Hello,

On 11.07.2017 10:52 PM, "Florian Brandes" <[email protected]> wrote:
On 07/11/2017 10:08 PM, [email protected] wrote:

(...)

> I'm thinking of setting up perhaps something like a "Storage Qube", which will have the storage drive permanently attached, and be in charge of managing permissions and serving the folders to authorized VMs via…NFS? SSHFS?

(...)

I'm new to qubes, so excuse me if I may sound stupid, but wouldn't it be easier to include your storage space in your overall qubes setup (maybe as an LVM), so that you would just use your qubes and extend their personal disk space? This way you could take advantage of the isolation provided by qubes without the hassle of setting up a dedicated storage VM which would also need to check permissions.

On the other hand you could probably set up a storage VM and serve the files via NFS on an IP basis. Since every qube has a unique IP address you could make sure that no other qube except the one you permit has access to a specific storage folder.

One idea that came to my mind:

- set up a "storage qube" which serves as an NFS server
- create exports in separate folders which can only be accessed by dedicated IPs (from the AppVMs)
- as an additional layer of security you could use encfs (with maybe some symlinks) in the AppVMs, so that the data is decrypted from the view of an AppVM but encrypted from the view of the Storage Qube. I guess it should be possible to script something where the decryption key is stored locally in the AppVM (assuming that the data would be unencrypted in the AppVM without a "Storage Qube").

Would this work for you?

- PhR
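The per-IP export idea in the message above, as an added example that is not part of the original thread: a small Python check that reads `/etc/exports`-style text and reports every folder that is not limited to exactly one client IP. The paths and addresses in the sample are constructed values, and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample /etc/exports for a hypothetical storage qube; IPs and paths are made up.
SAMPLE_EXPORTS = """\
# one folder per AppVM
/srv/store/work      10.137.0.11(rw,sync,no_subtree_check)
/srv/store/personal  10.137.0.12(rw,sync,no_subtree_check)
/srv/store/shared    10.137.0.0/24(rw,sync)
/srv/store/media     10.137.0.11(rw) 10.137.0.13(ro)
/srv/store/scratch   *(rw)
"""

def single_host(client):
    """True only if the client spec is exactly one IP address (no wildcard, subnet or hostname)."""
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return False
    return True

def audit_exports(text):
    """Return {path: [problems]} for exports that are not limited to one client IP."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = shlex.split(line)      # path, then client(options) entries
        problems = []
        if not specs:
            problems.append("no client listed: export is not restricted to a host")
        for spec in specs:
            client = spec.partition("(")[0]
            if not client:
                # "/path (rw)" with a space: the options apply to every host
                problems.append("empty client: options apply to every host")
            elif not single_host(client):
                problems.append(f"client {client!r} is not a single IP")
        if len(specs) > 1:
            problems.append("more than one client can mount this folder")
        if problems:
            findings[path] = problems
    return findings

if __name__ == "__main__":
    for path, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(path, "->", "; ".join(problems))
```

An empty result means each exported folder is reachable from exactly one address, which is the property the per-IP setup relies on.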
