Honestly I hadn't thought too strictly in terms of necessitating the encryption to occur within clonezilla but seeing as we're on the *clonezilla* mailing list I suppose that would be a fair restriction to apply (if nothing else for the sake of refining a potential feature request).
Again, SSH tunneling may be *an* approach here. I could've sworn the live env has SSH built-in but whether that would work I don't know. Just skimming the usage section of the code you link to, my brain wanders towards some drop-in replacement for netcat that would work for the -np option (or in a different but similar vein, the --net-filter option). I'm well outside my expertise at this point.

On Wed, May 7, 2025 at 11:17 AM michaelof--- via Clonezilla-live <clonezilla-live@lists.sourceforge.net> wrote:

> VPN would be of course a good idea, but as we have two Clonezilla Live instances here, means "including" operating system, not "only" Clonezilla, the VPN must be included/prepared by Clonezilla "within" e.g. the ISO.
>
> BUT thinking about this I strongly assume that your first remarks reg. auth/enc keys are the key to the answer of my question :)
>
> I've looked into the source code, and if I got it right, this file (https://github.com/stevenshiau/clonezilla/blob/62e404d8f1d8a4619cf116dac3598036f81e61a4/sbin/ocs-onthefly) is the relevant script. Which uses netcat (https://manpages.org/nc), means UNENCRYPTED.
>
> On 07.05.25 at 14:43, James Epp wrote:
> > I haven't done any testing (yet) but a couple more thoughts on the subject:
> >
> > 1. I am not super skilled with network analysis. I will not be able to tell just by looking at data streams whether the data is compressed, encrypted, or both. Clonezilla almost certainly compresses blocks in transit, so I probably won't be able to tell much from that angle.
> >
> > 2. If you trust the LANs in both your source and target networks/providers, you could consider doing something like a VPN tunnel using any number of different technologies/protocols. That would probably remove *most* of the risk you're exposed to (because presumably you trust the provider to not intercept/eavesdrop on your traffic as a customer).
> >
> > 3. In terms of this evolving into a feature request, maybe SSH tunneling is a method here but again we still face the challenge of needing to authenticate the machines with one another which is easier said than done (though one could argue that's putting perfection before progress).
> >
> > On Tue, May 6, 2025 at 1:29 PM michaelof--- via Clonezilla-live <clonezilla-live@lists.sourceforge.net> wrote:
> >
> > > I assumed the same, but if this is true and in case this unencrypted communication is NOT documented - maybe I've just not found it - it would IMHO be worth adding this to the docs. E.g. with a warning "Use direct cloning only on LANs!" or similar.
> > >
> > > Just a remark: ** IF ** live cloning with sufficient encryption would be possible, it would be IMHO a cool feature and would make the following use case for VPS possible:
> > >
> > > "Move" a "VPS old" to "VPS new", by using Clonezilla Live in both VPS simultaneously. Needed from time to time, if e.g. hosting company offers no "upgrade path" from VPS type A to B, if you want to upgrade/modernize your VPS. Happens frequently. Similar if hosting company increases prices etc., and you want to move to a different company.
> > > - Very frequently VPS have only exactly one virtual hdd
> > > - Means, at least AFAIK, no chance to use a local partimag, both on "old" or "new". I've tried to store the image locally on "old", didn't work as I found no way to "tell" Clonezilla to exclude the "partimag" partition. LVM LV in my case. Recursion errors by Clonezilla Live. Tried also to use Clonezilla Live on "old", storing the image via SSH to "new", "new" not Clonezilla Live, but "normal" Linux (mainly hoster's default VPS images based). Imaging then (of course) works fine, but NO IDEA how to tell Clonezilla Live in 2nd step to "restore" from local partimag.. hen and egg :) Remark. In my case I always had enough disk space available for all these operations.
> > >
> > > I've solved this always by device to image, writing via SSH to my PC @home, and afterwards restore to device, reading via SSH from my PC @home. Works (of course, Clonezilla is pretty stable :), but is naturally MUCH slower than data center "old" to data center "new", or even within same data center...
> > >
> > > On 06.05.25 at 19:27, James Epp wrote:
> > > > I'm only responding to say that's an excellent question I don't have an answer for but maybe I could try to test that and inspect the traffic to see if there's a way to tell. From a purely academic point of view though, I would warn that unless you are manually typing in encryption keys on both ends or some similar form of manual authentication there's really no good way to prevent a MITM attack (at least not from a modern "end to end" perspective).
> > > >
> > > > On Tue, May 6, 2025 at 10:40 AM michaelof--- via Clonezilla-live <clonezilla-live@lists.sourceforge.net> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > haven't found anything in avail. docs and mailing list archives:
> > > > >
> > > > > If I do a remote cloning via Clonezilla live, one machine as remote-dest, one as remote-source, which type of network communication is this using. Is there any encryption between these two machines?
> > > > >
> > > > > Thanks,
> > > > > Michael
_______________________________________________ Clonezilla-live mailing list Clonezilla-live@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/clonezilla-live
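An added example of the SSH-tunnel approach the thread discusses, written for this page and not taken from the Clonezilla project or from anyone in the thread: the plaintext netcat stream is pushed through an SSH local port forward whose destination host key is pinned in advance, which covers both the encryption and the "authenticate the machines with one another" concern. Host names, ports, the pinned known_hosts path, and the assumption that the sender can be pointed at the forwarded local port while the receiver listens on loopback are all illustrative.

```shell
#!/bin/sh
# Added example (not Clonezilla project code): run the cleartext netcat
# stream over an SSH local port forward with a pinned host key, so the data
# is encrypted in transit and the destination is authenticated.
# Assumed: the receiver listens on 127.0.0.1:$REMOTE_PORT on the destination
# and the sender on the source can be pointed at 127.0.0.1:$LOCAL_PORT.
set -eu

# known_hosts file holding only the destination's key, obtained out of band
# (e.g. read off the new VPS's console), never accepted via a yes/no prompt.
PINNED_HOSTS="${PINNED_HOSTS:-/root/pinned_known_hosts}"

# Succeeds only if the host (or one of its "host,ip" aliases) has an entry
# in the pinned known_hosts file. Exact fixed-string match, no regex.
host_is_pinned() {
    # $1 = host, $2 = known_hosts file
    cut -d' ' -f1 "$2" 2>/dev/null | tr ',' '\n' | grep -qxF "$1"
}

# Print the ssh command that forwards 127.0.0.1:$3 on this machine to
# 127.0.0.1:$4 on the destination. Refuses (exit 1) when the destination's
# key is not pinned, so a typo or a spoofed host cannot be waved through.
tunnel_cmd() {
    # $1 = ssh user, $2 = destination host, $3 = local port, $4 = remote port
    host_is_pinned "$2" "$PINNED_HOSTS" || return 1
    printf 'ssh -N -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$PINNED_HOSTS" "$3" "$4" "$1" "$2"
}

# Usage on the source machine (weak setup before / tunneled setup after):
#   before:  sender connects straight to vps-new:6000 (cleartext on the wire)
#   after:   eval "$(tunnel_cmd root vps-new 6000 6000)" &   # start tunnel
#            sender connects to 127.0.0.1:6000 instead
# On the destination, bind the netcat listener to 127.0.0.1 only, so the
# forwarded port is the only way to reach it.
```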