On 08/27/2016 07:36 PM, Cube wrote:
> On Saturday, August 27, 2016 at 9:31:31 AM UTC-7, Alex wrote:
>> On 08/27/2016 05:59 PM, Cube wrote:
>> For specific services (say, the
>> mentioned Amazon) I keep a keepassx database on the specific AppVM
>> in which the service is expected to be used - the Amazon account I
>> use to buy work stuff is saved in the keepassx database in the Work
>> appVM, the personal one is saved in the personal appVM.
> 
> Interesting idea. For the downside of having to remember extra
> passwords (for the databases), backups (albeit part of the general
> backups), and managing the running instances of XKeyPass, you can
> save a few keystrokes pasting between VMs. It does seem like there
> are more disadvantages, why not just keep them together in one Vault
> XKeyPass?

I see, this may be a personal preference. Me being obsessed with
architectural research, I like to explain this with "isolation". Actual
benefits may be that I can share the personal keepassx database with
another device with simple tools, say - the laptop I use to only watch
cat videos on YouTube when I'm done at the workstation.

>> And there are some types of password I keep in a
>> non-internet-connected AppVM, together with some OTP generator
>> scripts. They are meant to be used for targets that may be
>> sensitive to large scale attacks (say, home banking credentials,
>> Amazon AWS OTP generators, etc.) where attackers may have the
>> financial power to aggressively attack the target AppVM - so my
>> line of defense here is to be sure not to have the sensitive 
>> information available on the filesystem at all.
>> 
> 
> Well they're in the AppVM though so are on the filesystem, aren't
> they? What you buy is network isolation, effectively air gapping, but
> even better.

It depends on the point of view; yes, they are on the same dom0
filesystem, but they are on different filesystems from the AppVM's point
of view. May as well be on another machine, or another universe, if Xen
isolation keeps.

I may have poorly expressed myself in the quoted paragraph; the "target
AppVM" can be one of the internet-facing AppVMs, like the Banking or
Work or Personal ones, while the one I keep the sensitive passwords on
is like a VaultVM from your original message.

-- 
Alex
