mike:
I would decrypt in dom0 and attach decrypted to qubes. You can script
this in dom0 as part of startup process - if you are content with dom0
encryption you can store the password, rather than enter it each time.
Cool -- I like the idea!
What approach would you recommend for these:
a) if the partition was to be decrypted during dom0 boot -- where to script it?
b) if the partition was to be decrypted right before a qube's start -- is there
a pre-domain-boot script kind of thing?
c) if the password was to be typed -- any idea how to pop up some password
input dialog box?
Many thanks unman!
Mike
I'm decrypting my drive with two partitions and connecting them to the VMs on
startup like this in dom0:
Keyfile: /root/my-drive-decrypt/keyfile
Script: /root/my-drive-decrypt/my-drive-decrypt.sh
#!/bin/bash
# Open the drive (plain dm-crypt, key file in dom0), activate the LVM volume
# group on it and (re)attach its two volumes to their qubes; reverse on stop.
case "$1" in
start)
    cryptsetup --cipher=XXX --offset=XXX \
        --key-file=/root/my-drive-decrypt/keyfile --key-size=XXX \
        open --type=plain /dev/disk/by-id/XXX my-drive
    kpartx -a /dev/mapper/my-drive
    vgchange -ay my-drive
    # drop any stale attachment before attaching the fresh device
    qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
    qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
    qvm-block a --persistent -o frontend-dev=xvdi my-drive1-vm \
        $(qvm-block l | grep my-drive1 | cut -f1 -d ' ')
    qvm-block a --persistent -o frontend-dev=xvdi my-drive2-vm \
        $(qvm-block l | grep my-drive2 | cut -f1 -d ' ')
    ;;
stop)
    qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
    qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
    vgchange -an my-drive
    sleep 1
    kpartx -d /dev/mapper/my-drive
    cryptsetup close my-drive
    ;;
status)
    cryptsetup status my-drive
    ;;
*)
    echo $"Usage: $0 {start|stop|status}"
    exit 2
esac
exit 0
Service: /etc/systemd/system/my-drive-decrypt.service
[Unit]
Description="Decrypt my-drive"
Requires=qubes_core.service
After=qubes_core.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/root/my-drive-decrypt/my-drive-decrypt.sh start
ExecStop=/root/my-drive-decrypt/my-drive-decrypt.sh stop
[Install]
WantedBy=multi-user.target
Enable service:
systemctl enable my-drive-decrypt.service
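An added example (my own script, not the one posted above and not Qubes project code) that covers question (c) as well: it unlocks the volume in dom0 with the stored key file when one with safe permissions exists, otherwise pops up a passphrase prompt, then attaches the volume with qvm-block. The mapper name, backing device, key-file path, qube name, frontend device, the name qvm-block shows for the volume, and zenity being present in dom0 are all assumptions; the `qvm-block list` sample inside is constructed, not captured from a real system.

```bash
#!/bin/bash
# Added example for this thread, not the poster's script: unlock a plain
# dm-crypt volume in dom0 and hand an LVM volume on it to a qube, prompting
# for the passphrase when no usable key file exists. All names below are
# assumptions; XXX placeholders are kept from the thread.
set -euo pipefail

MAPPER_NAME="${MAPPER_NAME:-my-drive}"
BACKING_DEV="${BACKING_DEV:-/dev/disk/by-id/XXX}"
KEY_FILE="${KEY_FILE:-/root/my-drive-decrypt/keyfile}"
TARGET_VM="${TARGET_VM:-my-drive1-vm}"
BLOCK_NAME="${BLOCK_NAME:-my-drive1}"      # name as shown by qvm-block list
FRONTEND_DEV="${FRONTEND_DEV:-xvdi}"

# A key file stored in dom0 is only as private as its mode: accept a regular
# file readable by its owner alone, refuse anything else.
keyfile_usable() {
    local f="$1"
    [ -f "$f" ] || return 1
    case "$(stat -c '%a' "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read `qvm-block list` text (BACKEND:DEVID, description, used-by columns) on
# stdin and print the BACKEND:DEVID whose description contains the wanted name
# as a whole token. `grep my-drive1 | cut -f1` would also match my-drive10.
find_block_id() {
    awk -v w="$1" '
        $1 == "BACKEND:DEVID" { next }
        { for (i = 2; i <= NF; i++) if ($i == w) { print $1; exit } }
    '
}

# Constructed sample of `qvm-block list` output for trying find_block_id
# offline; it is not captured from a real Qubes system.
sample_list() {
    cat <<'EOF'
BACKEND:DEVID  DESCRIPTION            USED BY
dom0:sda       ATA_Disk (sda)
dom0:dm-3      my-drive1 (dm-3)
dom0:dm-4      my-drive10 (dm-4)      work
dom0:dm-5      my-drive2 (dm-5)
EOF
}

# Passphrase prompt: a zenity dialog when an X display is available (zenity
# assumed installed in dom0), otherwise the systemd password agent.
ask_passphrase() {
    if [ -n "${DISPLAY:-}" ] && command -v zenity >/dev/null 2>&1; then
        zenity --password --title="Unlock ${MAPPER_NAME}"
    else
        systemd-ask-password "Passphrase for ${MAPPER_NAME}:"
    fi
}

# With --type plain, key-file bytes are used verbatim while a passphrase read
# from a non-tty stdin is hashed first (and read up to the newline), so the
# volume must be opened the same way it was created.
open_volume() {
    if keyfile_usable "$KEY_FILE"; then
        cryptsetup open --type=plain --cipher=XXX --key-size=XXX \
            --key-file="$KEY_FILE" "$BACKING_DEV" "$MAPPER_NAME"
    else
        ask_passphrase | cryptsetup open --type=plain --cipher=XXX \
            --key-size=XXX "$BACKING_DEV" "$MAPPER_NAME"
    fi
}

# Expose the LVM volume inside the decrypted device and attach it. No
# --persistent: a persistently attached device that is absent because the
# volume is still locked keeps the qube from starting at all.
attach_to_qube() {
    kpartx -a "/dev/mapper/${MAPPER_NAME}"
    vgchange -ay "$MAPPER_NAME"
    local id
    id=$(qvm-block list | find_block_id "$BLOCK_NAME")
    [ -n "$id" ] || { echo "no block device named ${BLOCK_NAME}" >&2; return 1; }
    qvm-block attach -o frontend-dev="$FRONTEND_DEV" "$TARGET_VM" "$id"
}

detach_and_close() {
    local id
    id=$(qvm-block list | find_block_id "$BLOCK_NAME")
    [ -n "$id" ] && qvm-block detach "$TARGET_VM" "$id"
    vgchange -an "$MAPPER_NAME"
    kpartx -d "/dev/mapper/${MAPPER_NAME}"
    cryptsetup close "$MAPPER_NAME"
}

# Same start/stop interface as the unit above; no argument only defines functions.
case "${1:-}" in
    start) open_volume && attach_to_qube ;;
    stop)  detach_and_close ;;
    "")    ;;
    *)     echo "Usage: $0 {start|stop}" >&2; exit 2 ;;
esac
```

Run it as root in dom0 with `start` and `stop`, or point the unit's ExecStart and ExecStop at it. The key-file path is what works from a boot-time unit; the prompt path needs either the X session (zenity) or an active password agent for systemd-ask-password, so for typed passphrases run `start` from the desktop session rather than from a unit that starts before login.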
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/780a6837-db03-70dd-622b-1e9ed185eede%40vfemail.net.
For more options, visit https://groups.google.com/d/optout.