On Fri, Jun 17, 2016 at 1:52 PM, David Hobach <trip...@hackingthe.net>
wrote:
> Dear users,
>
> I wonder whether there's any sensible (= relatively secure) way of sharing
> data between 2 Qubes installations via a single USB pen drive or hard disk?
>
> What are you using or do you have any thoughts?
>
> Of course I assume that both installations have multiple VMs for which you
> want to share data (i.e. Qubes_A has VM_1, VM_2, VM_3, ... and Qubes_B has
> VM_1*, VM_2*, VM_3* and you want to share data as follows: VM_1 -> VM_1*,
> VM_2 -> VM_2* and so on). The single VM solution is obviously directly
> supported by Qubes.
>
> I also consider having one USB drive per VM not practical.
>
> Kind Regards
> David
>
> ------------------------------------------------------------------
>
> My proposal:
>
> 0. for each client VM you'll need a subfolder on that USB drive with a
> dmcrypt container inside
> 1. Attach the USB drive to some usbshare VM ("server" VM) & mount it there
> 2. Run a ssh server in the usbshare VM, accessible for all client VMs
> 3. in your client VMs use e.g. sshfs to access the respective dmcrypt
> container and decrypt it using a key local to the respective client VM
>
> Mitigated attacks:
> - USB driver attacks would be executed in the usbshare VM which doesn't
> have access to any sensible data (all encrypted) --> USB drive does not
> need to be trusted
> - no VM can access another one's data without successfully compromising
> the other VM or breaking the dmcrypt crypto
> - other OSes cannot read the data and cannot modify it without being
> noticed (integrity needs to be checked by the deployed crypto algorithms)
>
> Possible attacks:
> - ssh exploits (clients can try to attack the usbshare VM, the usbshare VM
> might try to attack the client VMs via ssh vulnerabilities)
>
>
> Feedback welcome!
>
>
Probably I did understand what you are trying to achieve, but when I had
to copy data between two Qubes installations made a backup of the first
installation on a NAS and restored it on the second installation, changing
the name of conflicting VMs before restore. Everything really easy and fast.
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/57642AC5.4070100%40hackingthe.net
> .
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CAPzH-qBD_%2BcS_d-tpBJPb5WBzBwf6eC_iCyU0OOGPC3oGFb%3DmA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
