Re: [qubes-users] Formatting and Permissions for internal HDDs

2017-12-01 Thread awokd
On Fri, December 1, 2017 03:58, Gaijin wrote:
> On 2017-11-27 10:26, awokd wrote:
>> On Mon, November 27, 2017 05:22, Gaijin wrote:

>
> Following your recommendation I tried encrypting the drive and having it
> mount in dom0 on boot. That works remembering the password, but it's not
> optimal for all drives. That's fine for my backups drive, but I have
> another data drive that I want to mount to different AppVMs. Mounting
> that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
> from dom0 and attach it to an AppVM, I still need to enter the disk
> decryption password from the AppVM to access the drive. This is a drive
> I wanted to use between several AppVMs. Would I need to set up an
> /etc/fstab in each AppVM for this?

Generally speaking, if something is hard to do in Qubes that means you are
using it wrong! Accessing the same data drive from different AppVMs or
dom0 breaks their isolation. Consider always mounting the data drive in
one VM and using qvm-copy/move-to-vm to move data files between AppVMs.
Can't think of a secure way to mount that automatically.

>>> My other issue is that whether I encrypt the drive partitions with LUKS
>>> or just make an ext4 partition, I can't access the drives after creating
>>> them because they're assigned ownership to the root account. Normal
>>> Qubes use is thru the dom0 account or the user account on the VMs, not
>>> root. What would be a good permissions setting to allow dom0 or a VM
>>> access the hard drives?
>>
>> I think if you mount them as part of boot you will have less trouble.
>> Don't remember having to do anything special with permissions, but
>> review
>> the ones set on /var/lib/qubes if needed. Also see
>> https://www.qubes-os.org/doc/secondary-storage/ .
>
> That permissions issue is still there even if I mount the encrypted
> drive at boot. I have this issue on 2 different machines running R3.2.
> These are new, blank HDDs that dom0 recognizes when I boot up. They're
> set with rw for the Owner root and in the root Group, which only has r,
> Others are r as well. Should I be chown-ing these from the AppVMs so
> that the User account there can manipulate them? I'm a bit new to *nix
> disk permissions...

/var/lib/qubes shows most are owned root:qubes, not root:root. Try
changing your group owner to match, and review
https://www.qubes-os.org/doc/secondary-storage/ again.

From what I can tell of your scenario, I'd:
1. Mount encrypted data drive on boot
2. Start "data" appvm that lives in this encrypted drive per the secondary
storage article
3. Use qvm-move/copy commands to share data between AppVMs



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0b8f8727b84ab2b16dbd8a2885efc35a%40elude.in.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Formatting and Permissions for internal HDDs

2017-11-30 Thread Gaijin
On 2017-11-27 10:26, awokd wrote:
> On Mon, November 27, 2017 05:22, Gaijin wrote:
>> In R3.2 I have some additional internal hard drives in my PC. I wanted
>> to format them to be encrypted so that they will match the disk
>> encryption of my main Qubes disk install, and so that I won't have to
>> enter the disk password every time I access the drives or attach them to
>> a VM. I have not been able to figure this out. Is this possible?
> 
> Yes, give them the exact same password as your primary and mount them by
> UUID in both /etc/crypttab and /etc/fstab.

Following your recommendation I tried encrypting the drive and having it
mount in dom0 on boot. That works remembering the password, but it's not
optimal for all drives. That's fine for my backups drive, but I have
another data drive that I want to mount to different AppVMs. Mounting
that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
from dom0 and attach it to an AppVM, I still need to enter the disk
decryption password from the AppVM to access the drive. This is a drive
I wanted to use between several AppVMs. Would I need to set up an
/etc/fstab in each AppVM for this?

>> My other issue is that whether I encrypt the drive partitions with LUKS
>> or just make an ext4 partition, I can't access the drives after creating
>> them because they're assigned ownership to the root account. Normal
>> Qubes use is thru the dom0 account or the user account on the VMs, not
>> root. What would be a good permissions setting to allow dom0 or a VM
>> access the hard drives?
> 
> I think if you mount them as part of boot you will have less trouble.
> Don't remember having to do anything special with permissions, but review
> the ones set on /var/lib/qubes if needed. Also see
> https://www.qubes-os.org/doc/secondary-storage/ .

That permissions issue is still there even if I mount the encrypted
drive at boot. I have this issue on 2 different machines running R3.2.
These are new, blank HDDs that dom0 recognizes when I boot up. They're
set with rw for the Owner root and in the root Group, which only has r,
Others are r as well. Should I be chown-ing these from the AppVMs so
that the User account there can manipulate them? I'm a bit new to *nix
disk permissions...



Re: [qubes-users] Formatting and Permissions for internal HDDs

2017-11-27 Thread awokd
On Mon, November 27, 2017 05:22, Gaijin wrote:
> In R3.2 I have some additional internal hard drives in my PC. I wanted
> to format them to be encrypted so that they will match the disk
> encryption of my main Qubes disk install, and so that I won't have to
> enter the disk password every time I access the drives or attach them to
> a VM. I have not been able to figure this out. Is this possible?

Yes, give them the exact same password as your primary and mount them by
UUID in both /etc/crypttab and /etc/fstab.

> My other issue is that whether I encrypt the drive partitions with LUKS
> or just make an ext4 partition, I can't access the drives after creating
> them because they're assigned ownership to the root account. Normal
> Qubes use is thru the dom0 account or the user account on the VMs, not
> root. What would be a good permissions setting to allow dom0 or a VM
> access the hard drives?

I think if you mount them as part of boot you will have less trouble.
Don't remember having to do anything special with permissions, but review
the ones set on /var/lib/qubes if needed. Also see
https://www.qubes-os.org/doc/secondary-storage/ .
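
The by-UUID setup suggested above, as an added example that is not part of the original post: a small lint for a crypttab/fstab pair. It assumes crypttab names the LUKS container by its UUID while fstab names the filesystem inside it; the function name, file contents, mapper names and UUIDs are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint a crypttab/fstab pair for the
# mount-by-UUID setup. All UUIDs, names and mount points are constructed.

# check_tabs CRYPTTAB FSTAB: prints one line per finding, returns 1 if any.
check_tabs() {
    luks_uuids="" rc=0
    while read -r name dev _key _opts; do
        case $name in ''|'#'*) continue ;; esac
        case $dev in
            UUID=*) luks_uuids="$luks_uuids ${dev#UUID=}" ;;
            *) echo "crypttab: $name references $dev instead of UUID="; rc=1 ;;
        esac
    done < "$1"
    while read -r spec mnt _rest; do
        case $spec in ''|'#'*) continue ;; esac
        case $spec in
            UUID=*)
                # fstab wants the filesystem UUID inside the container,
                # not the UUID of the LUKS header listed in crypttab.
                case " $luks_uuids " in
                    *" ${spec#UUID=} "*)
                        echo "fstab: $mnt uses the LUKS container UUID"; rc=1 ;;
                esac ;;
            /dev/sd*|/dev/xvd*)
                echo "fstab: $mnt is mounted by device node $spec"; rc=1 ;;
        esac
    done < "$2"
    return $rc
}

# Constructed sample files: one correct pair, one with two mistakes.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# name  device  key  options' \
    'luks-data UUID=11111111-aaaa-4bbb-8ccc-000000000001 none luks' > "$tmp/crypttab.ok"
printf '%s\n' 'UUID=22222222-aaaa-4bbb-8ccc-000000000002 /mnt/data ext4 defaults 0 2' > "$tmp/fstab.ok"
printf '%s\n' 'luks-data /dev/sdb1 none luks' \
    'luks-bak UUID=11111111-aaaa-4bbb-8ccc-000000000003 none luks' > "$tmp/crypttab.bad"
printf '%s\n' 'UUID=11111111-aaaa-4bbb-8ccc-000000000003 /mnt/bak ext4 defaults 0 2' > "$tmp/fstab.bad"

check_tabs "$tmp/crypttab.ok" "$tmp/fstab.ok" && echo "ok pair: clean"
check_tabs "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "bad pair: see findings above"
```

On a real system, `blkid` shows both values: the partition with `TYPE="crypto_LUKS"` carries the UUID for crypttab, and the opened `/dev/mapper/` device carries the filesystem UUID for fstab.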




[qubes-users] Formatting and Permissions for internal HDDs

2017-11-26 Thread Gaijin
In R3.2 I have some additional internal hard drives in my PC. I wanted
to format them to be encrypted so that they will match the disk
encryption of my main Qubes disk install, and so that I won't have to
enter the disk password every time I access the drives or attach them to
a VM. I have not been able to figure this out. Is this possible?

My other issue is that whether I encrypt the drive partitions with LUKS
or just make an ext4 partition, I can't access the drives after creating
them because they're assigned ownership to the root account. Normal
Qubes use is thru the dom0 account or the user account on the VMs, not
root. What would be a good permissions setting to allow dom0 or a VM
access the hard drives? 
