No. 4 makes sense. sys-usb shouldn't know the encryption keys. encrypted block 
device can be attached to a server vm where it would be appropriately decrypted 
and mounted, possibly from dom0 via qvm-run (you can start a vm, attach 
storage, decrypt and mount it by a short script using qvm-* command line tools) 
. server software should be run as a different user that can't login or use 
sudo. enabling services is a bit tricky in template-based vms, so the easiest 
solution is to create a small template with just the bare necessities for the 
server software, enable the service in it and then use it just for one server 
vm.
I would suggest attaching that server vm to a separate firewall vm. that way 
allowing incoming traffic in iptables should be both easier and more secure. 
firewall rules are created in different scripts in proxyvm vs netvm and appvm. 
follow Qubes documentation and don't forget to make scripts executable :)
although I used to run file and web servers on a Qubes PC I now tend to think 
that Qubes is meant to protect clients, not servers. 

P.S. Qubes networking uses NAT so LAN won't actually see any broadcast messages 
from the server unless it runs in a netvm.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4ab36370-8472-4b28-b72c-f337654b3bfc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to