Clonezilla Live Images have sshd included, as cloning from Clonezilla Live to 
a partimag on a remote location accessible via ssh is possible. But this is from 
a Clonezilla perspective OUTGOING only. On the remote site there would be no 
Clonezilla Live, but whatever OS is able to serve as SSH tunnel endpoint.


Just brainstorming:

One way to use an SSH tunnel between two Clonezilla Live instances, where already as 
of now manual intervention is always necessary, would be to "exchange" an ssh 
public key remotely.

As of now, in this CLL (Clonezilla Live) to CLL scenario, you have to switch the CLL 
receiving the image (I always forget which side is remote-source and remote-dest :)) into 
"ready for connection mode", where in the mentioned script netcat has started, 
opened a socket, and listens.
Then you have to enter on the other site, where the to-be-cloned device 
resides, the URL/IP/port etc. information about the waiting site.
Exactly here could some steps be added:
- sending site would use ssh-keygen to create a key pair for the current CLL OS 
user.
- Result would be the PUBLIC key, which the waiting site would need
- Waiting site would take the public key from the previous step, and add it to 
~/.ssh/authorized_keys for the current CLL OS user on the waiting site.

From then on, sending site could connect via ssh, key based, getting an 
encrypted tunnel for the subsequent sending.

Restriction IMHO is probably the "handshake":
In the mentioned VPS to VPS scenario, in an assumed 99% of cases CLL means 
rescue system, DVD/ISO-booted CLL or similar. And access to CLL via VNC, more 
and more (only) browser based, from hosting companies' offered customer control 
panels.
Means:
a) no issue from a security perspective, if VNC connection is encrypted, also
b) BUT: In most of the cases I'm aware of *** NO *** copy&paste would be possible. And 
"exchanging" public ssh keys by TYPING them into a remote VNC terminal is a pain in 
the neck, IMHO :D
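Since the sticking point above is transcribing a public key by hand over a VNC console, here is an added example (my own, not Clonezilla's code or the poster's) that checks a typed `ssh-ed25519` line for transcription errors and computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, so the sending and waiting consoles can compare it by eye before the line goes into `~/.ssh/authorized_keys`. It assumes an ed25519 key (the post does not say which key type); the sample key bytes are constructed, not a real key.

```python
# Added example (not Clonezilla code): validate a hand-typed ssh-ed25519 public
# key line and derive the SHA256 fingerprint that `ssh-keygen -lf` displays.
import base64
import hashlib
import struct

KEY_TYPE = b"ssh-ed25519"

def _blob(raw32: bytes) -> bytes:
    """Key blob as OpenSSH encodes it: uint32-length-prefixed type string + key string."""
    if len(raw32) != 32:  # raw ed25519 public keys are always 32 bytes
        raise ValueError("ed25519 public key must be 32 bytes")
    return struct.pack(">I", 11) + KEY_TYPE + struct.pack(">I", 32) + raw32

def encode_ed25519_pubkey(raw32: bytes, comment: str = "cll-sender") -> str:
    """One-line form as found in id_ed25519.pub / authorized_keys."""
    return f"{KEY_TYPE.decode()} {base64.b64encode(_blob(raw32)).decode()} {comment}"

def parse_ed25519_pubkey(line: str) -> bytes:
    """Return the 32 raw key bytes, or raise ValueError describing the typo."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != KEY_TYPE.decode():
        raise ValueError("expected 'ssh-ed25519 <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)  # rejects stray characters
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"base64 blob is malformed: {exc}") from None
    pos, fields = 0, []
    for _ in range(2):  # exactly two length-prefixed fields, nothing left over
        if len(blob) < pos + 4:
            raise ValueError("blob truncated (missing characters?)")
        n = struct.unpack(">I", blob[pos:pos + 4])[0]
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob) or fields[0] != KEY_TYPE or len(fields[1]) != 32:
        raise ValueError("decodes, but is not a 32-byte ssh-ed25519 key")
    return fields[1]

def fingerprint(raw32: bytes) -> str:
    """'SHA256:' + unpadded base64 of SHA-256 over the blob, as ssh-keygen -lf prints."""
    digest = hashlib.sha256(_blob(raw32)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_key_line(line: str) -> tuple[bool, str]:
    """(True, fingerprint) for a well-formed line, (False, reason) otherwise."""
    try:
        return True, fingerprint(parse_ed25519_pubkey(line))
    except ValueError as exc:
        return False, str(exc)
```

A dropped or mistyped base64 character is either rejected outright or yields a different fingerprint than the one shown on the sender's console, which is what the visual comparison catches.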




On 07.05.25 at 20:12, James Epp wrote:
Honestly I hadn't thought too strictly in terms of necessitating the encryption 
to occur within clonezilla but seeing as we're on the *clonezilla* mailing list 
I suppose that would be a fair restriction to apply (if nothing else for the 
sake of refining a potential feature request).

Again, SSH tunneling may be *an* approach here. I could've sworn the live env 
has SSH built-in but whether that would work I don't know. Just skimming the 
usage section of the code you link to, my brain wanders towards some drop-in 
replacement for netcat that would work for the -np option (or in a different 
but similar vein, the --net-filter option).

I'm well outside my expertise at this point.

On Wed, May 7, 2025 at 11:17 AM michaelof--- via Clonezilla-live 
<clonezilla-live@lists.sourceforge.net> wrote:

    VPN would be of course a good idea, but as we have two Clonezilla Live instances here, means 
"including" operating system, not "only" Clonezilla, the VPN must be included/prepared by 
Clonezilla "within" e.g. the ISO.

    BUT thinking about this I strongly assume that your first remarks reg. 
auth/enc keys are the key to the answer of my question :)

    I've looked into the source code, and if I got it right, this file 
(https://github.com/stevenshiau/clonezilla/blob/62e404d8f1d8a4619cf116dac3598036f81e61a4/sbin/ocs-onthefly)
is the relevant script. Which uses netcat (https://manpages.org/nc), 
means UNENCRYPTED.




    On 07.05.25 at 14:43, James Epp wrote:
     > I haven't done any testing (yet) but a couple more thoughts on the 
subject:
     >
     > 1. I am not super skilled with network analysis. I will not be able to 
tell just by looking at data streams whether the data is compressed, encrypted, or 
both. Clonezilla almost certainly compresses blocks in transit, so I probably 
won't be able to tell much from that angle.
     >
     > 2. If you trust the LANs in both your source and target 
networks/providers, you could consider doing something like a VPN tunnel using any 
number of different technologies/protocols. That would probably remove *most* of 
the risk you're exposed to (because presumably you trust the provider to not 
intercept/eavesdrop on your traffic as a customer).
     >
     > 3. In terms of this evolving into a feature request, maybe SSH tunneling 
is a method here but again we still face the challenge of needing to authenticate 
the machines with one another which is easier said than done (though one could 
argue that's putting perfection before progress).
     >
     > On Tue, May 6, 2025 at 1:29 PM michaelof--- via Clonezilla-live 
<clonezilla-live@lists.sourceforge.net> wrote:
     >
     >     I assumed the same, but if this is true and in case this unencrypted communication 
is NOT documented - maybe I've just not found it - it would IMHO be worth adding this to the 
docs. E.g. with a warning "Use direct cloning only on LANs!" or similar.
     >
     >
     >     Just a remark: ** IF ** live cloning with sufficient encryption 
would be possible, it would be IMHO a cool feature and would make the following 
use case for VPS possible:
     >
     >     "Move" a "VPS old" to "VPS new", by using Clonezilla Live in both VPS 
simultaneously. Needed from time to time, if, e.g., the hosting company offers no "upgrade path" from VPS type A to B, 
if you want to upgrade/modernize your VPS. Happens frequently. Similarly if the hosting company increases prices etc., and you 
want to move to a different company.
     >     - Very frequently VPS have only exactly one virtual hdd
     >     - Means, at least AFAIK, no chance to use a local partimag, both on "old" or "new". I've tried to store the image locally on "old", didn't 
work as I found no way to "tell" Clonezilla to exclude the "partimag" Partition. LVM LV in my case. Recursion errors by Clonezilla Live. Tried also to use 
Clonezilla Live on "old", storing the image via SSH to "new", "new" not Clonezilla Live, but "normal" Linux (mainly hoster's default VPS 
images based). Imaging then (of course) works fine, but NO IDEA how to tell Clonezilla Live in 2nd step to "restore" from local partimag.. hen and egg :) Remark. In my case 
I always had enough disk space available for all these operations.
     >
     >     I've solved this always by device to image, writing via SSH to my PC @home, and 
afterwards restore to device, reading via SSH from my PC @home. Works (of course, Clonezilla is pretty 
stable :), but is naturally MUCH slower than data center "old" to data center 
"new", or even within same data center...
     >
     >
     >
     >     On 06.05.25 at 19:27, James Epp wrote:
     >      > I'm only responding to say that's an excellent question I don't have an 
answer for but maybe I could try to test that and inspect the traffic to see if there's a way 
to tell. From a purely academic point of view though, I would warn that unless you are manually 
typing in encryption keys on both ends or some similar form of manual authentication there's 
really no good way to prevent a MITM attack (at least not from a modern "end to end" 
perspective).
     >      >
     >      > On Tue, May 6, 2025 at 10:40 AM michaelof--- via Clonezilla-live 
<clonezilla-live@lists.sourceforge.net> wrote:
     >      >
     >      >     Hi all,
     >      >
     >      >
     >      >     haven't found anything in avail. docs and mailing list 
archives:
     >      >
     >      >     If I do a remote cloning via Clonezilla live, one machine as 
remote-dest, one as remote-source, which type of network communication is this using? 
Is there any encryption between these two machines?
     >      >
     >      >
     >      >     Thanks,
     >      >     Michael
     >      >
     >      >
     >      >     _______________________________________________
     >      >     Clonezilla-live mailing list
     >      >     Clonezilla-live@lists.sourceforge.net
     >      >     https://lists.sourceforge.net/lists/listinfo/clonezilla-live
     >      >
     >
     >
     >
     >






