On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi, 
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
> Thank you in advance...
> Best regards
> Nicolas

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect
your use case. You can disable the vm's networking of course. If you
want a read-only USB flash drive you should look at the USG hardware
firewall. I have recently released configurable firmware with a
read-only mass storage option:


Regarding USB keyboards with sys-usb, as you have discovered this does
not work. Enabling sys-usb sets a kernel option to hide all USB
controllers from dom0, and you then cannot type the disk password. You
have two choices:

 1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop
keyboards are PS/2)
 2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached
to dom0. Assign other PCI USB controllers to your own usb VM. If your
system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:



You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to