Is a long, correctly generated (with actual dice using paper and pencil - no electronic copies ever) Diceware password entered at boot-time not sufficient? If not, why not?

On Fri, Oct 18, 2019 at 9:27 PM Josh Skipper <josh770...@gmail.com> wrote:

>> I'd just like to remind people (again) that Qubes has a storage pool
>> feature. So it IS possible to encrypt VMs with different encryption
>> keys. It requires some initiative from the user to set it up, however,
>> to define the pools so they reside in encrypted volumes.
>
> While I was looking for a way to individually encrypt VMs with a unique
> password, I stumbled upon this thread.
> I did some tests with storage pools and there seems to be a major drawback.
> As I understand, you have to create a new encrypted storage pool with
> fixed size for every VM you want to protect individually.
> So basically this defeats the advantage of the thin pool, where each VM
> can dynamically use as much space as needed, while having a maximum much
> larger than what is needed or even available.
> I thought about a way to actually get this to work, but the problem is,
> if I set the pool size too low, I will run into bigger problems later on
> where an expansion would be needed. Is this even possible if the HDD space
> before and after is already assigned to other pools which cannot be
> shrunk?
> So to be sure you'd have to assign more than enough space, eating up the
> HDD space very fast, leading to not enough space for all VMs.
>
> Am I missing something here? If not, is there a better way to encrypt each VM
> individually while still using only the default pool (qubes_dom0/pool00)?
> I tried to replace the VMs' private LVs with an encrypted equivalent, but
> this did not work. To be precise, I replaced them with an opened LUKS
> volume. The volume can be mounted and used but QubesOS did not like it at
> all; the VMs did not start with this setup.
> I guess there are modifications in QubesOS itself needed in order to do so?
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-devel+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-devel/20583f92-78e6-4e9c-9a85-c6b4656e617f%40googlegroups.com