On 1/20/19 12:33 AM, Andrew David Wong wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512On 18/01/2019 11.43 PM, thorsten.schie...@gmail.com wrote:I am also interested in having encrypted vms (preferably having one password for each VM-group). Let's assume I have one or more VMs for each customer which contain sensitive data that must not leak anywhere. While working for customer 1 I want to make sure that only VMs for customer 1 are decrypted and usable (along with my non-customer VMs). VMs from customer 2,3,... should be encrypted and unaccessible at this time. When I move to cusomer 2, only these VMs should be decrypted, etc. My goals are: - In the rare case I forget to lock my notebook at cusomer 1 I don't want anyone to be able to extract other customers data. (While not perfect in regards to dom0 security at least it makes sure no data can be stolen) [...]We actually have an open issue for this: https://github.com/QubesOS/qubes-issues/issues/1293 (I didn't see this mentioned in your message, so you may not be aware of it.)
Or just encrypt all your customer A data inside a container or partition in dom0 and attach that to the right VM on demand whilst memorizing the respective password.
That would be ~20 lines of code or 5 min work per customer.Anyway if your dom0 is compromised and you don't fully give up the machine, your data is compromised as well.
-- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/d86a6b5f-e2cf-ad97-26e3-ab7dbe4167b0%40hackingthe.net. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature
