On 2/2/20 3:20 AM, David Hobach wrote:
On 2/2/20 12:40 AM, Chris Laprise wrote:
On 2/1/20 4:12 PM, curiouscuri...@mailbox.org wrote:
To remain secure, must one use a different external storage device
per VM / security domain? Can one use a single external storage
device to store files from multiple VMs securely, and if so, how?
One option is to create a Qubes storage pool on the external drive,
then move some of your VMs to it:
https://www.qubes-os.org/doc/storage-pools/
Is creating multiple encrypted partitions on a USB drive, each only
mounted and unlocked in its relevant VM, a good option? (This would
require multiple passphrases and I believe recognizing the relevant
partition from its partition number / size, which seems a lot of
effort).
The answer in many of these cases is 'Yes', even without storage
pools. But it can get a little complicated.
Start by reading about 'qvm-block' (or the Devices GUI widget) and how
to attach raw block devices to different VMs. It also helps to know
about Linux storage e.g. how to create and use LUKS volumes.
You can, for example, have a physical disk partition accessible by
sys-usb, then 'qvm-block attach' it to a trusted encryption vm (this
could even be dom0) where 'cryptsetup' is used to format/open/close
the encryption layer. Then create partitions on top of that encryption
layer and use 'qvm-block attach' to assign them to various AppVMs
where they are formatted/mounted.
My implementation for that:
https://github.com/3hhh/qcrypt
Thanks!
Anyway, it depends on your use case:
If you trust the external device, attaching it to dom0 & additional
encryption against its loss & storage pools are likely the best option.
It's essentially like an internal disk then (the security properties are
very similar). You might want to keep in mind that you should use a
dedicated USB card/PCIe lane or mSATA though - otherwise you have a
shared bus with other USB devices that you trust less.
If you don't trust it (you got it used from eBay, regularly give it to
other people or have many enemies in general), you'll want to go the
path outlined by Chris/in my implementation.
BTW, have you thought about a threat model where the whole disk uses a
single encryption key and partitions exist on top of that... and the
possibility that a compromised sys-usb copies some of the blocks from
other partitions into the partition of a compromised/coordinating AppVM?
What are the chances the compromised AppVM would be able to decrypt the
misappropriated blocks? I think many would be inclined to say the disk
cipher salt would protect the copied blocks from improper decryption,
but how certain is this?
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
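The block-copy question raised above can be checked concretely. The following is an added illustration, not code from the thread or from qcrypt: it models a LUKS volume in dm-crypt's default aes-xts-plain64 mode, where the per-sector XTS tweak (the "IV" in dm-crypt terms, the 64-bit sector number) rather than the LUKS header salt is what binds a ciphertext sector to its position. The key and sector contents are constructed sample values, and the sector numbers are arbitrary.

```python
"""Added example: why ciphertext sectors copied by a compromised sys-usb into
another partition of the same aes-xts-plain64 volume do not decrypt to the
original plaintext.  Requires the 'cryptography' package."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512
# Constructed demo key (64 bytes = two AES-256 keys, as LUKS uses for XTS).
# A real volume key comes from the LUKS header, never from code like this.
KEY = bytes(range(64))


def plain64_tweak(sector: int) -> bytes:
    # dm-crypt "plain64": sector index as 64-bit little-endian, zero-padded to 16 bytes
    return sector.to_bytes(8, "little") + bytes(8)


def xts_sector(key: bytes, sector: int, data: bytes, encrypt: bool) -> bytes:
    # One 512-byte sector under AES-XTS with the tweak derived from its position
    assert len(key) == 64 and len(data) == SECTOR_SIZE
    cipher = Cipher(algorithms.AES(key), modes.XTS(plain64_tweak(sector)))
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


def relocated_plaintext(key: bytes, plaintext: bytes, src_sector: int, dst_sector: int) -> bytes:
    """Model the scenario from the thread: the ciphertext written at src_sector
    (in another partition) is copied verbatim into dst_sector (inside the
    colluding AppVM's partition).  The encryption VM, unaware of the copy,
    decrypts dst_sector with the tweak belonging to dst_sector."""
    ciphertext = xts_sector(key, src_sector, plaintext, encrypt=True)
    return xts_sector(key, dst_sector, ciphertext, encrypt=False)


def demo() -> dict:
    # Constructed sample sector content from the "other" partition
    secret = b"payroll spreadsheet, other domain ".ljust(SECTOR_SIZE, b".")
    in_place = relocated_plaintext(KEY, secret, 1000, 1000)   # same offset: normal read
    moved = relocated_plaintext(KEY, secret, 1000, 50_000)    # copied elsewhere
    return {
        "in_place_matches": in_place == secret,
        "moved_matches": moved == secret,
        # Any 16-byte AES block surviving the move would be a leak; none should.
        "moved_shares_any_block": any(
            moved[i:i + 16] == secret[i:i + 16] for i in range(0, SECTOR_SIZE, 16)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The relocated sector decrypts to unrelated pseudo-random bytes, so the colluding AppVM learns nothing about the other partition's plaintext; the other side of the coin is that XTS is not authenticated, so nothing in the volume flags that the copy happened, and the AppVM simply sees corrupted data.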