Bernhard:
> > You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
> > the partition to a different VM, then mount it there.
> >
> This is a good question, I think. Since we distrust sys-usb I agree that we
> should not do the cryptsetup operations in sys-usb. But if you distrust the
> attached device as well (might be safer, right?), one might attach the
> luks-partition (resp. file) first to an intermediate (even temp !) VM,
> luksOpen it in there and re-attach the generated /dev/mapper volumes to the
> destination VM. That way sys-usb is blind to cryptsetup and the
> destination-vm is maximally protected from usb-based attacks. Overkill?

That's basically what Split dm-crypt automates (with even more overkill):

https://github.com/rustybird/qubes-split-dm-crypt

Rusty