Hello, I'd like to add, that I know that EncFS seems to have some issues, mentioned here for example: https://defuse.ca/audits/encfs.htm While this report is from 2014 and a new version has been issued it seems that encfs 2.x (which should provide better security) is still on its way - if it will come at all.
Unfortunately encfs is the only solution which is cross-platform, if someone is using a Linux only environment, the encryption layer could be replaced with other solutions: https://www.cryfs.org/comparison As such the subject should not be... "Idea for (resonable secure) cloud-storage usage with Qubes" ... but ... "Idea for (a slightly more secure) cloud-storage usage with Qubes"  PS: sorry for Top-Posting ;-) I have a typo in my initial post, replace my-untrusted with my-work (where I unmount the encfs uencrypted directory) -------- Original-Nachricht -------- An 15. Okt. 2017, 01:54,  schrieb: > Hello, > I thought about how to work with cloud storage under Qubes OS and I'd like to > share my idea with you, to provide feedback. > I have already build a prototype that works "reasonable" well, but I am far > away from being a security professional, as such I'd like to hear your opion > about it. > Assumptions: > You are using cloud storage like Microsoft OneDrive and you would like to do > so under Qubes in a more secure way. > Goals: > - all files within onedrive should be encrypted > - files should still be accessible/decryption from other Operating systems > - decrypted data storage and cloud storage access should be separated into > two AppVMs > - different AppVMs should have access to data in the cloud storage, but it's > impossible for an AppVM to read the data which should be read by other AppVMs > (meaning you have the option to create individuall encrypted directories) > - solution should be easy to use and relying on scripts to provide good > automation and a good tradeoff between security and user experience. > > Idea: > In order to reach the goals, the idea is to work with two AppVMs: > 1. "Access+Transfer AppVM" this VM will access the cloud storage provider, > provide synchronisation and will always see encrypted data > 2. "Storage-AppVM" this VM will receive the encrypted files from the > Access+Transfer AppVM and store the files. It will also work as a data-hub to > provide access to data to your other AppVMs which you use to manipulate the > data within this VM. > > As such we have separated: > - Access & Transfer of data from cloud storage provider > - Local data storage > - Data manipulation > > Solution Design: > [Access+Transfer AppVM] > Template: fedora-25-minimal > Additional packages: > - OneDrive Freeclient > ([https://github.com/skilion/onedrive)](https://github.com/skilion/onedrive) > - sudo dnf -y install nfsutils > Will be configured to mount a NFS-share from the Storage AppVM and to access > OneDrive to synchronize the files > Data will be downloaded and storad in the mounted NFS-Share of the Storage > AppVM > > [Storage App-VM] > Template: fedora-25-minimal > Additional packages: > - sudo dnf -y nfs-utils encfs > This machine has been setup as a NFS Server. > The /etc/exports file and also the iptables Firewall of this AppVM has been > setup, so that the [Access+Transfer AppVM] kann access a certain location. > Within this location all files ENCFS-encrypted. > As such the Access+Transfer AppVM but also the Cloud Storage provider will > only see encrypted files. > Additional AppVMs can also mount the main NFS Share/directory. > Those AppVMs can access certain subfolders and mount them via ENCFS to get > the unecrypted data. > So the ENCFS decryption are done in those AppVMs. > You could setup various subfolders within your Onedrive directory and each > folder could be encrypted within the different AppVMs. > Example: > onedrive\photos --> NFS Share to --> my-photo-appvm > onedrive\work --> NFS Share to --> my-work-appvm > onedrive\media --> NFS Share to --> my multimedia-appvm > > Let's look at one AppVM (example my-work-appvm = 10.137.2.25 // storage-appvm > = 10.137.2.20) > On sys-firewall there is a rule, so that the work-appvm can access the > storage-appvm: > [user@sys-firewall ~]$ sudo iptables -I FORWARD 2 -s 10.137.2.25 -d > 10.137.2.20 -j ACCEPT > > On the storage appvm: > [user@my-storage ~]$ sudo iptables -I INPUT 5 -i eth0 -s 10.137.2.25 -d > 10.137.2.20 -j ACCEPT > The NFS Exports file: > [...] > # 10.137.2.15 = Access+Transfer AppVM > /var/nfs 10.137.2.15(rw,sync,no_subtree_check) > # 10.137.2.25 = Work AppVM > /var/nfs/work 10.137.2.25(rw,sync,no_subtree_check) > [...] > > In the Work AppVM you are mounting the NFS Share from the Storage AppVM: > sudo mount 10.137.2.20:/var/nfs/work /mnt/onedrive-work.encfs > > In Order to access the files, the NFS share is encfs-mounted: > encfs /mnt/onedrive-work.encfs ~/work > > the unencrypted files can be accessed in ~/work. > If saved they will be encfs-encrypted and stored to NFS share of the Storage > AppVM. > The Storage AppVM is connected to the Access-Transfer-AppVM which will > recognize that an (encrypted) file has changed and will upload it to Onedrive. > > As you can guess, you can use different AppVMs, which access different > subfolders with different ENCFS-Keys. > For additional security you can also choose to shutdown the Access+Transfer > AppVM and disable the NFS Server in the Storage AppVM if you don't need > access to the files. > > Script to start the NFS Server from dom0 > #!/bin/bash > qvm-run my-storage 'xterm -e "sudo systemctl start nfs"' > sleep 2 > > Scripts to unencrypt the data in an AppVM from dom0: > #!/bin/bash > qvm-run my-work 'xterm -e "encfs /mnt/onedrive-work.encfs ~/work"' > > Script to unmount the unencrypted share in an AppVM: > #!/bin/bash > qvm-run my-untrusted 'xterm -e "fusermount -u ~/work"' > > I have already a working prototype, regarding the NFS server and ENCFS-part > and will now add the onedrive part. > > What's your opinion about this approach (I hope I could make clear what the > idea is) - am I opening to much attack possibilities because I need to have > NFS server running between the AppVMs? Keep in mind, that I am only sharing > one directory, which is encrypted and only the AppVM knows how to decrypt the > data. > So even if the Storage AppVM gets compromissed, the data should be encrypted > (and therof protected). > > The password entry within the AppVM to open of the ENCFS-encrypted data could > be simplified by using something like a yubikey + short password. > > Interested to get your feedback. > >  -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1AEzAuelWDrVQsdrIbOmPhwI9QwoloMGiX6VcHatwcwHduke7sU-hDiyWwer2ffDpftxICtSWgAMAfUtd4kSus2RzA1v1DSUMOkwdLzkDkE%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.