You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
the partition to a different VM, then mount it there.
This is a good question, I think. Since we distrust sys-usb I agree that
we should not do the cryptsetup operations in sys-usb. But if you
distrust the attached device as well (might be safer, right?), one might
attach the luks-partition (resp. file) first to an intermediate (even
temp !) VM, luksOpen it in there and re-attach the generated /dev/mapper
volumes to the destination VM. That way sys-usb is blind to cryptsetup
and the destination-vm is maximally protected from usb-based attacks.
Overkill?
Bernhard
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/205543a3-89e6-5a55-f607-f48a6dd73d35%40web.de.
For more options, visit https://groups.google.com/d/optout.
