Re: [Clonezilla-live] Clonezilla Live, remote-dest and remote-source
A partition and disk imaging/cloning program
Brought to you by:
steven_shiau
Menu
▾
▴
Re: [Clonezilla-live] Clonezilla Live, remote-dest and remote-source
|
From: Robert K C. J. -I. F. D. Corp. <bco...@in...> - 2025-05-08 12:35:30
|
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Obviously, this doesn't apply if the image contains sensitive
information, but if it is just an OS install and some apps, run
the image over netcat and generate a hash on the result to confirm
it arrived ok.</p>
<p>It has been a while since I did SSH tunneling but it seems to me
that it would be simple to manually mount a remote NFS share.</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 5/7/2025 2:12:47 PM, James Epp
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJ...@ma...">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Honestly I hadn't thought too strictly in terms of
necessitating the encryption to occur within clonezilla but
seeing as we're on the *clonezilla* mailing list I suppose that
would be a fair restriction to apply (if nothing else for the
sake of refining a potential feature request).
<div><br>
</div>
<div>Again, SSH tunneling may be *an* approach here. I could've
sworn the live env has SSH built-in but whether that would
work I don't know. Just skimming the usage section of the code
you link to, my brain wanders towards some drop-in replacement
for netcat that would work for the -np option (or in a
different but similar vein, the --net-filter option).</div>
<div><br>
</div>
<div>I'm well outside my expertise at this point.</div>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Wed, May 7, 2025 at
11:17 AM michaelof--- via Clonezilla-live <<a
href="mailto:clo...@li..."
moz-do-not-send="true" class="moz-txt-link-freetext">clo...@li...</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">VPN
would be of course a good idea, but as we have two Clonezilla
Live instances here, means "including" operating system, not
"only" Clonezilla, the VPN must be included/prepared by
Clonzilla "within" e.g the ISO.<br>
<br>
BUT thinking about this I strongly assume that your first
remarks reg. auth/enc keys are the key to the answer of my
question :)<br>
<br>
I've looked into the source code, and if I got it right, this
file (<a
href="https://github.com/stevenshiau/clonezilla/blob/62e404d8f1d8a4619cf116dac3598036f81e61a4/sbin/ocs-onthefly"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/stevenshiau/clonezilla/blob/62e404d8f1d8a4619cf116dac3598036f81e61a4/sbin/ocs-onthefly</a>)
is the relevant script. Which uses netcat (<a
href="https://manpages.org/nc" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://manpages.org/nc</a>),
means UENCRYPTED.<br>
<br>
<br>
<br>
<br>
Am 07.05.25 um 14:43 schrieb James Epp:<br>
> I haven't done any testing (yet) but a couple more
thoughts on the subject:<br>
> <br>
> 1. I am not super skilled with network analysis. I will
not be able to tell just by looking at data streams whether
the data is compressed, encrypted, or both. Clonezilla almost
certainly compresses blocks in transit, so I probably won't be
able to tell much from that angle.<br>
> <br>
> 2. If you trust the LANs in both your source and target
networks/providers, you could consider doing something like a
VPN tunnel using any number of different
technologies/protocols. That would probably remove *most* of
the risk you're exposed to (because presumably you trust the
provider to not intercept/eavesdrop on your traffic as a
customer).<br>
> <br>
> 3. In terms of this evolving into a feature request,
maybe SSH tunneling is a method here but again we still face
the challenge of needing to authenticate the machines with one
another which is easier said than done (though one could argue
that's putting perfection before progress).<br>
> <br>
> On Tue, May 6, 2025 at 1:29 PM michaelof--- via
Clonezilla-live <<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>
<mailto:<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>>>
wrote:<br>
> <br>
> I assumed the same, but if this true and in case this
uncrypted communication is NOT documented - maybe I've just
not found it - it would IMHO be worth to add this to the docs.
E.g. with a warning "Use direct cloning only on LANs!" or
similar.<br>
> <br>
> <br>
> Just a remark: ** IF ** live cloning with sufficient
encryption would be possible, it would be IMHO a cool feature
and would be make the following use case for VPS possible:<br>
> <br>
> "Move" a "VPS old" to "VPS new", by using Clonezilla
Live in both VPS simultaneously. Needed from time to time, if.
e.g hosting company offers no "upgrade path" from VPS type A
to B, if you want to upgrade/modernize your VPS. Happens
frequently. Similar if hosting company increase prices etc.,
and you want to move to a different company.<br>
> - Very frequently VPS have only exactly one virtual
hdd<br>
> - Means, at least AFAIK, no chance to use a local
partimag, both on "old" or "new". I've tried to store the
image locally on "old", didn't work as I found no way to
"tell" Clonezilla to exclude the "partimag" Partition. LVM LV
in my case. Recursion errors by Clonezilla Live. Tried also to
use Clonezilla Live on "old", storing the image via SSH to
"new", "new" not Clonezilla Live, but "normal" Linux (mainly
hoster's default VPS images based). Imaging then (of course)
works fine, but NO IDEA how to tell Clonezilla Live in 2nd
step to "restore" from local partimag.. hen and egg :) Remark.
In my case I always had enough disk space available for all
these operations.<br>
> <br>
> I've solved this always by device to image, writing
via SSH to my PC @home, and afterwards restore to device,
reading via SSH from my PC @home. Works (of course, Clonezilla
is pretty stable :), but is naturally MUCH slower than data
center "old" to data center "new", or even within same data
center...<br>
> <br>
> <br>
> <br>
> Am 06.05.25 um 19:27 schrieb James Epp:<br>
> > I'm only responding to say that's an excellent
question I don't have an answer for but maybe I could try to
test that and inspect the traffic to see if there's a way to
tell. From a purely academic point of view though, I would
warn that unless you are manually typing in encryption keys on
both ends or some similar form of manual authentication
there's really no good way to prevent a MITM attack (at least
not from a modern "end to end" perspective).<br>
> ><br>
> > On Tue, May 6, 2025 at 10:40 AM michaelof---
via Clonezilla-live <<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>
<mailto:<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>>
<mailto:<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>
<mailto:<a
href="mailto:clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">clo...@li...</a>>>>
wrote:<br>
> ><br>
> > Hi all,<br>
> ><br>
> ><br>
> > haven't found anything in avail. docs and
mailing list archives:<br>
> ><br>
> > If I do a remote cloning via Clonezilla
live, one machine as remote-dest, one as remote-source, which
type of network communication is this using. Is there any
encryption between these two machines?<br>
> ><br>
> ><br>
> > Thanks,<br>
> > Michael<br>
> ><br>
> ><br>
> >
_______________________________________________<br>
> > Clonezilla-live mailing list<br>
> > <a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>
<mailto:<a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>>
<mailto:<a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>
<mailto:<a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>>><br>
> > <a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>
<<a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>>
<<a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>
<<a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>>><br>
> ><br>
> <br>
> <br>
> <br>
> _______________________________________________<br>
> Clonezilla-live mailing list<br>
> <a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>
<mailto:<a
href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a>><br>
> <a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>
<<a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>><br>
> <br>
<br>
<br>
<br>
_______________________________________________<br>
Clonezilla-live mailing list<br>
<a href="mailto:Clo...@li..."
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Clo...@li...</a><br>
<a
href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a><br>
</blockquote>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
Clonezilla-live mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Clo...@li...">Clo...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/clonezilla-live">https://lists.sourceforge.net/lists/listinfo/clonezilla-live</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Robert K Coffman Jr.
Info From Data Corp.
3307249000
<a class="moz-txt-link-abbreviated" href="mailto:su...@in...">su...@in...</a></pre>
</body>
</html>
|
