Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Sat, Jul 15, 2017 at 03:20:44PM -0400, 'P R' via qubes-users wrote:
> Hello,
>
> On 15.07.2017 at 10:45 a.m., "Noor Christensen" <kchr+qubes-us...@fripost.org> wrote:
>
> > I found this project the other day:
> > https://github.com/rustybird/qubes-split-dm-crypt
> >
> > Haven't tried it myself yet but it looks like it could fit your idea.
>
> Thank you for the link, very interesting!
> As far as I understand the qubes-split-dm-crypt has a security benefit as
> the credentials are not entered in an AppVM where the encrypted partition
> should be mounted but in another VM.
> As such there is less opportunity to grab the passphrase as it is entered
> in another VM.
>
> As far as I have understood 'codegeak98' he is asking for a solution to
> store data in one storage qube, which might be accessed by several AppVMs
> while still being sure that the data is protected from access by other VMs
> or even the storage Qube itself.

Yeah, I'm looking for a similar solution myself... I think we can learn a lot from the qubes-split-dm-crypt for this since it's more or less the same workflow but without the LUKS layer.

But if someone else has a working solution to the use case please share!

-- noor

|_|O|_|
|_|_|O|  Noor Christensen
|O|O|O|  n...@fripost.org ~ 0x401DA1E0
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Hello,

On 15.07.2017 at 10:45 a.m., "Noor Christensen" <kchr+qubes-us...@fripost.org> wrote:

> I found this project the other day:
> https://github.com/rustybird/qubes-split-dm-crypt
>
> Haven't tried it myself yet but it looks like it could fit your idea.

Thank you for the link, very interesting!

As far as I understand the qubes-split-dm-crypt has a security benefit as the credentials are not entered in an AppVM where the encrypted partition should be mounted but in another VM. As such there is less opportunity to grab the passphrase as it is entered in another VM.

As far as I have understood 'codegeak98' he is asking for a solution to store data in one storage qube, which might be accessed by several AppVMs while still being sure that the data is protected from access by other VMs or even the storage Qube itself.

- PhR
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Sat, Jul 15, 2017 at 10:45:38AM +0200, Noor Christensen wrote:
> On Tue, Jul 11, 2017 at 01:08:55PM -0700, codegee...@gmail.com wrote:
> > Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> > /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\ moon,deluge}}
> > and so on.
> >
> > But, obviously, I want to try with Qubes to have some isolation from
> > my webserver, perhaps have my Torrent client not be able to read my
> > browser profile, etc.
> >
> > I'm thinking of setting up perhaps something like a "Storage Qube",
> > which will have the storage drive permanently attached, and be in
> > charge of managing permissions and serving the folders to authorized
> > VMs via…NFS? SSHFS?
> >
> > The catch is, I want to try to have it at least be reasonably
> > performant (i.e., my browser profile is there currently), and
> > preferably not make it "too" hacky/inelegant, in case the Qubes devs
> > roll their own guided/integrated system for this.
> >
> > DOES Qubes have a facility to do this currently?
>
> I found this project the other day:
> https://github.com/rustybird/qubes-split-dm-crypt
>
> Haven't tried it myself yet but it looks like it could fit your idea.

Also, one of the main Qubes workflows is to create AppVMs separated by "domain". This can mean many things, but in your case I can think of at least two: browser and torrents.

You can have two AppVMs (one for browser, one for torrents) that share the same TemplateVM but have their own private storage for persistent files (browser profile, torrent client config).

By separating applications into their own AppVMs they are isolated from each other, and they cannot read private data from other AppVMs. If you need them to share anything, you just put that in the template and it will be available for any AppVM using that template next time it starts.

Everything stored in an AppVM's private storage is persistent between restarts. It is only available to that AppVM.

-- noor

|_|O|_|
|_|_|O|  Noor Christensen
|O|O|O|  n...@fripost.org ~ 0x401DA1E0
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On Tue, Jul 11, 2017 at 01:08:55PM -0700, codegee...@gmail.com wrote:
> Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\ moon,deluge}}
> and so on.
>
> But, obviously, I want to try with Qubes to have some isolation from
> my webserver, perhaps have my Torrent client not be able to read my
> browser profile, etc.
>
> I'm thinking of setting up perhaps something like a "Storage Qube",
> which will have the storage drive permanently attached, and be in
> charge of managing permissions and serving the folders to authorized
> VMs via…NFS? SSHFS?
>
> The catch is, I want to try to have it at least be reasonably
> performant (i.e., my browser profile is there currently), and
> preferably not make it "too" hacky/inelegant, in case the Qubes devs
> roll their own guided/integrated system for this.
>
> DOES Qubes have a facility to do this currently?

I found this project the other day:
https://github.com/rustybird/qubes-split-dm-crypt

Haven't tried it myself yet but it looks like it could fit your idea.

-- noor

|_|O|_|
|_|_|O|  Noor Christensen
|O|O|O|  n...@fripost.org ~ 0x401DA1E0
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Hello,

On 11.07.2017 at 10:52 p.m., "Florian Brandes" wrote:

> On 07/11/2017 10:08 PM, codegee...@gmail.com wrote:
> (...)
> > I'm thinking of setting up perhaps something like a "Storage Qube", which
> > will have the storage drive permanently attached, and be in charge of
> > managing permissions and serving the folders to authorized VMs via…NFS? SSHFS?
> (...)
>
> I'm new to qubes, so excuse me if I may sound stupid, but wouldn't it be
> easier to include your storage space in your overall qubes setup (maybe
> as an LVM), so that you would just use your qubes and extend their
> personal disk space?
>
> This way you could take advantage of the isolation provided by qubes
> without the hassle of setting up a dedicated storage VM which would also
> need to check permissions.
>
> On the other hand you could probably set up a storage VM and serve the
> files via NFS on an IP basis. Since every qube has a unique IP address you
> could make sure that no other qube except the one you permit has access
> to a specific storage folder.

One idea that came to my mind:

- set up a "storage qube" which serves as an NFS server
- create exports in separate folders which can only be accessed by dedicated IPs (from the AppVMs)
- as an additional layer of security you could use encfs (with maybe some symlinks) in the AppVMs, so that the data is decrypted from the view of an AppVM but encrypted from the view of the Storage Qube. I guess it should be possible to script something where the decryption key is stored locally in the AppVM (assuming that the data would be unencrypted in the AppVM without a "Storage Qube").

Would this work for you?

- PhR
Re: [qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
On 07/11/2017 10:08 PM, codegee...@gmail.com wrote:
> Right now, I have a lot of stuff all just "consolidated" on one hard drive.
> /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\ moon,deluge}}
> and so on.
>
> But, obviously, I want to try with Qubes to have some isolation from my
> webserver, perhaps have my Torrent client not be able to read my browser
> profile, etc.
>
> I'm thinking of setting up perhaps something like a "Storage Qube", which
> will have the storage drive permanently attached, and be in charge of
> managing permissions and serving the folders to authorized VMs via…NFS? SSHFS?
>
> The catch is, I want to try to have it at least be reasonably performant
> (i.e., my browser profile is there currently), and preferably not make it
> "too" hacky/inelegant, in case the Qubes devs roll their own
> guided/integrated system for this.
>
> DOES Qubes have a facility to do this currently?

Hi,

I'm new to qubes, so excuse me if I may sound stupid, but wouldn't it be easier to include your storage space in your overall qubes setup (maybe as an LVM), so that you would just use your qubes and extend their personal disk space?

This way you could take advantage of the isolation provided by qubes without the hassle of setting up a dedicated storage VM which would also need to check permissions.

On the other hand you could probably set up a storage VM and serve the files via NFS on an IP basis. Since every qube has a unique IP address you could make sure that no other qube except the one you permit has access to a specific storage folder.

Greetings, Florian
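Added example (not part of the thread, and not code from any poster): Florian's and PhR's messages both propose NFS exports where each storage folder is reachable from exactly one qube IP, and this sketch checks an exports file against that rule. The /srv/storage paths, the 10.137.0.x addresses and the function names are constructed for illustration.

```python
import ipaddress
from pathlib import PurePosixPath

# Constructed sample /etc/exports for a hypothetical storage qube (not from the thread).
SAMPLE = """\
/srv/storage/browser   10.137.0.10(rw,sync,no_subtree_check)
/srv/storage/torrents  10.137.0.11(rw,sync) 10.137.0.12(ro)
/srv/storage/web       10.137.0.0/24(rw,sync)
/srv/storage/docs      10.137.0.13 (rw,sync)   # stray space before "("
/srv/storage           10.137.0.14(ro)
"""

def parse_exports(text):
    """Yield (path, [client, ...]) per entry; client '' means 'any host'."""
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], [f.split("(", 1)[0] for f in fields[1:]]

def client_problem(client):
    """Explain why a client spec is not exactly one IP address, else None."""
    if client in ("", "*"):
        return "exported to any host"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return f"client {client} is not a literal IP address"
    if net.num_addresses != 1:
        return f"client {client} covers {net.num_addresses} addresses"
    return None

def audit_exports(text):
    """Return sorted (path, finding) pairs that break one-folder-one-qube."""
    exports = dict(parse_exports(text))
    findings = set()
    for path, clients in exports.items():
        if len(clients) != 1:
            findings.add((path, f"{len(clients)} clients listed, expected 1"))
        for problem in filter(None, map(client_problem, clients)):
            findings.add((path, problem))
        for other, other_clients in exports.items():
            nested = PurePosixPath(other) in PurePosixPath(path).parents
            if nested and set(other_clients) != set(clients):
                findings.add((path, f"also reachable through export {other}"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit_exports(SAMPLE):
        print(f"{path}: {finding}")
```

The parser assumes export paths without spaces or quoting; an options group separated from its client by a space is treated as applying to any host, as exports(5) defines it.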
[qubes-users] "Storage Qube" or otherwise share folders of a drive selectively?
Right now, I have a lot of stuff all just "consolidated" on one hard drive. /var/storage/{Anime,public_html,Documents,Pictures,.config/{pale\ moon,deluge}} and so on.

But, obviously, I want to try with Qubes to have some isolation from my webserver, perhaps have my Torrent client not be able to read my browser profile, etc.

I'm thinking of setting up perhaps something like a "Storage Qube", which will have the storage drive permanently attached, and be in charge of managing permissions and serving the folders to authorized VMs via…NFS? SSHFS?

The catch is, I want to try to have it at least be reasonably performant (i.e., my browser profile is there currently), and preferably not make it "too" hacky/inelegant, in case the Qubes devs roll their own guided/integrated system for this.

DOES Qubes have a facility to do this currently?