You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
the partition to a different VM, then mount it there.

This is a good question, I think. Since we distrust sys-usb, I agree that we should not do the cryptsetup operations in sys-usb. But if you distrust the attached device as well (might be safer, right?), one might attach the LUKS partition (resp. file) first to an intermediate (even temp!) VM, luksOpen it in there and re-attach the generated /dev/mapper volumes to the destination VM. That way sys-usb is blind to cryptsetup and the destination VM is maximally protected from USB-based attacks. Overkill?

