Re: [qubes-users] backup with debian-10-minimal based sys-usb fails

[Sven Semmler]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 3/31/19 9:36 AM, unman wrote:
> 1. The minimal template is minimal - it doenst have any GUI file 
> manager. When you click on the ... button it spawns a file manager
> in the backup qube. Since you dont have one installed it cant be 
> opened.

I neglected to mention that I did install nautilus for that very reason.


> You could install a file manager but then you're getting closer to
> the normal Debian template which is pretty minimal. If you are
> committed to minimal service qubes, CLI backup .

You convinced me. My intermediate solution will be to run sys-net and
sys-firewall as named disposable VMs based on a true minimal (not the
one I messed with, but the original minimal template plus the
qubes-core-* packets required for networking). And sys-usb as a named
disposable VM based on the plain debian template.

Soon though I will understand the CLI for backup and restore and
automate my backups using a shell script. Then sys-usb will be like
sys-net and sys-firewall already are.

Thank you for your help!

/Sven

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAlym7RQACgkQ2m4We49U
H7bMpg//XeEzn1KGpgVWGK4MCekQ2RuJXNJItOsdnnGK4yxDHbPIEewdP4EIl+ZW
/+jwoTsWXHImpSJBaaFCWBayZwhOgyUaLVBT08GGd6P6hbNYBxiOG2qdrPrCEsds
XlVfwgfPTKIVVKn2poegzZ/762c/kPa5E1aL+nB+UqCzO05kuXoH720HpVcTmywW
ig6bOeuXlowOrLMXgUKsHaA111WmEfrbReVDDzf25xrZukPiFX7FhIKT3wQfGdSf
Z+wFvL+7CEvk4WBBR5PA2y8mx5BSXiYVOuR4zKPI9yXVhZnc5QkrB9lp3LljcIqA
TF6VfsYyAYYjg7rmEe7i72gzUf8eAbXvKXvZUzfJ3cblRUxAKIdUU/rCRUJS2QvX
5gR+y4XFG4ZXit3LNxqRmi0G1aL0haSvnGWhykeTK+q7Jclym9sInabuoKs+zme4
Tu2wg7Exkvx6kJ9+DRn1DhVyi1CPAJP6dXHsqnVhy6/xpSfulMPsqugW8EngcdsK
8xYKQfO2N1ddTI6qlljeE/PLDPPsgyPW0wk0/dHadOfFQ9FrdSYV1H3ZDxfRozEH
HjL8DmXuwpgEash748pb0KQgbEGRBorUGTRWVD6RtXgBpDu15ME0MwF7DYiYMC9V
FFWPHAin1hMI3jLC+TaPRnNlkC7CPXLmKCxpBHEY2jzj3YqhOew=
=ZgVG
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2680f942-0284-d929-9b51-01226087e07e%40SvenSemmler.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't Start Network, V4

[Ray Joseph]

unman,

Thank you. 

On opening sys-net, there were two USB controllers already attached, one was 
00:14.0.  So I removed both and added the nic.  Sys-net is now running.  

So I now want to test it.  I thought I could just open a vm such as debian, but 
I found it says it can't have networking.  Further reading said networking can 
be enabled in the Basic tab.  I am guessing sys-firewall should be the choice. 
Then connect with Tor.   

Bootstrap phase stuck on 5% (10 minutes before I stopped it).  There is only 
one AP and it is open (out of my control).  

Any suggestions on progressing?

 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aacf6589-c820-4439-9af6-b2f54ea5229a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] is this time issue ever going to be properly fixed?

[Jon deps]

on rebooting my taskbar time is for some reason not persisting Again !
I can try explaining but  there seem to be too many moving parts  to 
ever get this to stop breaking  on random reboots ?



clockvm is sys-net   ;  sys-net  at the moment  is debian-10 based, but 
using fedora-29   didn't seem to help  when I changed it, and then did


qvm-sync clock  in  dom0

I went and peaked at the widget setup, which give a mouse-over that say 
leave blank to use local time  for timezone  , it HAD had my current TZ 
, so I emptied it , but  no change at all


so I finally ended up using timedatectl   to set the date

however, sys-whonix-14  is still complaining  that the time isn't good 
enough ..



so to me, something fundamentally remains wrong with  Qubes 4.0   that I 
have to do all this  ..



there is like a chain of breaks, and I don't like having to sort through 
something  with  no protocol  and random problems.



I know it was supposed to have been fixed at one point and I had been 
using a different template that wasn't broken,  maybe I need to go find 
that manual  fix  and try it again  though  my  debian-10 was just an 
upgrade not a new template ,  but maybe the upgrade broke  ntp or 
something ,  doesn't explain why fedora-29  would be broken



sigh

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/32abd45b-a8bf-843b-4605-5fe88155025e%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] debian 10 minimal ... issue with update proxy

[haaber]

On Wed, Apr 03, 2019 at 08:56:56AM +1100, haaber wrote:

You need to enable the qubes-update-proxy service - this creates the
necessary file at  /var/run/qubes-service/qubes-updates-proxy

There's another issue in that the service file refers to
/usr/sbin/tinyproxy but the exec is in /usr/bin
Fix this by editing /lib/systemd/system/qubes-updates-proxy.service to
refer to the correct path.


Dear qubes-users, dear Unman, I tried to follow these instructions, but
I am stuck. There is an odd spelling issue, sometimes I read  *updates*
(plural), sometimes *update* (singular). I presume the service name is
meant to be in plural:  qubes-updates-proxy ?

I have actually tried both, singular and plural, but it won't work I
rebooted each time): the plural version generates the file
/var/run/qubes-service/qubes-updates-proxy but it has zero size. Is this
normal? And this file  /lib/systemd/system/qubes-updates-proxy.service
you mention does simply not exist.Any hints?



The service is the plural. I mumbled the singular.
Yes, it's normal to have a zero size file.
I dont know why you wouldnt have the service file - it comes with
qubes-core-agent-networking. You are looking in the qube, not in dom0?


I looked in the qube-template: dpkg -s qubes-core-agent-networking
reveals that the package was not installed on my debian-9-minimal
template :)) So I'll do that frist, then clone and buster it afterwards.
I guess that was all, so thanks once more, Unman.

Another remark / question: the tinyproxy path is also wrong in the
"full" debian-10 buster. Funnily that did not prevent upgrade from
stretch, nor 'manual' apt-get upgrades. I guess it is better to correct
that  as well, rather than symlinking /usr/bin/tinyproxy to
/usr/sbin/tinyproxy ...cheers, Bernhard

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f7105bb8-9f61-8c13-ced6-5f33eb6e686c%40web.de.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] split pgp not working in debian 9 vms

[unman]

On Thu, Apr 04, 2019 at 07:51:28PM -0400, J.M. Porup wrote:
> On Fri, Apr 05, 2019 at 12:25:30AM +0100, unman wrote:
> > On Thu, Apr 04, 2019 at 10:52:09AM -0400, J.M. Porup wrote:
> > > hi,
> > > 
> > > Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms.
> > > 
> > > split pgp works to sign documents from the email vm:
> > > 
> > > qubes-gpg-client-wrapper --clearsign foo.txt
> > > 
> > > but does not work to encrypt documents/emails:
> > > 
> > > /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt
> > > 
> > > which returns the error message:
> > > 
> > > gpg: cannot open '/dev/tty': No such device or address
> > > 
> > > I've been tinkering with this for several days, and am not finding a
> > > solution. Why is split pgp working for signing, but not encrypting?
> > 
> > Add --batch or put this in your gpg.conf
> 
> thanks. adding --batch gives me the following error:
> 
> /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt --batch 
> foo.txt
> 
> gpg: no valid addressees
> gpg: [stdin]: encryption failed: No user ID
> 
> For some reason qubes-gpg-client-wrapper can find my signing subkey
> but not the encryption subkey.
> 
> ideas?
> 
> thanks
> jmp
> 

You havent specified who it's encrypted to.
 -r 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190405001048.o6qpjvpavi4kamk4%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] debian 10 minimal ... issue with update proxy

[unman]

On Wed, Apr 03, 2019 at 08:56:56AM +1100, haaber wrote:
> > You need to enable the qubes-update-proxy service - this creates the
> > necessary file at  /var/run/qubes-service/qubes-updates-proxy
> > 
> > There's another issue in that the service file refers to
> > /usr/sbin/tinyproxy but the exec is in /usr/bin
> > Fix this by editing /lib/systemd/system/qubes-updates-proxy.service to
> > refer to the correct path.
> > 
> Dear qubes-users, dear Unman, I tried to follow these instructions, but
> I am stuck. There is an odd spelling issue, sometimes I read  *updates*
> (plural), sometimes *update* (singular). I presume the service name is
> meant to be in plural:  qubes-updates-proxy ?
> 
> I have actually tried both, singular and plural, but it won't work I
> rebooted each time): the plural version generates the file
> /var/run/qubes-service/qubes-updates-proxy but it has zero size. Is this
> normal? And this file  /lib/systemd/system/qubes-updates-proxy.service
> you mention does simply not exist.Any hints?
> 

The service is the plural. I mumbled the singular.
Yes, it's normal to have a zero size file.
I dont know why you wouldnt have the service file - it comes with
qubes-core-agent-networking. You are looking in the qube, not in dom0?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190405000918.u6jsvpxhggtsid5t%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] split pgp not working in debian 9 vms

[J.M. Porup]

On Fri, Apr 05, 2019 at 12:25:30AM +0100, unman wrote:
> On Thu, Apr 04, 2019 at 10:52:09AM -0400, J.M. Porup wrote:
> > hi,
> > 
> > Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms.
> > 
> > split pgp works to sign documents from the email vm:
> > 
> > qubes-gpg-client-wrapper --clearsign foo.txt
> > 
> > but does not work to encrypt documents/emails:
> > 
> > /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt
> > 
> > which returns the error message:
> > 
> > gpg: cannot open '/dev/tty': No such device or address
> > 
> > I've been tinkering with this for several days, and am not finding a
> > solution. Why is split pgp working for signing, but not encrypting?
> 
> Add --batch or put this in your gpg.conf

thanks. adding --batch gives me the following error:

/usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt --batch 
foo.txt

gpg: no valid addressees
gpg: [stdin]: encryption failed: No user ID

For some reason qubes-gpg-client-wrapper can find my signing subkey
but not the encryption subkey.

ideas?

thanks
jmp

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190404235128.q336wzwgw7ouo6jb%40fastmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't Start Network, V4

[unman]

On Thu, Apr 04, 2019 at 05:13:03AM -0700, Ray Joseph wrote:
> unman
> 
> Thank you for the trip through the qube.  Currently, sys-net is still not 
> working.  I have tried both strict and not.  And I have rebooted also 
> rebooted after the change.
> 
> What looks odd is under sys-net device, the wireless card number is 02:00.0 
> and reports my card.  The error message states 00:14.0 which is called out in 
> the device as USB controller.
> 
> This appears to mean it is trying to use the USB for the network IF.  
> 
> Any suggestions?
> 

I recall using an Acer where to get the wifi working I had to add the
card-reader to sys-net also.
Try adding 00:14.0 to sys-net, and then set no-strict on that device
too.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190404233228.bz2fa3aknqefvcpx%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] split pgp not working in debian 9 vms

[unman]

On Thu, Apr 04, 2019 at 10:52:09AM -0400, J.M. Porup wrote:
> hi,
> 
> Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms.
> 
> split pgp works to sign documents from the email vm:
> 
> qubes-gpg-client-wrapper --clearsign foo.txt
> 
> but does not work to encrypt documents/emails:
> 
> /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt
> 
> which returns the error message:
> 
> gpg: cannot open '/dev/tty': No such device or address
> 
> I've been tinkering with this for several days, and am not finding a
> solution. Why is split pgp working for signing, but not encrypting?
> 
> Any ideas?
> 
> thanks!
> 
> jmp
> 
> -- 
> J.M. Porup
> www.JMPorup.com
> 

Add --batch or put this in your gpg.conf

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190404232530.kkxu3rmgibsvyxa3%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Device Manager makes problems

[evo]

no effects, so it doesn't restart, but shows no error


On 4/4/19 9:48 PM, awokd wrote:
> Try to restart it per the other thread today:
> 
> $ systemctl --user restart qubes-widget@qui-devices.service
> 
> 
> 
> evo wrote on 4/4/19 5:59 PM:
>> i can just manage the problem over making it manualy, there i have no
>> problem to attach and detach devices, but the device manager shows NO
>> remark.
>>
>> On 4/4/19 7:54 PM, evo wrote:
>>> now, after reboot, i can not mount nothing.
>>> it shows me that device is mounted, but the device manager shows nothing
>>> about the new device (in that case an USB stick)
>>>
>>> On 4/4/19 6:37 PM, evo wrote:
 Hi!

 Since some time device manager makes some strange problems.
 I can mount some USB-Stick, but if i want to unmount it, it shows me,
 that nothing is mounted. So i unmount it in the VM itself and reboot
 the
 USB-VM. Then it can mount something again.

 Now it shows me even an old USB-Stick i already unmounted, even after
 reboot.

 Best regards!
 evo

>>
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f4ac3f6-dd85-9294-f9df-385f791638e6%40aliaks.de.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Update checking over clearnet instead of Tor?

[Lorenzo Lamas]

Thanks unman!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/732065ea-8c90-43ab-ae72-cacd3c4ee220%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Device Manager makes problems

[Lorenzo Lamas]

Try updating to qubes-desktop-linux-manager 4.0.17 in current-testing

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f95863bf-c896-4ef4-88f2-66621f507eec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] "Qubes Devices" widget not working anymore

[Lorenzo Lamas]

Try updating to qubes-desktop-linux-manager 4.0.17 in current-testing.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a560d9f-dd2d-46d5-ba57-10035a11065c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: off topic - invite codes to 'riseup'

[g . machado1]

On Thursday, April 4, 2019 at 3:19:10 PM UTC-3, robsonsil...@gmail.com wrote:
> Me to. If anyone has a rise up invite I will be thankful in advance. 
> 
> :)

can some one send me a invite to riseUp too? thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d843e0d1-08b8-40e2-a855-9e04dd979167%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Audio Recording

['awokd' via qubes-users]

solworth%uic.edu via qubes-users wrote on 4/4/19 1:58 PM:

I want to record lectures, both audio and slides. I've installed open broadcast 
software, and it works well if the microphone is working.

I haven't gotten the microphone to work reliably in Qubes 4.0. My question is:

 1. What are the steps to make the microphone work and attach it to a 
app-vm?
 2. Is this scriptable?

I have a thinkpad t580 and I'm using i3wm.


All you should have to do is use the Device Widget (with a yellow 
square) to connect the dom0:mic to an AppVM.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a7bf699e-a74f-9aad-41a7-a93cad032b19%40danwin1210.me.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes 4 boot stuck at: "[ OK ] Reached target Basic System. "

['awokd' via qubes-users]

cube...@tutamail.com wrote on 4/4/19 6:32 PM:


Hi,
Yes, I've tried the command "vgchange -ay" and it gives me error message:
"Check of pool qubes_dom0/pool00 failed (status:1). Manual repair required!
1 logical volume(s) in volume group "qubes_dom0" now active. "

That single active volume is 'swap'.
All other lv'sn (which I have 86) have "LV Status" set to "NOT available", and 
I can't turn them back to active. Also vgchange wasn't able to activate them.

Is there any other way to to get to the lv's of the LUKS encrypted qubes disk?

  Are there are any dedicated LUKS / LVM2 recovery tools (somebody mentioned 
'scalpel' but I have't tried it yet)?
I would be grateful for any hints into good direction of retrieving data from 
my luks encrypted qubes disk.


You can try qtpie's procedure in 
https://www.mail-archive.com/qubes-users@googlegroups.com/msg19011.html.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f41e094-a8b3-09f5-d372-bbd8b8555ca3%40danwin1210.me.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes 4 boot stuck at: "[ OK ] Reached target Basic System. "

[cubecub]

Apr 3, 2019, 8:47 PM by qubes-users@googlegroups.com:

> cube...@tutamail.com >  wrote on 4/3/19 6:26 PM:
>
>> Thank you for your suggestion. I have given it a try but unfortunately the 
>> systems hasn't yet been restored. (I'm guessing you referred to the 
>> following commands to enter rescue mode: pkill -9 anaconda;  anaconda 
>> --rescue; )
>>
>> I also tried mounting my Qubes disk in LinuxMint, using commands:
>> cryptsetup luksOpen /dev/sda2 qubes-disk;
>> then pvscan, pvdisplay, vgscan, vgdisplay, lvscan, lvdisplay.
>>
>> These allowed me to see logical structure of my qubes_dom0 volumes, volumes 
>> representing AppVM, but I was unsuccessful mounting these volumes to get 
>> access to the data.
>> Comman 'lvscan' shows LV status next to each volumes, and  only 'swap' was 
>> marked as active. Everything else was 'NOT active', including 'root', 
>> 'pool00', and AppVM volumes.
>>
>> Do you, or anybody else, have any idea how to proceed? I must recover the 
>> data. I hope they didn't get corrupted, only the access point has gone 
>> missing.
>>
> You're in the right area, but I don't see a "vgchange -ay" in your list of 
> commands?
>

Hi, 
Yes, I've tried the command "vgchange -ay" and it gives me error message:
"Check of pool qubes_dom0/pool00 failed (status:1). Manual repair required!
1 logical volume(s) in volume group "qubes_dom0" now active. "

That single active volume is 'swap'. 
All other lv'sn (which I have 86) have "LV Status" set to "NOT available", and 
I can't turn them back to active. Also vgchange wasn't able to activate them. 

Is there any other way to to get to the lv's of the LUKS encrypted qubes disk?

 Are there are any dedicated LUKS / LVM2 recovery tools (somebody mentioned 
'scalpel' but I have't tried it yet)? 
I would be grateful for any hints into good direction of retrieving data from 
my luks encrypted qubes disk. 

Thank you.


>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to > qubes-users+unsubscr...@googlegroups.com 
> > .
> To post to this group, send email to > qubes-users@googlegroups.com 
> > .
> To view this discussion on the web visit > 
> https://groups.google.com/d/msgid/qubes-users/70a61521-d7dc-9e17-eae1-7872d2e79...@danwin1210.me
>  
> >
>  .
> For more options, visit > https://groups.google.com/d/optout 
> > .
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/Lbdbxds--3-1%40tutamail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: off topic - invite codes to 'riseup'

[robsonsilvadasilva]

Me to. If anyone has a rise up invite I will be thankful in advance. 

:)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ac95ad4e-dca7-40e1-a284-bcc10914624d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] "Qubes Devices" widget not working anymore

[g80vmgmsqw]

john.e.ma...@gmail.com:
> For no apparent reason, when I plug a USB flash drive into my computer (Qubes 
> 4.0) the Qubes Devices widget in the upper right no longer displays the 
> device. When I plug in the flash drive the system presents multiple black 
> popups indicating the drive is available, but nothing shows in Qubes Devices.
> 
> I'm using a USB qube called sys-usb, and this function used to work 
> perfectly. 
> 
> Any suggestions would be greatly appreciated.
> 
> Thanks.
> John
> 

This happens often for me.  For some reason the UI seems to freeze.  Try
running, in a terminal in Dom0:

$ systemctl --user restart qubes-widget@qui-devices.service

Does that solve the issue?  If so, maybe you should make a desktop
shortcut for that command--at least until the qui-devices widget is more
stable.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/654805a4-2bdf-8dfe-b94d-64f16517c767%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Device Manager makes problems

[evo]

i can just manage the problem over making it manualy, there i have no
problem to attach and detach devices, but the device manager shows NO
remark.

On 4/4/19 7:54 PM, evo wrote:
> now, after reboot, i can not mount nothing.
> it shows me that device is mounted, but the device manager shows nothing
> about the new device (in that case an USB stick)
> 
> On 4/4/19 6:37 PM, evo wrote:
>> Hi!
>>
>> Since some time device manager makes some strange problems.
>> I can mount some USB-Stick, but if i want to unmount it, it shows me,
>> that nothing is mounted. So i unmount it in the VM itself and reboot the
>> USB-VM. Then it can mount something again.
>>
>> Now it shows me even an old USB-Stick i already unmounted, even after
>> reboot.
>>
>> Best regards!
>> evo
>>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/718f7622-0a14-c22b-e453-acde88cb6740%40aliaks.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Device Manager makes problems

[evo]

now, after reboot, i can not mount nothing.
it shows me that device is mounted, but the device manager shows nothing
about the new device (in that case an USB stick)

On 4/4/19 6:37 PM, evo wrote:
> Hi!
> 
> Since some time device manager makes some strange problems.
> I can mount some USB-Stick, but if i want to unmount it, it shows me,
> that nothing is mounted. So i unmount it in the VM itself and reboot the
> USB-VM. Then it can mount something again.
> 
> Now it shows me even an old USB-Stick i already unmounted, even after
> reboot.
> 
> Best regards!
> evo
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eb49683a-9da8-ab8b-2c2c-f2d008c57c5a%40aliaks.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Device Manager makes problems

[evo]

Hi!

Since some time device manager makes some strange problems.
I can mount some USB-Stick, but if i want to unmount it, it shows me,
that nothing is mounted. So i unmount it in the VM itself and reboot the
USB-VM. Then it can mount something again.

Now it shows me even an old USB-Stick i already unmounted, even after
reboot.

Best regards!
evo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2247673c-f811-125c-4830-cc4566f67ee6%40aliaks.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] "Qubes Devices" widget not working anymore

[john . e . maher]

For no apparent reason, when I plug a USB flash drive into my computer (Qubes 
4.0) the Qubes Devices widget in the upper right no longer displays the device. 
When I plug in the flash drive the system presents multiple black popups 
indicating the drive is available, but nothing shows in Qubes Devices.

I'm using a USB qube called sys-usb, and this function used to work perfectly. 

Any suggestions would be greatly appreciated.

Thanks.
John

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2eca73b-e7f3-4a4a-ac32-9dca7552e664%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] split pgp not working in debian 9 vms

[J.M. Porup]

hi,

Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms.

split pgp works to sign documents from the email vm:

qubes-gpg-client-wrapper --clearsign foo.txt

but does not work to encrypt documents/emails:

/usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt

which returns the error message:

gpg: cannot open '/dev/tty': No such device or address

I've been tinkering with this for several days, and am not finding a
solution. Why is split pgp working for signing, but not encrypting?

Any ideas?

thanks!

jmp

-- 
J.M. Porup
www.JMPorup.com

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190404145208.4hxkwxlsnmkvpizz%40fastmail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Audio Recording

[solworth%uic.edu via qubes-users]

I want to record lectures, both audio and slides. I've installed open broadcast 
software, and it works well if the microphone is working.

I haven't gotten the microphone to work reliably in Qubes 4.0. My question is:

1. What are the steps to make the microphone work and attach it to a app-vm?
2. Is this scriptable?

I have a thinkpad t580 and I'm using i3wm.

thanks,
Jon

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6eb85a14-c2e3-47fc-9dc8-797c3736d098%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Question about LVM metadata and VM startup

[Chris Laprise]

On 4/4/19 7:56 AM, 'qubeslover' via qubes-users wrote:

Hello,
in the last two months I have had a problem with Qubes: the VMs startup process 
suddenly has became very slow (30 sec more or less). After looking at htop, I 
have been able to fix the problem modifying two options in lvm.conf:

"backup=0"

"archive=0"


Nevertheless the lvm config file states:

"# Think very hard before turning this off!"

Am I doing something of terribly wrong? Do I need to have an archive and a 
backup of LVM metadata?

Thanks in advance.


You can trim back the archives without deleting them all.

See issue 4927:

https://github.com/QubesOS/qubes-issues/issues/4927#issuecomment-479082579

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/76b1a1c0-442c-8e99-f367-a73eb902c2f3%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't Start Network, V4

[Ray Joseph]

unman

Thank you for the trip through the qube.  Currently, sys-net is still not 
working.  I have tried both strict and not.  And I have rebooted also rebooted 
after the change.

What looks odd is under sys-net device, the wireless card number is 02:00.0 and 
reports my card.  The error message states 00:14.0 which is called out in the 
device as USB controller.

This appears to mean it is trying to use the USB for the network IF.  

Any suggestions?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8ac1864-ad68-4d31-94c5-8f44b811ea22%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Question about LVM metadata and VM startup

['qubeslover' via qubes-users]

Hello,
in the last two months I have had a problem with Qubes: the VMs startup process 
suddenly has became very slow (30 sec more or less). After looking at htop, I 
have been able to fix the problem modifying two options in lvm.conf:

"backup=0"

"archive=0"


Nevertheless the lvm config file states:

"# Think very hard before turning this off!"

Am I doing something of terribly wrong? Do I need to have an archive and a 
backup of LVM metadata?

Thanks in advance.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/uS7nU6qjXHlLgGIu24MVszjgg_Tqim5vfmKGS5sUs1craec6IJteLzsGzY-qUTiHulkWQXJd5OGxncQIYq1TjdL1myQBQZfJoBzOGtM5288%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Hyperthreading on or off?

[brendan . hoar]

On Thursday, April 4, 2019 at 5:10:39 AM UTC-4, donoban wrote:
> On 4/3/19 11:54 PM, jr...@gmail.com wrote:
> > Looking for guidance on best practices for Qubes configuration:
> > given the vulnerabilities that have been reported with
> > Hyperthreading, it would seem to be a no-brainer that it should be
> > disabled, but I don’t see anyone coming right out and saying so.
> > Curious what this group thinks.
> 
> If you mean that disabling it could be too drastic solution or the
> risk in real-world conditions is too low, you could be right.
> 
> I read a paper about this where the attacker needed a lot of time
> while other VM was running an infinite loop using a SSL key (no real
> world behavior). So probably, in real conditions this is very very
> hard to exploit.
> 
> On the other side, Qubes security model and sense of existence is to
> guarantee that some compromised VM can not compromise other VMs or the
> whole system so just disabling could be reasonable too.

Makes sense to me: Qubes policy is to enforce safer defaults. User can modify, 
at their own risk.

Layperson's thought: perhaps there could be a CPU allocation strategy in Xen 
that allocates cores instead of logical CPUs? That may mitigate the security 
issue if the workload would benefit from Hyperthreading (aka SMT).

Whether this is significantly safer than the default logical CPU allocation w/ 
hyperthreading really depends upon the CPU cache strategies in effect, perhaps. 
E.g. contemporary Intel CPUs (packages?) have three or more levels of cache and 
some interesting cache topologies including cross-core caches...

Some support software-selectable caching strategies as well for parts of the 
cache.

Brendan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ee9eb691-cef1-46d9-a68c-67d8755f7ddf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Still don't understand how Debian-9 template is connected to Whonix templates

[thedigitalsaving]

Il giorno domenica 31 marzo 2019 17:04:11 UTC+2, jrsm...@gmail.com ha scritto:
> I'm finally going to just ask.  I've been searching for something to help me 
> understand this for months now.  Debian-9 template is somehow connected to 
> the Whonix templates, but not by the usual templateVM / appVM mechanism.  Can 
> someone please enlighten me or point me to the docs I've not found yet.

Hi thanks for the info. that's exactly what I was looking for.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e1f62b2c-9f4b-46ba-b0e6-63fcfb2e4d78%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes-mirage-firewall 0.5

[Thomas Leonard]

I'd like to announce the release of qubes-mirage-firewall 0.5:

  https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5

This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. 
It may be useful if you want something smaller or faster-to-start than the 
Linux-based sys-firewall. It requires around 32MB of RAM when running and 
requires 0.0s of CPU time to boot, according to "xl list". It does not need or 
use a hard-disk, and does not persist any state between reboots.

For installation instructions, see:

  https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md

For a blog post explaining the background for this, with a walk-through of the 
code (it's written in OCaml), see:

  http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

Changes since 0.4:

- Update to the latest mirage-net-xen, mirage-nat and tcpip libraries 
(@yomimono, @talex5, #45, #47). In iperf benchmarks between a client VM and 
sys-net, this more than doubled the reported bandwidth!

- Don't wait for the Qubes GUI daemon to connect before attaching client VMs 
(@talex5, #38). If the firewall is restarted while AppVMs are connected, qubesd 
tries to reconnect them before starting the GUI agent. However, the firewall 
was waiting for the GUI agent to connect before handling the connections. This 
led to a 10s delay on restart for each client VM. Reported by @xaki23.

- Add stub makefile for qubes-builder (@xaki23, #37).

- Update build instructions for latest Fedora (@talex5, #36). yum no longer 
exists. Also, show how to create a symlink for /var/lib/docker on build VMs 
that aren't standalone. Reported by @xaki23.

- Add installation instructions for Qubes 4 (@yomimono, @reynir, @talex5, #27).

- Use Ethernet_wire.sizeof_ethernet instead of a magic 14 (@hannesm, #46).

Note that the repository has moved from github.com/talex5 to the 
github.com/mirage organisation, as it's no longer just my personal project.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/727d1b86-a37b-4a65-a167-b128a23c8197%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Compiling kernel modules

[Zbigniew Łukasiak]

Thanks - it worked!

I hope a fix gets into the core system as I still have some problems
with the modem and I am not sure what I am doing wrong.

Z.

On Sat, Mar 30, 2019 at 5:07 PM awokd  wrote:
>
> Zbigniew Łukasiak wrote on 3/27/19 8:22 AM:
> > On Wed, Mar 27, 2019 at 12:50 AM 'awokd' via qubes-users
> >  wrote:
> >>
> >> Zbigniew Łukasiak wrote on 3/24/19 4:22 PM:
> >>> OK - so it looks that it does not work like that in QubesOS - i.e. by
> >>> default the  modules directory is read only. I found some instructions
> >>> on installing custom kernels in:
> >>> www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm.
> >>> I don't really need a new kernel - I just want to be able to compile
> >>> the modules - but this looks like a possible way out for me. So I did
> >>> cloned the fedora-29 template and:
> >>>
> >>> qvm-prefs  virt_mode hvm
> >>> qvm-prefs  kernel ''
> >>>
> >>> unfortunately now the cloned template does not start - so I cannot
> >>> continue with the instructions at the doc linked above. When I change
> >>> the kernel back to '4.14.103-1' it works fine.
> >>
> >> That should be all you have to do. Might be an issue with fedora-29.
> >> Does it work with 28?
> >
> > With 28 the same thing. It does not start -
> > /var/log/xen/console/guest-fedora-28-netvm-template.log is empty.
> >
>
> This worked for me with Debian-9:
>
> - create Standalone based from template, or clone existing template
> - leave PVH and kernel set, start terminal
> - sudo dkms autoinstall -k 4.9.0-8-amd64 [without this step I got either
> gibberish or no terminal window]
> - powerdown, set to HVM and kernel to none
> - start terminal
>
> I had the same problem you described while trying Fedora-28. I'm not
> sure how to run dkms in there because it complains about a missing
> dkms.conf. See also https://github.com/QubesOS/qubes-issues/issues/4920.
>
>


-- 
Zbigniew Lukasiak
https://medium.com/@zby
http://brudnopis.blogspot.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGL_UUvgadzPhpjTdQ8yODQf%3D-3B4eFXaZJ8WYH9ZvRUPRyV_A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Hyperthreading on or off?

[donoban]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 4/3/19 11:54 PM, jrsmi...@gmail.com wrote:
> Looking for guidance on best practices for Qubes configuration:
> given the vulnerabilities that have been reported with
> Hyperthreading, it would seem to be a no-brainer that it should be
> disabled, but I don’t see anyone coming right out and saying so.
> Curious what this group thinks.
> 

If you mean that disabling it could be too drastic solution or the
risk in real-world conditions is too low, you could be right.

I read a paper about this where the attacker needed a lot of time
while other VM was running an infinite loop using a SSL key (no real
world behavior). So probably, in real conditions this is very very
hard to exploit.

On the other side, Qubes security model and sense of existence is to
guarantee that some compromised VM can not compromise other VMs or the
whole system so just disabling could be reasonable too.
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlylygEACgkQFBMQ2OPt
CKV8kA/5ASGEuRBcUtCKgDiYtSgf3CwQ/VSKJkZiAd9AEbfmOhT+vIjAH3xRvZbU
fdpFr2GkDVrJX4BQAHnE20EtolNrPM4Grxp7CQrag1+z0YXdVyKE9TfuNNcVthWy
LURfN3jkoDPlV7Dfn4yVjhSVWx+BMvGQVGvusuWSD3aWhm6aC5sX4u1pyCrLgvLr
FQQk65mwjUklH+0mRwZGu4f4EUkRpmPleSmj22djV2yQ6RjuuRmQoDvrePvjrAZr
Nqf0CCccp/DXQMhlEpFvVgwgLNIHARrfX5CX21uH/obiVu/+zolPxyoMg4JCe3Np
auE31kK/8r0KUKvUGYX06VUs7cl/CGKbz1Y8VREezvebbXUIC4ORzumu2VOApNZj
GKHU4BAE9UEQW+5QO5rYbQiu9AaEUDr0BXBtQD8/HBwQV9H8YWMXBuM1cQpbdMMo
QQKzFB8CI8HQlQrCXmMIt03wDwDIH/kiPG0v5WZjk4tyfjvjbIJjX7NJ6/Q8JUet
yEQJEZWKLauoF+wRCUgcmg+HpYklswr6Qltcj4SLYc4x8v2LB/eyGwKBU3f9pJ9J
5V/dLIemzCHLEpUdY9GNuNxAXLdLk70FSCNLGWI3JJyRBkKpv/e5i+pUgsKzFx33
dFCrnh1FOmWgPIauAYA/mRAyvsnbEQjFJ+/Jb0hs5VTVFZETh9g=
=Ycgi
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/202a7a39-4b8d-2a89-0d2d-f353898103ef%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: dom0 environment lost on restore

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03/04/2019 12.59 PM, Ryan Tate wrote:
> On Wed, Apr 3, 2019 at 1:53 PM Ryan Tate 
> wrote:
> 
>> That said, I would just note --  Files from dom0 do traverse
>> other VMs in all the scenarios we've discussed. I expect in
>> backup/restore scenario they are encrypted as they transit, for
>> example, sys-usb. But I don't know of any reason this could not
>> be the case for random files you want to export -- you would
>> encrypt in gpg symmetric mode in dom0 with a passphrase (like a
>> backup) before qvm-move-to-vm to sys-usb or wherever and out into
>> the world.
> 
> As I should have suspected, using the official backup-restore
> tools does get you integrity checks (and perhaps better
> encryption?) compared to this more basic technique I outlined, so
> I'm not suggesting anyone run out and do it.
> 
> https://www.qubes-os.org/doc/backup-emergency-restore-v4/
> 

Right. The authentication check prior to decryption is critical to
protecting dom0.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlyluYsACgkQ203TvDlQ
MDDu2xAAnRBgCdSkgCTJs6nQs0gTy30ig/Ow5NqYTto6+pQfxOi1YYoQKAtzxNoH
bejIpw9BzxmtTpb2s7sJ5LfChQpONVMghpHhUxuweUSsMQpKWQRdFcl/AgLWDUPl
x65dqrl1rD/nvZ2gvyt0JxPgvLJGIrc7jnewa49t4GgMOqOihclfZ8DeeBjxONxB
5G3O3wJVDdsAhGGFmlzE2++WKTEm7ZxxW2H8RTWXVefPjxw9KiIpSIc+I2foIP8m
bohvihfoQutJ8xMUKvcGuWPArn1qdZnVxlHzkv6+LzeFNg5MgBefG493A0c75uu7
k/2aZM6zebVf8G+m4mZXWdL7jF5B+sjwVyLLp9gQPouYrckn/5Liks31KEd79gt3
5lUJdecvNLg5WwJ0O4FluMZ9qy9iX/lqI2IsSlux32Ag/roEWU98ntkcCMHIFsgQ
VGLk0sZVnn9gQsayNmnfUyWq26jwdTEmWhZaAst36x+vnOhP0SurY3oSTzDeOTVT
MzpEGaQfQiHsnZwC4WEgmPh4XO9dA46irxmAFoRKnzXopsA0wEAzlKO3wSHSPZa0
SDZdFJj+NrwUlJ+ru3GvtNFzg61vjdjgB6qq4AsZWjaRMtJ8T+1Vzirra8EzqLN1
ALDiQhfEwZJdF1nEs9C4zH7K2qU9WVDVafinyEh67tKFapaGEkM=
=kRPu
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/297d71f7-80ae-27a8-333f-780e88a41e30%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.