin Craciun wrote:
>>> On Thu, Aug 1, 2013 at 10:43 AM, Milan Broz <gmazyland at gmail.com> wrote:
>>>> On 1.8.2013 9:00, Ciprian Dorin Craciun wrote:
>>>>>      As said, I guess this can be obtained in two ways:
>>>>>      * either if there is a "backward" mode for dm-crypt;  (which I'm
>>>>> not aware of;)
>>>> No, there is not.
>>>> I hope I understand your use case correctly, bu if so, this mode
>>>> (transport over network) _cannot_ be secure.
>>>     Indeed such a solution I'm after won't be "completely" secure (as
>>> a matter of fact nothing can be completely as that would imply
>>> perfection).  And in my particular use case I don't need it.
>> Well, you have been warned... and you can always shoot yourself in the foot ;-)
> And you will. Even exporting the encrypted block device is 
> insecure (i.e. "doing it right"), as disk encryption
> has a different attacker mdoel than communication encryption
> and different limitations. If, at some time, you decide you 
> actually want to be secure, move to any VPN-tunnel like 
> solution.
> Arno 

More information about the dm-crypt mailing list