Re: [qubes-users] Shredding VM images

2018-08-22 Thread Jean-Philippe Ouellet
On Mon, Aug 20, 2018 at 6:06 PM, Steve Coleman  wrote:
> On 08/20/18 12:49, Chris Laprise wrote:
>>
>> On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
>>>
>>> What's the most convenient way to wipe these images? (I'm just talking
>>> about individual VM images)
>>
>>
>> To clarify on your first question: Since encryption is protecting the
>> storage pool that contains the disk images and it's on an SSD, the only sure
>> way to 'wipe' them in general (not just in the other-VMs-can't see the data
>> sense) is to throw away the encryption passphrase. This makes the entire
>> pool unusable, but if this seems like a problem you can configure more than
>> one storage pool each with its own encryption key+passphrase and store VMs
>> inside them.
>
>
> With an Opal 2.0 SSD you could create a "locking range" for the volatile
> portion of the VM file system, using sedutil-cli then when destroying the VM
> you simply run it with the '--eraseLockingRange' command which essentially
> flips the key bits associated with that region of the SSD. The logic built
> into the drive will ensure the erase of the physical memory mapped into that
> SSD's defined locking range[n].
>
> sedutil-cli
>
> --setupLockingRange <0...n>
> --enableLockingRange <0...n>
> --disableLockingRange <0...n>
> --eraseLockingRange <0...n>

...as implemented by a black box of untrustworthy firmware.

Don't be surprised when this is found to not work as hoped.

I wouldn't recommend relying on it for anything important.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BwbkAD__s_-qagjYmJCtVDL6btaJubh0cNQXRNUOtgSA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Shredding VM images

2018-08-20 Thread Steve Coleman

On 08/20/18 12:49, Chris Laprise wrote:
> On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
>> What's the most convenient way to wipe these images? (I'm just talking
>> about individual VM images)
>
> To clarify on your first question: Since encryption is protecting the
> storage pool that contains the disk images and it's on an SSD, the only
> sure way to 'wipe' them in general (not just in the other-VMs-can't see
> the data sense) is to throw away the encryption passphrase. This
> makes the entire pool unusable, but if this seems like a problem you can
> configure more than one storage pool each with its own encryption
> key+passphrase and store VMs inside them.


With an Opal 2.0 SSD you could create a "locking range" for the volatile 
portion of the VM file system, using sedutil-cli then when destroying 
the VM you simply run it with the '--eraseLockingRange' command which 
essentially flips the key bits associated with that region of the SSD. 
The logic built into the drive will ensure the erase of the physical 
memory mapped into that SSD's defined locking range[n].


sedutil-cli

--setupLockingRange <0...n>
--enableLockingRange <0...n>
--disableLockingRange <0...n>
--eraseLockingRange <0...n>



Re: [qubes-users] Shredding VM images

2018-08-20 Thread Chris Laprise

On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
> What's the most convenient way to wipe these images? (I'm just talking about
> individual VM images)

To clarify on your first question: Since encryption is protecting the 
storage pool that contains the disk images and it's on an SSD, the only 
sure way to 'wipe' them in general (not just in the other-VMs-can't see 
the data sense) is to throw away the encryption passphrase. This 
makes the entire pool unusable, but if this seems like a problem you can 
configure more than one storage pool each with its own encryption 
key+passphrase and store VMs inside them.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Shredding VM images

2018-08-20 Thread Chris Laprise

On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
> What's the most convenient way to wipe these images? (I'm just talking about
> individual VM images)
>
> I'm on Qubes 4.0, and I understand it's not that simple on SSDs, but what's the
> situation?


The SSD's firmware determines 100% whether or not discard/TRIM commands 
(generated when deleting files and VM volumes) cause data to be 
physically erased.


Qubes does not pass discard/TRIM to the SSD by default however, so you 
may want to enable that. https://www.qubes-os.org/doc/disk-trim/


The role discard does play in a default Qubes config is to deallocate 
blocks from the pool-- these blocks are effectively wiped as far as any 
future VM allocation is concerned (no domU VM can see the deallocated 
data even if it later gains control over the deallocated blocks).




> I see that /dev/mapper has a number of links to ../dm devices, these are
> encrypted, right? Where is the key stored? How is that stored on disk, and is
> it likely to leave fragments all over the drive?


In a default Qubes config, the ones prefixed with "qubes_dom0" are all 
encrypted. It is possible to install Qubes differently, however, so that 
these are not encrypted or use a different encryption scheme.


The key is normally stored in a LUKS disk header which itself gets 
unlocked when you enter a correct passphrase.




> Can a `shred -vzn 7` be done on these devices? Does it effectively erase the
> data?


It's doubtful that shred would be of much use on an SSD, because shred 
needs the drive to "rewrite data in-place" which SSDs almost never do.


The only thing that we know for sure protects your privacy with an SSD 
is encryption.




> I see that within /dev/mapper there's foo--private, foo--private--{0-9}+--back,
> and foo--private--snap. What's the difference between these? How are they
> created and used?


Unfortunately these are not well documented yet. The vm-foo-private-snap 
volumes are working-copy snapshots while the VM is running (IIRC this 
behavior is supposed to change for 4.1). The best docs on the storage 
layer currently appear to be:


https://www.qubes-os.org/doc/template-implementation/
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-storage.html




> Am I right in thinking that only the private images hold VM-specific states?
> What about foo--volatile?



The volatile volumes are swap space. They are deallocated when the VM is 
started/stopped.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

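The reply above makes two practical points: discard/TRIM only helps if it actually reaches the SSD, and in a default Qubes install it is not passed through. The script below is an added example (not code from this thread or from the Qubes project) that audits each layer of a LUKS + LVM-thin stack for discard pass-through by parsing the output of `lsblk -D`, `cryptsetup status` and `lvs -o lv_name,discards`. The device names `nvme0n1`, `luks-example` and `pool00` and the captured outputs are constructed for the demo; `audit_live` runs the same checks against the real commands and assumes a dom0 root shell.

```shell
#!/bin/sh
# Added example, not code from the thread or the Qubes project: audit whether a
# discard/TRIM issued for a deleted VM volume can actually reach the SSD
# through the LUKS + LVM-thin stack of a default Qubes dom0 install. Every
# layer has to forward discards; one layer that drops them means the "deleted"
# blocks are never reported to the drive, whatever its firmware would then do.

# Layers 1 and 2: from `lsblk -l -D -o NAME,DISC-GRAN`, does the named device
# advertise discard at all? A DISC-GRAN of 0B means no (this is what a dm-crypt
# mapping opened without --allow-discards reports).
layer_advertises_discard() {        # $1 = device name, stdin = lsblk output
    awk -v dev="$1" '$1 == dev && $2 != "0B" { found = 1 }
                     END { exit found ? 0 : 1 }'
}

# Layer 2, cross-checked: `cryptsetup status <mapping>` prints "flags: discards"
# only when the mapping was opened with --allow-discards (the discard option
# the Qubes disk-trim doc enables).
luks_allows_discards() {            # stdin = cryptsetup status output
    grep -Eq '^[[:space:]]*flags:.*discards'
}

# Layer 3: the thin pool's discard mode must be "passdown"; "nopassdown" frees
# space inside the pool but never tells the device underneath.
thin_pool_passes_discards() {       # $1 = pool LV name, stdin = lvs output
    awk -v pool="$1" '$1 == pool && $2 == "passdown" { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Run all three checks on captured output. Prints one line per layer and
# returns 0 only when the whole chain forwards discards.
check_discard_chain() {             # $1 disk, $2 luks mapping, $3 thin pool, $4-$6 captures
    disk="$1"; mapping="$2"; pool="$3"
    lsblk_out="$4"; status_out="$5"; lvs_out="$6"; rc=0
    if printf '%s\n' "$lsblk_out" | layer_advertises_discard "$disk"; then
        echo "disk  $disk: advertises discard"
    else
        echo "disk  $disk: no discard support"; rc=1
    fi
    if printf '%s\n' "$status_out" | luks_allows_discards &&
       printf '%s\n' "$lsblk_out" | layer_advertises_discard "$mapping"; then
        echo "luks  $mapping: discards allowed"
    else
        echo "luks  $mapping: discards NOT forwarded (opened without --allow-discards)"; rc=1
    fi
    if printf '%s\n' "$lvs_out" | thin_pool_passes_discards "$pool"; then
        echo "thin  $pool: passdown"
    else
        echo "thin  $pool: discards not passed down"; rc=1
    fi
    return "$rc"
}

# Live use in dom0 as root; the three names are placeholders, find yours with
# `lsblk` and `lvs`.
audit_live() {                      # $1 = disk, $2 = luks mapping, $3 = thin pool
    check_discard_chain "$1" "$2" "$3" \
        "$(lsblk -l -D -o NAME,DISC-GRAN)" \
        "$(cryptsetup status "$2")" \
        "$(lvs --noheadings -o lv_name,discards)"
}

# Constructed sample captures (device names made up). First the default state:
# the dm-crypt mapping was opened without discards, so lsblk shows 0B for it
# and cryptsetup status has no flags line.
SAMPLE_LSBLK_DEFAULT='NAME              DISC-GRAN
nvme0n1           512B
nvme0n1p2         512B
luks-example      0B
qubes_dom0-pool00 0B'
SAMPLE_STATUS_DEFAULT='/dev/mapper/luks-example is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p2
  mode:    read/write'
SAMPLE_LVS='  pool00          passdown
  root
  vm-work-private'

# The same system after the mapping was reopened with discards allowed.
SAMPLE_LSBLK_FIXED='NAME              DISC-GRAN
nvme0n1           512B
nvme0n1p2         512B
luks-example      512B
qubes_dom0-pool00 512B'
SAMPLE_STATUS_FIXED="$SAMPLE_STATUS_DEFAULT
  flags:   discards"

echo "== default install =="
check_discard_chain nvme0n1 luks-example pool00 \
    "$SAMPLE_LSBLK_DEFAULT" "$SAMPLE_STATUS_DEFAULT" "$SAMPLE_LVS" || echo "chain broken at one or more layers"
echo "== after enabling discards on the LUKS layer =="
check_discard_chain nvme0n1 luks-example pool00 \
    "$SAMPLE_LSBLK_FIXED" "$SAMPLE_STATUS_FIXED" "$SAMPLE_LVS" && echo "chain complete: discards reach the disk"
```

A complete chain only means the TRIM command reaches the drive; as the reply says, whether the firmware then physically erases anything is the drive's decision, which is why the thread's bottom line is still full-disk encryption plus destruction of the key.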


[qubes-users] Shredding VM images

2018-08-20 Thread tierlebu
What's the most convenient way to wipe these images? (I'm just talking about 
individual VM images)

I'm on Qubes 4.0, and I understand it's not that simple on SSDs, but what's the 
situation?

I see that /dev/mapper has a number of links to ../dm devices, these are 
encrypted, right? Where is the key stored? How is that stored on disk, and is 
it likely to leave fragments all over the drive?

Can a `shred -vzn 7` be done on these devices? Does it effectively erase the 
data?

I see that within /dev/mapper there's foo--private, foo--private--{0-9}+--back, 
and foo--private--snap. What's the difference between these? How are they 
created and used?

Am I right in thinking that only the private images hold VM-specific states? 
What about foo--volatile?
