I am trying to figure out a way to securely handle my encrypted drives without two things: connecting the USB directly to the Vault (as this is obviously a bad idea for security), and decrypting the USB in sys-usb (also obviously a bad idea).
As an example, I have a USB drive on which I keep encrypted backups of my important documents, and which I keep with me in case an emergency happens (the backups will probably also be in the Vault now that I am using Qubes). I have files on there that I need to move to Vault, and I need to be able to continue to put files onto it (whether from Vault or from a scan I have done). <note: I will hopefully be writing some documentation on what I did giving DispVMs the sole ability to print and scan.> Which I know is a whole different problem, so I want to focus on just the encrypted storage.

Another example is my backup drives, which are all encrypted, and that I would like to have access to for the standard reasons.

I was pointed to [1] a couple of days ago by JPO and I believe this is part of the solution, but not the whole thing.

My two solutions that I have thought through are: doing PCI passthrough directly to the Vault (which is the least favorite of my ideas), and creating a separate VM for encryption that only houses software for encrypting and decrypting (dm-crypt or veracrypt). This way the USB will be passed through to this VM and will never directly touch the Vault (except through qvm-move-to-vm).

I had a third solution of adding this functionality to DispVMs, but I can't PCI pass the USB to the DispVMs when they are running. So that one is out.

Thanks in advance for the help; can't wait to see what I missed!

[1] https://github.com/rustybird/qubes-split-dm-crypt

--
Respectfully,
Sam Hentschel
FD6A 2998 5301 B440 D26B 7040 69D1 CE58 6FA5 BB5A