Re: [qubes-users] The safest way to search in files on an external hard drive

2021-06-03 Thread Rusty Bird

Michael Singer:

> I am looking for a really secure way to use Qubes for searching not
> only a hard drive for file names, but for text that is in files.
> 
> The goal is to avoid an exploit in the searched files leading to a
> takeover of the hard drive by malware.
> 
> The total size of all my files is too large for me to put them all
> in one qube before searching for text in them.
> 
> Would it perhaps be possible to mount only a single partition of the
> hard drive into a qube, but not with write permissions, only read
> permissions?

Yes, e.g. like this:

$ qvm-block attach --ro destinationvm sys-usb:sda1

Then you can decrypt and mount the read-only /dev/xvdi in the
destination VM.

> I would do the search on command line, using "grep" for plain text
> files, "pdfgrep" for PDFs, and something for table files, databases,
> etc.
> 
> Is my idea feasible? And how secure would it be?

Sounds fine to me. But malicious content could still exploit the
destination VM, so consider attaching to a DisposableVM (after
switching off its networking).

If your partition is LUKS1[1] encrypted, Split dm-crypt[2] might be
convenient. Its default behavior is to attach the decrypted partition
to an offline DisposableVM:

$ qvm-block-split attach --ro sys-usb:sda1

[1] TODO: LUKS2 support
[2] https://github.com/rustybird/qubes-split-dm-crypt

Rusty

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YLjAMaVc8KFVSWSp%40mutt.
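
An added example, not part of the thread above: a small script for use inside the offline destination qube that refuses to continue unless the kernel reports the attached device as read-only, then searches with grep and pdfgrep as the original poster proposed. The function names and the `SYSFS` override are assumptions made for this example; `xvdi` is the device name from the reply.

```shell
#!/bin/sh
# Added example: run inside the offline destination qube after
# `qvm-block attach --ro ...`. Function names and the SYSFS override
# (used only so the check can be exercised without a real device)
# are assumptions of this example, not Qubes tooling.

SYSFS="${SYSFS:-/sys}"

# Succeed only if the kernel reports block device $1 (e.g. xvdi) as
# read-only. Returns 2 when the device is not present at all.
is_readonly() {
    dev=$1
    [ -r "$SYSFS/block/$dev/ro" ] || return 2
    [ "$(cat "$SYSFS/block/$dev/ro")" = "1" ]
}

# Print the paths under directory $1 whose content contains the fixed
# string $2. Plain text is handled by grep; PDFs by pdfgrep if installed.
search_tree() {
    dir=$1
    pattern=$2
    # -r recurse, -I skip binary files, -l names only, -F literal string
    grep -rIlF -- "$pattern" "$dir" 2>/dev/null || true
    if command -v pdfgrep >/dev/null 2>&1; then
        find "$dir" -type f -iname '*.pdf' \
            -exec pdfgrep -lF -- "$pattern" {} + 2>/dev/null || true
    fi
    return 0
}

# Typical use once the partition is attached (and decrypted, if needed):
#   is_readonly xvdi || { echo "xvdi is writable or missing" >&2; exit 1; }
#   sudo mount -o ro,noexec,nosuid,nodev /dev/xvdi /mnt
#   search_tree /mnt 'text to find'
```

The read-only check guards against attaching without `--ro` by mistake; it does not replace running the search in a DisposableVM, since the parsers can still be exploited by file content.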


[qubes-users] [HCL] ThinkPad T430

2021-06-03 Thread Sven Semmler

A dream has come true!

* ThinkPad T430
* Coreboot/Heads with TOTP & HOTP (Nitrokey)
* ME cleaned & disabled
* Qubes OS R4.0.4 all debian-minimal, memory optimized

Upgrades:

* i7-3740QM
* 16 GB RAM
* 2 TB SSD
* Intel Wireless 7260
* 1080p display

I'll be using this machine for a long long time. :-)

/Sven

--
 public key: https://www.svensemmler.org/2A632C537D744BC7.asc
fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7

---
layout:
  'hcl'
type:
  'laptop'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  Lenovo
model: |
  ThinkPad T430 (23497W9)
bios: |
  Heads-v0.2.0-1043
cpu: |
  Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz
cpu-short: |
  i7-3740QM
chipset: |
  Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)
chipset-short: |
  Ivy Bridge
gpu: |
  Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
gpu-short: |
  Integrated Graphics (HD 4000)
network: |
  Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 04)
  Intel Corporation Wireless 7260 (rev 73)
memory: |
  16148
scsi: |
  Samsung SSD 870  Rev: 1B6Q
  DVD-RW DS8A8SH   Rev: KU54
usb: |
  4
versions:

- works:
    'yes'
  qubes: |
    R4.0
  xen: |
    4.8.5-32.fc25
  kernel: |
    4.19.182-1
  remark: |

  credit: |
    Sven Semmler
  link: |
    FIXLINK

---

