You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
the partition to a different VM, then mount it there.

This is a good question, I think. Since we distrust sys-usb, I agree that we should not do the cryptsetup operations in sys-usb. But if you distrust the attached device as well (might be safer, right?), one might attach the LUKS partition (resp. file) first to an intermediate (even temp!) VM, luksOpen it in there and re-attach the generated /dev/mapper volumes to the destination VM. That way sys-usb is blind to cryptsetup and the destination VM is maximally protected from USB-based attacks. Overkill?

Bernhard
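
The chain described in the message above (sys-usb, then an intermediate qube, then the destination qube), written out as a dom0 shell script. This is an added example, not part of the original message; the qube names `luks-tmp` and `work`, the device ID `sda1`, the mapper name `usbcrypt` and the fixed `frontend-dev=xvdi` are assumptions.

```shell
#!/bin/sh
# Run in dom0. All names below are assumptions for illustration.
USB_QUBE="${USB_QUBE:-sys-usb}"    # untrusted USB qube holding the stick
USB_DEV="${USB_DEV:-sda1}"         # LUKS partition ID as shown by `qvm-block list`
MID_QUBE="${MID_QUBE:-luks-tmp}"   # hypothetical intermediate (throwaway) qube
DEST_QUBE="${DEST_QUBE:-work}"     # hypothetical destination qube
MAP_NAME="${MAP_NAME:-usbcrypt}"   # hypothetical device-mapper name
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Resolve /dev/mapper/$MAP_NAME inside the intermediate qube to its dm-N ID,
# which is the name qvm-block uses for the exported device.
mapper_id() {
    if [ "$DRY_RUN" = 1 ]; then echo "dm-N"; return; fi
    qvm-run --pass-io -u root "$MID_QUBE" \
        "basename \"\$(readlink -f /dev/mapper/$MAP_NAME)\""
}

open_via_intermediate() {
    # 1. Only ciphertext crosses from sys-usb, and only to the intermediate qube.
    run qvm-block attach --option frontend-dev=xvdi \
        "$MID_QUBE" "$USB_QUBE:$USB_DEV"
    # 2. The passphrase and LUKS header parsing stay in the intermediate qube.
    #    cryptsetup reads the passphrase from stdin passed through --pass-io.
    run qvm-run --pass-io -u root "$MID_QUBE" \
        "cryptsetup luksOpen /dev/xvdi $MAP_NAME"
    # 3. The destination qube receives only the decrypted mapper volume.
    run qvm-block attach "$DEST_QUBE" "$MID_QUBE:$(mapper_id)"
}

close_via_intermediate() {
    # Tear down in reverse order so no qube keeps a dangling backend.
    run qvm-block detach "$DEST_QUBE" "$MID_QUBE:$(mapper_id)"
    run qvm-run --pass-io -u root "$MID_QUBE" "cryptsetup luksClose $MAP_NAME"
    run qvm-block detach "$MID_QUBE" "$USB_QUBE:$USB_DEV"
}
```

With `DRY_RUN=1` the functions only print the commands, so the plan can be reviewed before running it with `DRY_RUN=0`. Unmount the filesystem in the destination qube before calling `close_via_intermediate`.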

