Re: [qubes-users] Can someone pls help me troubleshoot why qvm-run --pass-io doesn't work with win7-template

2020-06-12 Thread xyzo
On Friday, June 12, 2020 at 7:38:42 PM UTC-4, unman wrote:
> On Fri, Jun 12, 2020 at 03:57:35PM -0700, xyzo wrote:
> > qubes version 4.0.
> > I need to copy files from win7-template to a Linux appvm. I was suggested 
> > to use (qvm-run --pass-io win7-template "type C:\n.pdf" > ./n.pdf)
> > To copy files from win7-template to dom0 then move it from dom0 to any 
> > destination appvm. Invoking this command in dom0 terminal, the cursor just 
> > hangs and nothing happens and I exit by ^C in terminal. Running it with 
> > --verbose parameter shows "Running win7-template C:\n.pdf" and it hangs. 
> > It's like it's not seeing that win7-template is already running.
> > 
> > I discovered that the command only works when win7-template is powered off. 
> > Then invoking above command will power on win7-template and successfully 
> > execute.
> > 
> > PS: I can copy files from any Linux appvm to the win7-template 
> > QubesIncoming folder by right-clicking the file I want to copy to 
> > win7-template and selecting "copy to another Vm" this works fine to copy 
> > any file from Linux appvm over to win7-template. But not the other way 
> > around.
> > 
> > So I'm not sure why the qvm-run --pass-io hangs when win7-template is 
> > already running. Any help is appreciated. Thanks
> > 
> 
> Why are you doing this?
> In Windows, right click on the file, Select "Send to", and there are the
> options to copy or move to another qube.
> 
> As to your "problem", on my windows templates with QWT installed, I do
> not see the behaviour you report. Simply, it does not hang, but it does
> not provide the output that you want.

Man, thank you so much. I was totally not aware of the send-to option. Somehow 
I missed that info in the windows doc. The Send-to option worked perfectly. 
For a long time I thought there was no way we can copy files through the 
windows gui. But now I know, thanks.

Out of curiosity, what was the command you entered in dom0 and what was its 
output? 

It would be nice to learn if there's a way we could copy files from windows via 
terminal without having to interact directly with Windows gui.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c2e8b118-3161-4a5b-a924-9d1cdba6a18ao%40googlegroups.com.


Re: [qubes-users] Can someone pls help me troubleshoot why qvm-run --pass-io doesn't work with win7-template

2020-06-12 Thread unman
On Fri, Jun 12, 2020 at 03:57:35PM -0700, xyzo wrote:
> qubes version 4.0.
> I need to copy files from win7-template to a Linux appvm. I was suggested to 
> use (qvm-run --pass-io win7-template "type C:\n.pdf" > ./n.pdf)
> To copy files from win7-template to dom0 then move it from dom0 to any 
> destination appvm. Invoking this command in dom0 terminal, the cursor just 
> hangs and nothing happens and I exit by ^C in terminal. Running it with 
> --verbose parameter shows "Running win7-template C:\n.pdf" and it hangs. It's 
> like it's not seeing that win7-template is already running.
> 
> I discovered that the command only works when win7-template is powered off. 
> Then invoking above command will power on win7-template and successfully 
> execute.
> 
> PS: I can copy files from any Linux appvm to the win7-template QubesIncoming 
> folder by right-clicking the file I want to copy to win7-template and 
> selecting "copy to another Vm" this works fine to copy any file from Linux 
> appvm over to win7-template. But not the other way around.
> 
> So I'm not sure why the qvm-run --pass-io hangs when win7-template is already 
> running. Any help is appreciated. Thanks
> 

Why are you doing this?
In Windows, right click on the file, Select "Send to", and there are the
options to copy or move to another qube.

As to your "problem", on my windows templates with QWT installed, I do
not see the behaviour you report. Simply, it does not hang, but it does
not provide the output that you want.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200612233835.GA8841%40thirdeyesecurity.org.


[qubes-users] Can someone pls help me troubleshoot why qvm-run --pass-io doesn't work with win7-template

2020-06-12 Thread xyzo
qubes version 4.0.
I need to copy files from win7-template to a Linux appvm. I was suggested to 
use (qvm-run --pass-io win7-template "type C:\n.pdf" > ./n.pdf)
To copy files from win7-template to dom0 then move it from dom0 to any 
destination appvm. Invoking this command in dom0 terminal, the cursor just 
hangs and nothing happens and I exit by ^C in terminal. Running it with 
--verbose parameter shows "Running win7-template C:\n.pdf" and it hangs. It's 
like it's not seeing that win7-template is already running.

I discovered that the command only works when win7-template is powered off. 
Then invoking above command will power on win7-template and successfully 
execute.

PS: I can copy files from any Linux appvm to the win7-template QubesIncoming 
folder by right-clicking the file I want to copy to win7-template and selecting 
"copy to another Vm" this works fine to copy any file from Linux appvm over to 
win7-template. But not the other way around.

So I'm not sure why the qvm-run --pass-io hangs when win7-template is already 
running. Any help is appreciated. Thanks

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18e41e96-3a97-4850-9939-bdbd8b510dc8o%40googlegroups.com.


Re: [qubes-users] How to add multiple virtual hard drive to a StandaloneHVM

2020-06-12 Thread Lem Ming
Thank you Emily and dhorf-hfr...@hashmail.org for your useful information. 
I learned quite a bit more about Qubes OS and ZFS.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cd6bf3c3-5304-4083-a282-235016158b20o%40googlegroups.com.


Re: [qubes-users] Re: Does qubes protect against all firmware viruses ?

2020-06-12 Thread tomas . schutz707


On Friday, June 12, 2020 at 10:10:25 PM UTC+2, Steve Coleman wrote:
>
>
> That being said, it is extremely difficult to reflash your BIOS when 
> running a general OS in the normal user context, and even more difficult 
> when running a virtualized system such as Qubes. So, if you can prevent the 
> machine from booting from any external devices then you have just raised 
> the bar for that adversary. 
>

Wait what about internal devices ? Like disk. I can't disable NVME in BIOS 
unfortunately. Couldn't bios be reflashed from disk, before bootup ? So you 
say even Qubes doesn't protect against firmware viruses, if they are 
already there. As i am running main Windows and wanted to use Qubes from 
rom cd in external mechanic. So if i had already firmware virus, even 
that's very unlikely. Qubes wouldn't protect me in such scenario. Correct ?

Then probably best idea would be to use my old computer, disconnect disks 
and use one of the Linuxes people above suggested just for online banking. 
And use dedicated mouse and keyboard for that and external cd rom.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ee3776b-f616-41fe-ba4c-8813012f017ao%40googlegroups.com.


Re: [qubes-users] Re: Does qubes protect against all firmware viruses ?

2020-06-12 Thread Steve Coleman
On Fri, Jun 12, 2020 at 2:35 PM  wrote:

> Well that's the problem indeed, knowing if you are clean from firmware
> viruses in the first place. But i don't suspect i have firmware viruses and
> i have new pc. It takes a lot of time and money and no one would bother to
> infect specific user. I am no one. It could be used in attacks on multiple
> people, or if already some firmware virus existed someone could use it i
> guess, i don't really know. Even probability is low. I am just acting
> responsibly about this. If i can use Qubes, then why not right. So if i use
> Qubes, using ROM optical disk in external mechanic. So i should be
> generally safe, (nothing is perfect), even if i got firmware viruses
> afterwards ? I can't unplug disks and disable all of them in BIOS, i am
> using NVME and it is blocked by GPU vertical mount and it was insane to
> plug it in the first place and doing that each time, it is not feasible. So
> if i boot from live CD, not sure if viruses on hard disks could do
> anything. And i won't be booting from Windows when live CD is in and it
> would be ROM and i'll use external CD mechanic.
>
> Also i don't know what i was saying previously, but i can't dedicate old
> pc for banking at least with Qubes, it doesn't work there. So i would be
> using it on my main PC. But if i used other Linux on my old pc and
> dedicated it only for online banking, that should be safe right ? Even if i
> had it long time, so i could have potentially some firmware viruses, that
> could impact security in future. Even if i had them and they didn't do
> anything so far. I don't know.
>

There is not much one can do to protect against firmware viruses other than
to try and prevent situations where someone can reflash your BIOS in the
first place. Since the BIOS is initialized even before the software/OS
gains control the malware code would already be resident in memory before
the DVD booted that read-only media. The DVD drive can not even operate
until the system initializes the BIOS that understands how the DVD drive
even works, so if someone was able to reflash the eeprom then game-over
even before the OS is even loaded. Any software loaded after the malicious
code is in memory is of course subject to what that code wants to do with
your system in the first place.

That being said, it is extremely difficult to reflash your BIOS when
running a general OS in the normal user context, and even more difficult
when running a virtualized system such as Qubes. So, if you can prevent the
machine from booting from any external devices then you have just raised
the bar for that adversary.  If you can prevent them from gaining physical
access to the computer internals, as to attach a JTAG device, then that
raises the bar even higher. Chances are the adversary would need physical
access to the machine to pull this off, which means that any three letter
agency or foreign government would have to want you really really bad before
they put someone to task to rig your physical machine like that. Yes, it's
possible, but there are easier ways to do what they want than reflashing
BIOS so this scenario is unlikely unless you are one very important person.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ5FDni_eF-YtLtxNHMWh-o08-EaLNd3mLJsfhz_1u6roMJnPQ%40mail.gmail.com.


[qubes-users] Re: Does qubes protect against all firmware viruses ?

2020-06-12 Thread tomas . schutz707
Well that's the problem indeed, knowing if you are clean from firmware 
viruses in the first place. But i don't suspect i have firmware viruses and 
i have new pc. It takes a lot of time and money and no one would bother to 
infect specific user. I am no one. It could be used in attacks on multiple 
people, or if already some firmware virus existed someone could use it i 
guess, i don't really know. Even probability is low. I am just acting 
responsibly about this. If i can use Qubes, then why not right. So if i use 
Qubes, using ROM optical disk in external mechanic. So i should be 
generally safe, (nothing is perfect), even if i got firmware viruses 
afterwards ? I can't unplug disks and disable all of them in BIOS, i am 
using NVME and it is blocked by GPU vertical mount and it was insane to 
plug it in the first place and doing that each time, it is not feasible. So 
if i boot from live CD, not sure if viruses on hard disks could do 
anything. And i won't be booting from Windows when live CD is in and it 
would be ROM and i'll use external CD mechanic. 

Also i don't know what i was saying previously, but i can't dedicate old pc 
for banking at least with Qubes, it doesn't work there. So i would be using 
it on my main PC. But if i used other Linux on my old pc and dedicated it 
only for online banking, that should be safe right ? Even if i had it long 
time, so i could have potentially some firmware viruses, that could impact 
security in future. Even if i had them and they didn't do anything so far. 
I don't know. 

On Tuesday, June 9, 2020 at 12:51:41 PM UTC+2, Mark Fernandes wrote:
>
> I recently did a personal study that covered at least some of these 
> issues. Ppl can also contribute to the study which is now public and in the 
> form of a wiki.
>
> On Monday, 8 June 2020 19:00:17 UTC+1, tomas.s...@gmail.com wrote:
>>
>> ... I know firmware viruses are rare, but still better safe than sorry. I 
>> am looking for safe OS to do online banking from. If i use live usb of 
>> QUBES, does that protect me against all firmware viruses ? ... 
>>
>
> My opinion is that it probably doesn't when you suspect you may already 
> have firmware viruses. If you know you are clean (including that the USB 
> memory stick is also clean from firmware malware [because USB memory 
> sticks can also have firmware malware]), then you'll probably be safe if 
> you only use Qubes.
>
> A live DVD of Qubes is likely more safe than a live USB memory stick of 
> Qubes—see here.
>
> For users not literate with the technical aspects of computing, who want 
> to do online banking securely and safely, I would advise purchasing a brand 
> new Chromebook using random physical selection at a physical computer 
> store. Chromebooks appear to be quite secure in comparison to many other 
> kinds of devices generally labelled as computers (I don't include 
> smartphones in this comparison, and I don't know so much about which 
> smartphone one should choose for online banking).
>
> If you are more technically minded, and want to do online banking, it 
> still might be the case that other "better" solutions are inappropriate for 
> you, in the sense that they are all "overkill" solutions. Banks often 
> refund monies stolen through fraud... However, if you are more technically 
> minded, it probably is a good idea to look through the aforementioned study 
> (the contents page can be accessed here).
>
> Some info on the security of BIOS/UEFI firmware (from the study) is 
> documented here.
>
>> Also i can't disable all my disks in BIOS, could that be problem ?  
>> So my main OS can't compromise Qubes. ... 
>>
>
> Would recommend physical disconnection of unused disks when dual-booting. 
> As I think mentioned elsewhere in these mailing lists, you can do that by 
> just taking out the power cable of the respective disks. See here for more 
> information.
>
>> ... I wanted to dedicate my old pc for online banking, but Qubes doesn't 
>> work there.
>>
>
> Might be a good idea to do such dedication. It can be good from a security 
> perspective because of the isolation of the device from other systems you 
> use. You could consider using the freely-available 

[qubes-users] Re: Does qubes protect against all firmware viruses ?

2020-06-12 Thread tomas . schutz707
Well that's the problem indeed, knowing if you are clean from firmware 
viruses in the first place. But i don't suspect i have firmware viruses and 
i have new pc. It takes a lot of time and money and no one would bother to 
infect specific user. I am no one. It could be used in attacks on multiple 
people, or if already some firmware virus existed someone could use it i 
guess, i don't really know. Even probability is low. I am just acting 
responsibly about this. If i can use Qubes, then why not right. So if i use 
Qubes, using ROM optical disk in external mechanic. So i should be 
generally safe, (nothing is perfect), even if i got firmware viruses 
afterwards ? And do i even have to unplug hard disks then ? I can do that, 
if it is potential security risk, i don't bank that often. Although it is 
annoying to physically unplug them each time. But i understand you want to 
reduce attack surfaces. But if i boot from live CD, not sure if viruses on 
hard disks could do anything. And i won't be booting from Windows when live 
CD is in and it would be ROM and i'll use external CD mechanic. 

On Tuesday, June 9, 2020 at 12:51:41 PM UTC+2, Mark Fernandes wrote:
>
> I recently did a personal study that covered at least some of these 
> issues. Ppl can also contribute to the study which is now public and in the 
> form of a wiki.
>
> On Monday, 8 June 2020 19:00:17 UTC+1, tomas.s...@gmail.com wrote:
>>
>> ... I know firmware viruses are rare, but still better safe than sorry. I 
>> am looking for safe OS to do online banking from. If i use live usb of 
>> QUBES, does that protect me against all firmware viruses ? ... 
>>
>
> My opinion is that it probably doesn't when you suspect you may already 
> have firmware viruses. If you know you are clean (including that the USB 
> memory stick is also clean from firmware malware [because USB memory 
> sticks can also have firmware malware]), then you'll probably be safe if 
> you only use Qubes.
>
> A live DVD of Qubes is likely more safe than a live USB memory stick of 
> Qubes—see here.
>
> For users not literate with the technical aspects of computing, who want 
> to do online banking securely and safely, I would advise purchasing a brand 
> new Chromebook using random physical selection at a physical computer 
> store. Chromebooks appear to be quite secure in comparison to many other 
> kinds of devices generally labelled as computers (I don't include 
> smartphones in this comparison, and I don't know so much about which 
> smartphone one should choose for online banking).
>
> If you are more technically minded, and want to do online banking, it 
> still might be the case that other "better" solutions are inappropriate for 
> you, in the sense that they are all "overkill" solutions. Banks often 
> refund monies stolen through fraud... However, if you are more technically 
> minded, it probably is a good idea to look through the aforementioned study 
> (the contents page can be accessed here).
>
> Some info on the security of BIOS/UEFI firmware (from the study) is 
> documented here.
>
>> Also i can't disable all my disks in BIOS, could that be problem ?  
>> So my main OS can't compromise Qubes. ... 
>>
>
> Would recommend physical disconnection of unused disks when dual-booting. 
> As I think mentioned elsewhere in these mailing lists, you can do that by 
> just taking out the power cable of the respective disks. See here for more 
> information.
>
>> ... I wanted to dedicate my old pc for online banking, but Qubes doesn't 
>> work there.
>>
>
> Might be a good idea to do such dedication. It can be good from a security 
> perspective because of the isolation of the device from other systems you 
> use. You could consider using the freely-available CloudReady OS, which is 
> something like ChromeOS (used on Chromebooks) for non-Chromebook devices. 
> I've successfully installed CloudReady on an old Toshiba laptop.
>
>
> Kind regards,
>
>
> Mark Fernandes
>


[qubes-users] Re: Black screen after GUI during install attempt.

2020-06-12 Thread 'Josh McNattin' via qubes-users
I've worked out what that screen is for, apparently it's analyzing the 
hardware, I just let it run for over twenty minutes...I'm guessing that 
what I have is too new for that release, then again I'm seeing similar 
setups in the Hardware Compatibility List that are using Qubes OS 4.0.  I 
suppose I'll go through with whipping up the 4.03 ISO and see if anything 
changes.

On Friday, June 12, 2020 at 8:38:36 AM UTC-5, Josh McNattin wrote:
>
> I've had Qubes installed previously on my old motherboard, an ASRock 
> Fatal1ty Z97X, now I'm seeing if it'll run on my new ASRock Taichi x570. 
> I'm able to boot from USB via legacy, I get the first GUI install screen 
> menu, but when I select the option to install, I get an eternal black 
> screen with a blinking underscore cursor, no other text prior to this. This 
> USB stick is the same one I used to successfully install 4.01 previously on 
> my old motherboard (I know 4.03 is the latest version, I'd rather update 
> from the OS when it's installed). I've looked at several threads about 
> black screens during install, none of them seem to fit with what I'm 
> experiencing. Thanks!
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f55d749-515e-408d-bda6-6044969ff259o%40googlegroups.com.


[qubes-users] Getting started with Qubes (in steps)

2020-06-12 Thread E. Foster
Greetings, 

I've been having a lot of difficulty over the past year with Qubes and I 
wanted to know if I could get some help with the parameters, and 
dependencies. 

*1 set up the network connections*
 i.e. Wifi

*2 set up sys-firewall*

*3 set up the sys-net*
to use Wifi and Firewall

*4 set up  sys-Whonix-gw*
to use the wifi, firewall and/sys-net
 
And a random DSVM that I could use to visit the net for instance.  

***With the most general/secure parameters so that my system works. 
Please be mindful, some of the automatic default settings might have 
changed while I was tinkering with the Qubes OS. 

In the past I worked on making clones but due to the dependencies I can't 
delete/fix some of the VMs. 

*Question:*

Would you know if this is the proper sequence of setting to set up a Qubes 
system with the respective dependencies? 

*and...*

Or perhaps, a hyperlink to a post where I could copy the commands or steps 
to get these basic VM/services and my system working-online. 

Once, secured and connected, I can update all the applications included in 
the Qubes full install version.  

Please forgive me, if I am not posting in sequence in other topical 
threads.  

Thanks, 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d24ec21-dbf3-44a9-b43a-042fb4266297o%40googlegroups.com.


[qubes-users] Black screen after GUI during install attempt.

2020-06-12 Thread 'Josh McNattin' via qubes-users
I've had Qubes installed previously on my old motherboard, an ASRock 
Fatal1ty Z97X, now I'm seeing if it'll run on my new ASRock Taichi x570. 
I'm able to boot from USB via legacy, I get the first GUI install screen 
menu, but when I select the option to install, I get an eternal black 
screen with a blinking underscore cursor, no other text prior to this. This 
USB stick is the same one I used to successfully install 4.01 previously on 
my old motherboard (I know 4.03 is the latest version, I'd rather update 
from the OS when it's installed). I've looked at several threads about 
black screens during install, none of them seem to fit with what I'm 
experiencing. Thanks!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0f7b476-1c2f-42ca-b2dc-bdf821afb301o%40googlegroups.com.


Re: [qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s


dhorf-hfref.4a288...@hashmail.org:
> On Fri, Jun 12, 2020 at 12:49:04PM +, taran1s wrote:
>> - set a higher encryption from qubes default to aes 512-bit full disk
>> encryption.
> 
> a) there is no "aes 512".
> b) the qubes default is aes-xts-512. (which is really aes-256 with
>    two different keys since whoever implemented it for linux read 
>    the XTS paper wrong, but it doesn't matter for security)
> c) check "cryptsetup luksDump /dev/yourqubesluksdev"
> 

Thank you for pointing out that qubes uses the aes-xts-512 already. I
read somewhere in the past that qubes uses the 256-bit encryption but
maybe it was confused with 256 effective or something.

> 
>> Is this possible to do from within running qubes or will I need to
>> reinstall the QubesOS and do it all fresh?
> 
> most likely for the "encryption" part no change is required.
> so just moving /boot + grub.

Are there any good guides on how to do this move? /boot partition and
grub installation onto the usb stick?

> 
> 
>> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
>> like for example sd3 in case of default qubes installation procedure.
>> Is that case from inside of qubes too?
> 
> cryptsetup can be used from inside qubes dom0, yes.
> i recommend adding a new passphrase first, making sure it works, then
> removing the old one.
> luks default has 8 key slots.

This would mean to execute sudo cryptsetup luksAddKey /dev/sd3 (sda3 is
the luks partition in my case). If I get it right it should
automatically add Key to the next free slot if available. Since sudo
cryptsetup luksDump /dev/sd3 | grep -i key  returns only one slot
enabled, my new passphrase will be in the slot 1.

Then sudo cryptsetup luksRemoveKey /dev/sdX will remove the passphrase I
enter, so I don't need to specify the slot. Is that right?

> 
> 
>> Are there any pros/cons of this setup?
> 
> make sure to have more than one boot device for redundancy.
> you will have to update them all for every kernel, xen or grub update.
> (or accept booting your system from an old grub/xen/kernel if
>  you end up using an outdated boot stick)

How do I update it? Are there any noob friendly guides?

> 
> 
> 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/960bb5d2-8b98-2937-16d5-1ab3a1394d32%40mailbox.org.




Re: [qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread dhorf-hfref . 4a288f10
On Fri, Jun 12, 2020 at 12:49:04PM +, taran1s wrote:
> - set a higher encryption from qubes default to aes 512-bit full disk
> encryption.

a) there is no "aes 512".
b) the qubes default is aes-xts-512. (which is really aes-256 with
   two different keys since whoever implemented it for linux read 
   the XTS paper wrong, but it doesn't matter for security)
c) check "cryptsetup luksDump /dev/yourqubesluksdev"


> Is this possible to do from within running qubes or will I need to
> reinstall the QubesOS and do it all fresh?

most likely for the "encryption" part no change is required.
so just moving /boot + grub.


> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
> like for example sd3 in case of default qubes installation procedure.
> Is that case from inside of qubes too?

cryptsetup can be used from inside qubes dom0, yes.
i recommend adding a new passphrase first, making sure it works, then
removing the old one.
luks default has 8 key slots.


> Are there any pros/cons of this setup?

make sure to have more than one boot device for redundancy.
you will have to update them all for every kernel, xen or grub update.
(or accept booting your system from an old grub/xen/kernel if
 you end up using an outdated boot stick)



To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200612130106.GC998%40priv-mua.
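
The two checks from this exchange, as an added example that is not part of any poster's message or of the Qubes project: reading `cryptsetup luksDump` output to see the cipher and which key slots are in use, and refusing to remove a passphrase until a second slot is enabled. It assumes the LUKS1 dump layout; the sample dump is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks on `cryptsetup luksDump` text.
# Assumes the LUKS1 dump layout ("Key Slot N: ENABLED"); LUKS2 prints differently.
# Real use (dom0): sudo cryptsetup luksDump /dev/yourqubesluksdev | enabled_slots

# Constructed sample of a LUKS1 header dump; device name and values are made up.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdX3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
    Iterations:          1000000
    Key material offset: 8
    AF stripes:          4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# The same header after a second passphrase has been added (constructed).
sample_dump_after_add() {
    sample_dump | sed 's/^Key Slot 1: DISABLED/Key Slot 1: ENABLED/'
}

# Print the numbers of the enabled key slots, space separated.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# Print the first disabled slot (luksAddKey normally fills the first free one).
next_free_slot() {
    awk '/^Key Slot [0-9]+: DISABLED/ && !found {
             sub(":", "", $3); print $3; found = 1
         }'
}

# Report cipher and key sizes. In XTS mode the master key is two keys of
# equal length, so 512 "MK bits" with aes means AES-256.
effective_cipher() {
    awk '/^Cipher name:/ { name = $3 }
         /^Cipher mode:/ { mode = $3 }
         /^MK bits:/     { bits = $3 }
         END {
             key = (mode ~ /^xts/) ? bits / 2 : bits
             printf "%s-%s master-key-bits=%d cipher-key-bits=%d\n", name, mode, bits, key
         }'
}

# Succeed only when at least two slots are enabled, so removing one
# passphrase cannot leave the volume without any passphrase at all.
# This does not prove the new passphrase works; test that separately.
safe_to_remove_key() {
    n=$(( $(enabled_slots | wc -w) ))
    [ "$n" -ge 2 ]
}

# Demo on the constructed sample.
echo "cipher:        $(sample_dump | effective_cipher)"
echo "enabled slots: $(sample_dump | enabled_slots)"
echo "next free:     $(sample_dump | next_free_slot)"
if sample_dump | safe_to_remove_key; then
    echo "two or more slots enabled: luksRemoveKey will not lock you out"
else
    echo "only one slot enabled: run luksAddKey and test the new passphrase first"
fi
```

Before `luksRemoveKey`, confirm the new passphrase opens the volume, for example with `sudo cryptsetup luksOpen --test-passphrase /dev/yourqubesluksdev`.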


[qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s
I would like to change the encryption password of my qubes
installation. And once I start to play with this, I would like to also:

- set a higher encryption from qubes default to aes 512-bit full disk
encryption.
- move the /boot partition to an external *USB device and install Grub
as described here
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Full_Disk_Encryption

Is this possible to do from within running qubes or will I need to
reinstall the QubesOS and do it all fresh?

Cryptsetup seems pretty straightforward with just executing sudo
cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
like for example sd3 in case of default qubes installation procedure.
Is that case from inside of qubes too?

I am a newbie in this area. How would I do that in both cases (fresh
installation of QubesOS; and from within running QubesOS)?

Could one use the Nitrokey Storage as that *USB with /boot partition
and grub installed, or it must be normal, unencrypted USB device?

Are there any pros/cons of this setup?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/93e1714d-00b0-0175-43cf-659880a069f0%40mailbox.org.




Re: [qubes-users] Dell Latitude E5470 running Qubes 4.0.3 - no web cam...

2020-06-12 Thread Andrew Sullivan


On Friday, 12 June 2020 13:06:01 UTC+1, Rafael Reis wrote:
>
> I’ve also started with no sys-usb and a flash drive. Then imaged the usb 
> drive to the internal ssd, and installed sys-usb afterwards. Everything 
> went smoothly. 
> You indeed cannot have sys-usb if you are booting from the usb stick. 
>
> Never tried the webcam to be honest. I find it counterintuitive to use a 
> facecam on a privacy and security oriented os. I’d tape the thing shut. But 
> you should probably try kernel-latest . It is stable on my 5470 and fixed 
> the sd card reader for me, which back then when I first installed was not 
> working. 
>
>
Hi Rafael

I have an M.2 SSD for the WWAN slot on my laptop on order, so the problem 
will be sorted soon.  If indeed it is a problem - you make a valid point 
about using a webcam on a security-focused system.  If I really have to 
(rarely) I could always revert to Windows or Mint.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4d67b967-e1c8-4cf4-9e83-b522c067f39eo%40googlegroups.com.


Re: [qubes-users] Dell Latitude E5470 running Qubes 4.0.3 - no web cam...

2020-06-12 Thread Rafael Reis
I’ve also started with no sys-usb and a flash drive. Then imaged the usb drive 
to the internal ssd, and installed sys-usb afterwards. Everything went smoothly.
You indeed cannot have sys-usb if you are booting from the usb stick.

Never tried the webcam to be honest. I find it counterintuitive to use a 
facecam on a privacy and security oriented os. I’d tape the thing shut. But you 
should probably try kernel-latest . It is stable on my 5470 and fixed the sd 
card reader for me, which back then when I first installed was not working.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/787d30c9-a085-4e3e-b2ad-b3cb92969966o%40googlegroups.com.


[qubes-users] Re: How to do a fully automatic 4.0.3 installation

2020-06-12 Thread didier . pelligra
Hi,

I managed to reboot the PC after the first stage and I'll just add a new 
key to luks afterwards.

I still have to find a way to either automate the second stage or skip it 
altogether since i can launch it later once logged in for the first time. 
Is there a way to at least skip initial config ?


On Thursday, June 11, 2020 at 4:35:07 PM UTC+2, didier@gmail.com wrote:
>
> Hi,
>
> I've been playing around for a while now with Qubes R4.0.3 and while i 
> managed to start the installation from a PXE server and with a kickstart 
> file, I can't get the installation to be fully automatic.
>
> I followed mainly this page :
>
> https://github.com/Qubes-Community/Contents/blob/master/docs/hardware/Autonomous%20Qubes-install%20(kickstart).md
>
> A few problems i'm running into :
> - In the ks.cfg file i can't find how to specify an encrypted LUKS 
> passphrase, for now i have to put it in clear text
> - The installation first stage won't reboot automatically after the files 
> copy and installation
> - I can't automate the first boot configuration (which I need to do the 
> default settings, no change needed)
>
> Thanks :)
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3a88589a-cff9-4247-afb0-4510e4a36e68o%40googlegroups.com.