Anil Eklavya:
Can someone clarify exactly what Qubes Backup saves and restores? To me
this is important because I am fairly sure my Qubes installation has been
compromised, if not at dom0, then certainly for some VMs, including
sys-net (which includes sys-usb). The most probable reason is an Evil Maid
attack, as I found one screw on my laptop missing which was there earlier.
I know this attack could be accomplished even without opening the laptop
up, but someone might have tampered with the laptop and may also have used
the USB.

In such a case, if I back up and restore to a new installation, will the
VMs still be compromised because they will be restored completely, or will
they be fresh in the sense that only my data will be restored, along with
a few basics like the specification of the VM?

Will it be preferable to use something like rsync for taking separate
backups of the data on VMs?

To my knowledge, Qubes Backup backs up the root and private volumes of the selected VMs, their definitions from qubes.xml, their templates, and dom0 ~/*. If I suspected compromise though (are you sure the screw wasn't just stripped and fell out somewhere?), I wouldn't trust backups made from it either. Restoring AppVMs to a new machine from backups made prior to compromise would be safest if you know exactly when it happened, and that the backup media hasn't been tampered with. You could maybe use rsync to copy the potentially infected files out, but make sure it's by itself on a dedicated network behind a firewall that only permits rsync connections to the rsync server. Another option would be to pull the hard drive, attach it to a USB-SATA converter, and very carefully mount it on a known good machine in a disposable VM without a network connection to extract the (possibly bad) data. Then, securely dispose of the laptop and hard drive. Make sure to use new passphrases on the new hardware in case a keylogger was installed on the old.
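
A helper for the "pull only the data out" step described in the reply above, written as an added example (not code from this thread or from the Qubes project): it walks a private volume (/rw) that has been mounted read-only inside an offline disposable VM and copies out plain document files only, leaving behind everything a restored qube would execute at boot (/rw/config with rc.local, /rw/usrlocal, /rw/bind-dirs, dotfiles such as .bashrc and .config/autostart) and any executable file. The mount path, the extension allowlist and the output layout are assumptions for this example.

```python
# Added example, not from the qubes-users thread: data-only extraction from
# a Qubes private volume (/rw) mounted read-only in an offline disposable VM.
# Everything that runs at boot in a restored qube is deliberately left behind.
import os
import shutil
import stat
from pathlib import Path

# /rw subtrees a restored qube executes or honours at boot (assumed layout).
SKIP_TOPLEVEL = {"config", "usrlocal", "bind-dirs"}
# Constructed allowlist: plain data formats only, no scripts or launchers.
DATA_EXTENSIONS = {".txt", ".md", ".pdf", ".odt", ".ods", ".jpg", ".png", ".csv"}

def is_data_file(path: Path) -> bool:
    """True only for a regular, non-executable file with an allowed extension."""
    st = path.lstat()
    if not stat.S_ISREG(st.st_mode):            # no symlinks, devices, fifos
        return False
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False                            # executable bit set: skip it
    return path.suffix.lower() in DATA_EXTENSIONS

def extract_user_data(rw_root, dest):
    """Copy document files from <rw_root>/home/user into dest.

    Returns (copied, skipped): relative paths copied and paths left behind.
    """
    rw_root, dest = Path(rw_root), Path(dest)
    copied, skipped = [], []
    for top in sorted(p.name for p in rw_root.iterdir()):
        if top != "home":                       # config/, usrlocal/, bind-dirs/
            skipped.append(top)
    home = rw_root / "home" / "user"
    for dirpath, dirnames, filenames in os.walk(home):
        # Prune dot-directories in place (.config/autostart, .local/bin, ...).
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            src = Path(dirpath) / name
            rel = src.relative_to(home)
            if name.startswith(".") or not is_data_file(src):
                skipped.append(str(rel))
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, target)        # contents only, no mode/xattrs
            os.chmod(target, 0o600)             # never re-create an exec bit
            copied.append(str(rel))
    return sorted(copied), sorted(skipped)
```

Review the returned skipped list before discarding anything, since a document saved without a recognised extension lands there too.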

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/906c7714-8c75-d6c0-5796-f638b507808d%40danwin1210.me.