Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Sat, Jul 15, 2017 at 03:20:44PM -0400, 'P R' via qubes-users wrote: > Hello, > > Am 15.07.2017 10:45 vorm. schrieb "Noor Christensen" < > kchr+qubes-us...@fripost.org>: > > > I found this project the other day: https://github.com/rustybird/ > qubes-split-dm-crypt > > Haven't tried it myself yet but it looks like it could fit your idea. > > > Thank you for the link, very interesting! > As far as I understand the qubes-split-dm-crypt has a security benefit as > the credentials are not entered in an AppVM where the encrypted partition > should be mounted but in another VM. > As such there is less opportunity to grab the passphrase as it is entered > in another VM. > > As far as I have understand 'codegeak98' he is asking for a solution to > store data in one storage qube, which might be accessed by several AppVMs > while still beeing sure that the data is protected from access by other VMs > or even the storage Qube itself. Yeah, I'm looking for a similar solution myself... I think we can learn a lot from the qubes-split-dm-crypt for this since it's more or less the same workflow but without the LUKS layer. But if someone else have a working solution to the use case please share! -- noor |_|O|_| |_|_|O| Noor Christensen |O|O|O| n...@fripost.org ~ 0x401DA1E0 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170715192539.mq6ttqvpqgrvucwu%40mail. For more options, visit https://groups.google.com/d/optout. signature.asc Description: PGP signature
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Hello, Am 15.07.2017 10:45 vorm. schrieb "Noor Christensen" < kchr+qubes-us...@fripost.org>: I found this project the other day: https://github.com/rustybird/ qubes-split-dm-crypt Haven't tried it myself yet but it looks like it could fit your idea. Thank you for the link, very interesting! As far as I understand the qubes-split-dm-crypt has a security benefit as the credentials are not entered in an AppVM where the encrypted partition should be mounted but in another VM. As such there is less opportunity to grab the passphrase as it is entered in another VM. As far as I have understand 'codegeak98' he is asking for a solution to store data in one storage qube, which might be accessed by several AppVMs while still beeing sure that the data is protected from access by other VMs or even the storage Qube itself. - PhR -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAM8xnv%2BvUigXQSORVtCLMF5F%2BsFZDhNhp3kbT5%2BQd2OjC348Yw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Sat, Jul 15, 2017 at 10:45:38AM +0200, Noor Christensen wrote:
> On Tue, Jul 11, 2017 at 01:08:55PM -0700, codegee...@gmail.com wrote:
> > Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> > /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\
> > moon,deluge}} and so on.
> >
> > But, obviously, I want to try with Qubes to have some isolation from
> > my webserver, perhaps have my Torrent client not be able to read my
> > browser profile, etc.
> >
> > I'm thinking of setting up perhaps something like a "Storage Qube",
> > which will have the storage drive permanently attached, and be in
> > charge of managing permissions and serving the folders to authorized
> > VMs via…NFS? SSHFS?
> >
> > The catch is, I want to try to have it at least be reasonably
> > performant (i.e., my browser profile is there currently), and
> > preferably not make it "too" hacky/inelegant, in case the Qubes devs
> > roll their own guided/integrated system for this.
> >
> > DOES Qubes have a facility to do this currently?
>
> I found this project the other day:
> https://github.com/rustybird/qubes-split-dm-crypt
>
> Haven't tried it myself yet but it looks like it could fit your idea.
Also, one of the main Qubes workflows is to create AppVMs separated by
"domain".
This can mean many things, but in your case I can think of at least two:
browser and torrents. You can have two AppVMs (one for browser, one for
torrents) that share the same TemplateVM but have their own private
storage for persistent files (browser profile, torrent client config).
By separating applications into their own AppVMs they are isolated from
each other, and they cannot read private data from other AppVMs. If you
need them to share anything, you just put that in the template and it
will be available for any AppVM using that template next time it starts.
Everything stored in an AppVM's private storage is persistent between
restarts. It is only available to that AppVM.
-- noor
|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| n...@fripost.org ~ 0x401DA1E0
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170715085730.ojdqv3wvwazfd3tg%40mail.
For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: PGP signature
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Tue, Jul 11, 2017 at 01:08:55PM -0700, codegee...@gmail.com wrote:
> Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\
> moon,deluge}} and so on.
>
> But, obviously, I want to try with Qubes to have some isolation from
> my webserver, perhaps have my Torrent client not be able to read my
> browser profile, etc.
>
> I'm thinking of setting up perhaps something like a "Storage Qube",
> which will have the storage drive permanently attached, and be in
> charge of managing permissions and serving the folders to authorized
> VMs via…NFS? SSHFS?
>
> The catch is, I want to try to have it at least be reasonably
> performant (i.e., my browser profile is there currently), and
> preferably not make it "too" hacky/inelegant, in case the Qubes devs
> roll their own guided/integrated system for this.
>
> DOES Qubes have a facility to do this currently?
I found this project the other day:
https://github.com/rustybird/qubes-split-dm-crypt
Haven't tried it myself yet but it looks like it could fit your idea.
-- noor
|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| n...@fripost.org ~ 0x401DA1E0
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170715084538.tps5njk3xqhdxwm3%40mail.
For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: PGP signature
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Hello, Am 11.07.2017 10:52 nachm. schrieb "Florian Brandes" : -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/11/2017 10:08 PM, codegee...@gmail.com wrote: (...) > I'm thinking of setting up perhaps something like a "Storage Qube", which will have the storage drive permanently attached, and be in charge of managing permissions and serving the folders to authorized VMs via…NFS? SSHFS? (...) I'm new to qubes, so excuse me if I may sound stupid, but wouldn't it be easier to include your storage space in your overall qubes setup (maybe as an LVM), so that you would just use your qubes and extend their personal disk space? This way you could take advantage of the isolation provided by qubes without the hassle of setting up a dedicated storage VM which would also need to check permissions. On the other hand you could probably set up a storage VM and serve the files via NFS on a IP basis. Since every qube has a unique IP address you could make sure that no other qube except the one you permit has access to a specific storage folder. One idea that came to my mind: - setup a "storage qube" which serves as a NFS Server - create exports in separate folders which can only be accessed by dedicated IPs (from the AppVMs) - as an additional Layer of security you could use encfs (with maybe some symlinks) in the AppVMs, so that the date is decrypted from the view of an AppVM but encrypted from the view of the Storage Qube. I guess it should be possible to script something where the decryption key is stored locally in the AppVM (Assuming that the data would be unencrypted in the AppVM without a "Storage Qube". Would this work for you? - PhR -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAM8xnv%2BnV%3DURba_SDF_3C34ReZnvg%3D%3D0eBQU2wx%2Bi%2BmV4%3Dx%3DUQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 07/11/2017 10:08 PM, codegee...@gmail.com wrote:
> Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\
> moon,deluge}} and so on.
>
> But, obviously, I want to try with Qubes to have some isolation from my
> webserver, perhaps have my Torrent client not be able to read my browser
> profile, etc.
>
> I'm thinking of setting up perhaps something like a "Storage Qube", which
> will have the storage drive permanently attached, and be in charge of
> managing permissions and serving the folders to authorized VMs via…NFS? SSHFS?
>
> The catch is, I want to try to have it at least be reasonably performant
> (i.e., my browser profile is there currently), and preferably not make it
> "too" hacky/inelegant, in case the Qubes devs roll their own
> guided/integrated system for this.
>
> DOES Qubes have a facility to do this currently?
>
Hi,
I'm new to qubes, so excuse me if I may sound stupid, but wouldn't it be easier
to include your storage space in your overall qubes setup (maybe as an LVM), so
that you would just use your qubes and extend their personal disk space? This
way you could take advantage of the isolation provided by qubes without the
hassle of setting up a dedicated storage VM which would also need to check
permissions.
On the other hand you could probably set up a storage VM and serve the files
via NFS on a IP basis. Since every qube has a unique IP address you could make
sure that no other qube except the one you permit has access to a specific
storage folder.
Greetings,
Florian
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
iQI0BAEBCAAeBQJZZTp6FxxmbG9yaWFuLmJyYW5kZXNAZ214LmRlAAoJEKf3MHt6
BMRJ8REP/1Q1/3DYemY7X1zHtyhZ2BGTh82HXqfwSEKxJDOm4kLa60pl+JAeJuUm
INegwPw6zLLnCNnT2+aRjIB/keRJmLGs+/cJeLd3Qt0gu8BXBIitAOl4kXPxksNi
tdi5p7xmyy2opiXQakGkHGY/knWV1CowPSNAny6LL5RI+Sn0rYXZW1EvMeAoPSZs
oZrBJB3tafVA5CB7ywe25TkdszeDSFR+ZnEQn3ZbsTHbNm/LnH+BsZ+G0LUZIGLf
R6GG9d5+mQvzUOjCK/ANVdxxSGCflfvkhC2ERLu9LXNRgjh6mnrQMlJFvtiBwun4
CJ/FHIbiG692dDfEpiJ8UuXXNXKIzhsKzhXkuwEjq5+ygvimP2cAGgMLMiTGSFJ/
MUa61mY6/n2SZja5fG/Lxitw7zRKGiblRYFrjYcm1KEt4j4HC6G07icJkN9znqiN
2MKtLCt+5xlUFHvvD7Jz5KZSWqy8EfFj17WAruGBSs+qANPLw3jehTMFGUN39PDe
EYLYhDSLmJPnY0qFZR/KOG7aD3LVMTBuCLMeuxDBXd4c9NHH9hgoBfiB/l6FQObO
jlEuLcENHyHBNsGA6wtirwhPLeoCwzXZl1KUJEjp8YNz/FnKcVS1tUyGnj1reRrG
C5zJCljHaEMEw81yKRU+gNY5kZaBHwAJUsPSisfm+6KjHD7ablUB
=RDvn
-END PGP SIGNATURE-
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/a6068c15-7553-4604-c6de-ad3035c16483%40gmx.de.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Right now, I have a lot of stuff all just "consolidated" on one hard drive.
/var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\ moon,deluge}}
and so on.
But, obviously, I want to try with Qubes to have some isolation from my
webserver, perhaps have my Torrent client not be able to read my browser
profile, etc.
I'm thinking of setting up perhaps something like a "Storage Qube", which will
have the storage drive permanently attached, and be in charge of managing
permissions and serving the folders to authorized VMs via…NFS? SSHFS?
The catch is, I want to try to have it at least be reasonably performant (i.e.,
my browser profile is there currently), and preferably not make it "too"
hacky/inelegant, in case the Qubes devs roll their own guided/integrated system
for this.
DOES Qubes have a facility to do this currently?
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c6be3032-aee8-4279-bbcb-a49f5273a7e6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
