VPN would be of course a good idea, but as we have two Clonezilla Live instances here, means "including" operating system, not "only" Clonezilla, the VPN must be included/prepared by Clonzilla "within" e.g the ISO.
BUT thinking about this I strongly assume that your first remarks reg. auth/enc keys are the key to the answer of my question :) I've looked into the source code, and if I got it right, this file (https://github.com/stevenshiau/clonezilla/blob/62e404d8f1d8a4619cf116dac3598036f81e61a4/sbin/ocs-onthefly) is the relevant script. Which uses netcat (https://manpages.org/nc), means UENCRYPTED. Am 07.05.25 um 14:43 schrieb James Epp:
I haven't done any testing (yet) but a couple more thoughts on the subject: 1. I am not super skilled with network analysis. I will not be able to tell just by looking at data streams whether the data is compressed, encrypted, or both. Clonezilla almost certainly compresses blocks in transit, so I probably won't be able to tell much from that angle. 2. If you trust the LANs in both your source and target networks/providers, you could consider doing something like a VPN tunnel using any number of different technologies/protocols. That would probably remove *most* of the risk you're exposed to (because presumably you trust the provider to not intercept/eavesdrop on your traffic as a customer). 3. In terms of this evolving into a feature request, maybe SSH tunneling is a method here but again we still face the challenge of needing to authenticate the machines with one another which is easier said than done (though one could argue that's putting perfection before progress). On Tue, May 6, 2025 at 1:29 PM michaelof--- via Clonezilla-live <clonezilla-live@lists.sourceforge.net <mailto:clonezilla-live@lists.sourceforge.net>> wrote: I assumed the same, but if this true and in case this uncrypted communication is NOT documented - maybe I've just not found it - it would IMHO be worth to add this to the docs. E.g. with a warning "Use direct cloning only on LANs!" or similar. Just a remark: ** IF ** live cloning with sufficient encryption would be possible, it would be IMHO a cool feature and would be make the following use case for VPS possible: "Move" a "VPS old" to "VPS new", by using Clonezilla Live in both VPS simultaneously. Needed from time to time, if. e.g hosting company offers no "upgrade path" from VPS type A to B, if you want to upgrade/modernize your VPS. Happens frequently. Similar if hosting company increase prices etc., and you want to move to a different company. - Very frequently VPS have only exactly one virtual hdd - Means, at least AFAIK, no chance to use a local partimag, both on "old" or "new". I've tried to store the image locally on "old", didn't work as I found no way to "tell" Clonezilla to exclude the "partimag" Partition. LVM LV in my case. Recursion errors by Clonezilla Live. Tried also to use Clonezilla Live on "old", storing the image via SSH to "new", "new" not Clonezilla Live, but "normal" Linux (mainly hoster's default VPS images based). Imaging then (of course) works fine, but NO IDEA how to tell Clonezilla Live in 2nd step to "restore" from local partimag.. hen and egg :) Remark. In my case I always had enough disk space available for all these operations. I've solved this always by device to image, writing via SSH to my PC @home, and afterwards restore to device, reading via SSH from my PC @home. Works (of course, Clonezilla is pretty stable :), but is naturally MUCH slower than data center "old" to data center "new", or even within same data center... Am 06.05.25 um 19:27 schrieb James Epp: > I'm only responding to say that's an excellent question I don't have an answer for but maybe I could try to test that and inspect the traffic to see if there's a way to tell. From a purely academic point of view though, I would warn that unless you are manually typing in encryption keys on both ends or some similar form of manual authentication there's really no good way to prevent a MITM attack (at least not from a modern "end to end" perspective). > > On Tue, May 6, 2025 at 10:40 AM michaelof--- via Clonezilla-live <clonezilla-live@lists.sourceforge.net <mailto:clonezilla-live@lists.sourceforge.net> <mailto:clonezilla-live@lists.sourceforge.net <mailto:clonezilla-live@lists.sourceforge.net>>> wrote: > > Hi all, > > > haven't found anything in avail. docs and mailing list archives: > > If I do a remote cloning via Clonezilla live, one machine as remote-dest, one as remote-source, which type of network communication is this using. Is there any encryption between these two machines? > > > Thanks, > Michael > > > _______________________________________________ > Clonezilla-live mailing list > Clonezilla-live@lists.sourceforge.net <mailto:Clonezilla-live@lists.sourceforge.net> <mailto:Clonezilla-live@lists.sourceforge.net <mailto:Clonezilla-live@lists.sourceforge.net>> > https://lists.sourceforge.net/lists/listinfo/clonezilla-live <https://lists.sourceforge.net/lists/listinfo/clonezilla-live> <https://lists.sourceforge.net/lists/listinfo/clonezilla-live <https://lists.sourceforge.net/lists/listinfo/clonezilla-live>> > _______________________________________________ Clonezilla-live mailing list Clonezilla-live@lists.sourceforge.net <mailto:Clonezilla-live@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/clonezilla-live <https://lists.sourceforge.net/lists/listinfo/clonezilla-live>
_______________________________________________ Clonezilla-live mailing list Clonezilla-live@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/clonezilla-live
