On 03/29/2017 02:04 AM, Ángel wrote:
On 2017-03-28 at 08:33 -0400, 'Blacklight447' via qubes-devel wrote:
The basic idea was that you have to provide a password to decrypt the
vms data, so you can boot and use it, allowing you to be sure only you
can access its data. This could even be potentially combined with an
option to export the encrypted vm, to later boot it in a clean version
of qubes os.
Im not looking for just a password prompt, since those do not provide
any real security, unless your threat model is preventing someone to
access your vm"s when you forgot to shutdown or lock your machine.
You can use a HVM with LUKS disk. The password will be asked on boot,
just as when booting a physical OS with an encrypted disk.
However, being a HVM there will be less integration with other qubes
(maybe the support tools can be installed -and work- on HVM, too?).
I posted some scripts to this list on 15th of December 2015 with the
subject "Individually encrypting domains" that implements groups of
encrypted VMs (you can have groups of one if you so wish, of course).
I still maintain these scripts privately, and have been using them for
~two years now without problems.
I also have a Python ctypes oneline to call posix_fallocate() on
root.img to get rid of the thin provisioning stuff using sparse files
that upstream Qubes applies to make sure your data gets fucked up when
you run out of disk space in dom0.
(Works for the other .img, too, where a similar problem presents itself,
of course, but I have disabled volatile.img in my setup because I
consider the feature insane.)
If someone wants a copy I'd be happy to share.
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/9060248f-c11d-22ad-8074-4cf8097d18f6%40celo.io.
For more options, visit https://groups.google.com/d/optout.
