Secure Disk Cloning Over SSH: Using dd with Netcat for Encrypted Transfers Between Linux Hosts


When you need to perform secure disk cloning between Linux machines, combining dd with netcat over an SSH tunnel provides an efficient encrypted transfer method. This approach is particularly useful when:

  • Deploying system images across multiple machines
  • Migrating servers without physical media
  • Maintaining data security during transfers

On the source machine (Host A):

dd if=/dev/sdX | gzip -1 - | nc -l 3333

On the destination machine (Host B), plain netcat with no encryption:

nc hostA 3333 | gunzip | dd of=/dev/sdY

To secure the transfer, we'll tunnel netcat through SSH:

Method 1: Direct SSH Pipe

# On Host A:
dd if=/dev/sdX | gzip -1 - | ssh user@hostB "gunzip | dd of=/dev/sdY"

Method 2: Netcat with SSH Tunnel

# First open a tunnel on Host B:
ssh -f -N -L 3333:localhost:3333 user@hostA

# Then on Host A:
dd if=/dev/sdX | nc -l 3333

# Finally on Host B:
nc localhost 3333 | dd of=/dev/sdY

Add pv to monitor transfer progress:

# On Host A:
dd if=/dev/sdX | pv -s $(blockdev --getsize64 /dev/sdX) | gzip -1 - | \
    ssh user@hostB "gunzip | dd of=/dev/sdY"

# After the transfer, verify checksums on both ends (run from Host B).
# The two sums only match when both devices are the same size; if /dev/sdY
# is larger, hash only its first $(blockdev --getsize64 /dev/sdX) bytes.
ssh user@hostA "sha256sum /dev/sdX"
sha256sum /dev/sdY

Security notes:

  • Always use SSH key authentication
  • Consider using -c aes256-ctr for stronger encryption (-c is shorthand for -o Ciphers=)
  • For sensitive data, add -o Ciphers=chacha20-poly1305@openssh.com

# Use larger block sizes for faster transfers:
dd if=/dev/sdX bs=1M | ssh -c aes256-ctr user@hostB "dd of=/dev/sdY bs=1M"

When performing disk-to-disk cloning across networks, we need to combine several Linux tools:

  • dd for raw disk access
  • netcat for efficient network transfer
  • SSH for encryption and authentication

On the receiving machine (Host B):

nc -l 1234 | dd of=/dev/sdX bs=1M status=progress

On the source machine (Host A):

dd if=/dev/sdY bs=1M status=progress | nc hostB 1234

The raw netcat approach is unencrypted. For security, we'll tunnel through SSH:

First method (using SSH port forwarding):

# On Host A:
ssh -f -N -L 1234:localhost:1234 user@hostB

# Then run the netcat sender:
dd if=/dev/sdY bs=1M status=progress | nc localhost 1234

Alternative method (SSH as the pipe directly):

dd if=/dev/sdY bs=1M status=progress | gzip -c | ssh user@hostB "gunzip -c | dd of=/dev/sdX"

For better performance with large disks:

# Use larger block sizes and compression:
dd if=/dev/sdY bs=4M status=progress | gzip -1 | ssh -c aes128-ctr user@hostB "gunzip -c | dd of=/dev/sdX bs=4M"

To verify the transfer:

# Generate checksum on source:
dd if=/dev/sdY bs=1M | sha256sum

# Generate checksum on destination after transfer. If /dev/sdX is larger than
# the source, hash only the first $(blockdev --getsize64 /dev/sdY) bytes, or
# the sums will never match:
dd if=/dev/sdX bs=1M | sha256sum
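The pipeline and the verification step above are easy to get subtly wrong by hand (a destination that is too small, or a checksum taken over a larger destination device that can never match). The following script is an added example, not code from the original article: it wraps the "dd | gzip | ssh 'gunzip | dd'" transfer in one function that checks the destination size first, then hashes only the first source-size bytes on each side. It assumes a REMOTE variable holding the ssh target for the destination side (e.g. user@hostB); when REMOTE is empty the destination commands run locally through sh -c, so the whole flow can be rehearsed on one machine with two image files before any real device is touched. GNU coreutils (dd with bs=1M, sha256sum, blockdev) are assumed on both sides.

```shell
#!/bin/sh
# Added example (not from the original article): clone-and-verify wrapper for
# the dd | gzip | ssh "gunzip | dd" pipeline. Assumed, not from the article:
# REMOTE=user@hostB selects the ssh destination; an empty REMOTE runs the
# destination-side commands locally with sh -c (rehearsal mode).
set -u

# Run a command string on the destination side.
run_dst() {
    if [ -n "${REMOTE:-}" ]; then
        ssh "$REMOTE" "$1"
    else
        sh -c "$1"
    fi
}

# Byte size of a block device or a regular file (local side).
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 only if the destination can hold the whole source image;
# dd would otherwise stop with "No space left on device" and a truncated copy.
check_fits() {
    src_size=$(size_of "$1")
    dst_size=$(run_dst "if [ -b '$2' ]; then blockdev --getsize64 '$2'; else wc -c < '$2' | tr -d ' '; fi" 2>/dev/null)
    [ "${dst_size:-0}" -ge "$src_size" ]
}

# Clone SRC to DST through the compressed pipe, then compare SHA-256 sums
# computed independently on each side. Only the first src_size bytes of DST
# are hashed, because a larger destination device would otherwise never match.
# Exit status: 0 verified, 1 transfer or checksum failure, 2 destination too small.
clone_and_verify() {
    src=$1
    dst=$2
    check_fits "$src" "$dst" || { echo "destination too small for $src" >&2; return 2; }
    src_size=$(size_of "$src")
    # conv=notrunc keeps file-backed rehearsals behaving like real devices.
    dd if="$src" bs=1M 2>/dev/null | gzip -1 \
        | run_dst "gunzip -c | dd of='$dst' bs=1M conv=notrunc 2>/dev/null" || return 1
    src_sum=$(dd if="$src" bs=1M 2>/dev/null | sha256sum | cut -d' ' -f1)
    dst_sum=$(run_dst "head -c $src_size '$dst' | sha256sum | cut -d' ' -f1")
    if [ "$src_sum" = "$dst_sum" ]; then
        echo "verified $src -> $dst ($src_size bytes, sha256 $src_sum)"
        return 0
    fi
    echo "CHECKSUM MISMATCH: src=$src_sum dst=$dst_sum" >&2
    return 1
}

# Usage: REMOTE=user@hostB sh clone_verify.sh /dev/sdX /dev/sdY
if [ "$#" -eq 2 ]; then
    clone_and_verify "$1" "$2"
fi
```

Run it once with REMOTE empty against two scratch files to confirm the size check and the checksum comparison behave as expected, then point it at the real devices with REMOTE set; the destination-side checksum is computed over the wire by the remote shell, so only the two 64-character digests travel back.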

Before starting:

  • Ensure both machines have network connectivity
  • Verify disk permissions (often requires root)
  • Check available disk space on destination
  • Monitor transfer speed with pv if installed

Always:

  • Use SSH key authentication
  • Restrict SSH access with firewall rules
  • Consider using socat instead of netcat for additional features
  • Destroy temporary files securely after transfer