Re: [qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s


dhorf-hfref.4a288...@hashmail.org:
> On Fri, Jun 12, 2020 at 12:49:04PM +, taran1s wrote:
>> - - set a higher encryption from qubes default to aes 512-bit full disk
>> encryption.
> 
> a) there is no "aes 512".
> b) the qubes default is aes-xts-512. (which is really aes-256 with
>    two different keys since whoever implemented it for linux read 
>    the XTS paper wrong, but it doesn't matter for security)
> c) check "cryptsetup luksDump /dev/yourqubesluksdev"
> 

Thank you for pointing out that qubes uses the aes-xts-512 already. I
read somewhere in the past that qubes uses the 256-bit encryption but
maybe it was confused with 256 effective or something.

> 
>> Is this possible to do from within running qubes or will I need to
>> reinstall the QubesOS and do it all fresh?
> 
> most likely for the "encryption" part no change is required.
> so just moving /boot + grub.

Are there any good guides on how to do this move? /boot partition and
grub installation onto the usb stick?

> 
> 
>> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
>> like for example sd3 in case of default qubes installation procedure.
>> Is that case from inside of qubes too?
> 
> cryptsetup can be used from inside qubes dom0, yes.
> i recommend adding a new passphrase first, making sure it works, then
> removing the old one.
> luks default has 8 key slots.

This would mean to execute sudo cryptsetup luksAddKey /dev/sd3 (sda3 is
the luks partition in my case). If I get it right it should
automatically add Key to the next free slot if available. Since sudo
cryptsetup luksDump /dev/sd3 | grep -i key  returns only one slot
enabled, my new passphrase will be in the slot 1.

Then sudo cryptsetup luksRemoveKey /dev/sdX will remove the passphrase I
enter, so I don't need to specify the slot. Is that right?

> 
> 
>> Are there any pros/cons of this setup?
> 
> make sure to have more than one boot device for redundancy.
> you will have to update them all for every kernel, xen or grub update.
> (or accept booting your system from an old grub/xen/kernel if
>  you end up using an outdated boot stick)

How do I update it? Are there any noob friendly guides?

> 
> 
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/960bb5d2-8b98-2937-16d5-1ab3a1394d32%40mailbox.org.




Re: [qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread dhorf-hfref . 4a288f10
On Fri, Jun 12, 2020 at 12:49:04PM +, taran1s wrote:
> - - set a higher encryption from qubes default to aes 512-bit full disk
> encryption.

a) there is no "aes 512".
b) the qubes default is aes-xts-512. (which is really aes-256 with
   two different keys since whoever implemented it for linux read 
   the XTS paper wrong, but it doesn't matter for security)
c) check "cryptsetup luksDump /dev/yourqubesluksdev"


> Is this possible to do from within running qubes or will I need to
> reinstall the QubesOS and do it all fresh?

most likely for the "encryption" part no change is required.
so just moving /boot + grub.


> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
> like for example sd3 in case of default qubes installation procedure.
> Is that case from inside of qubes too?

cryptsetup can be used from inside qubes dom0, yes.
i recommend adding a new passphrase first, making sure it works, then
removing the old one.
luks default has 8 key slots.


> Are there any pros/cons of this setup?

make sure to have more than one boot device for redundancy.
you will have to update them all for every kernel, xen or grub update.
(or accept booting your system from an old grub/xen/kernel if
 you end up using an outdated boot stick)
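
Added example, not part of the original post and not code from cryptsetup or Qubes: a small reader for "cryptsetup luksDump" text that reports the cipher, the AES key size behind the master key (points b and c above) and which of the 8 key slots are in use before a passphrase is added or removed. It assumes the LUKS1 dump layout; the sample dump and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: reads LUKS1 `cryptsetup luksDump` text on stdin.
# SAMPLE_DUMP is constructed and trimmed (digest, salt and per-slot detail
# lines omitted); on a real system pipe in `sudo cryptsetup luksDump <device>`.
SAMPLE_DUMP='LUKS header information for /dev/sdXN

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print "<cipher>-<mode> mk=<bits> aes=<bits>". In XTS mode the master key
# is two equal halves, so 512 MK bits means AES-256.
luks1_cipher_summary() {
    awk -F':[ \t]*' '
        $1 == "Cipher name" { name = $2 }
        $1 == "Cipher mode" { mode = $2 }
        $1 == "MK bits"     { mk = $2 + 0 }
        END { aes = (mode ~ /^xts/) ? mk / 2 : mk
              printf "%s-%s mk=%d aes=%d\n", name, mode, mk, aes }'
}

# Print the numbers of the key slots in state $1 (ENABLED or DISABLED).
luks1_slots() {
    awk -v want="$1" -F':[ \t]*' '
        $1 ~ /^Key Slot [0-7]$/ && $2 == want {
            sub(/^Key Slot /, "", $1); printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Print the first DISABLED slot (the slot the reply above expects luksAddKey
# to use); return 1 when all eight slots are taken.
luks1_next_free_slot() {
    free=$(luks1_slots DISABLED)
    [ -n "$free" ] || return 1
    echo "${free%% *}"
}

printf '%s\n' "$SAMPLE_DUMP" | luks1_cipher_summary
echo "enabled: $(printf '%s\n' "$SAMPLE_DUMP" | luks1_slots ENABLED)"
echo "next free: $(printf '%s\n' "$SAMPLE_DUMP" | luks1_next_free_slot)"
```

Running the slot check again after adding the new passphrase, and before removing the old one, shows whether two slots are enabled as expected.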





[qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s

I would like to change the encryption password of my qubes
installation. And once I start to play with this, I would like to also:

- set a higher encryption from qubes default to aes 512-bit full disk
encryption.
- move the /boot partition to an external *USB device and install Grub
as described here
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Full_Disk_Encryption

Is this possible to do from within running qubes or will I need to
reinstall the QubesOS and do it all fresh?

Cryptsetup seems pretty straightforward with just executing sudo
cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
like for example sd3 in case of default qubes installation procedure.
Is that case from inside of qubes too?

I am a newbie in this area. How would I do that in both cases (fresh
installation of QubesOS; and from within running QubesOS)?

Could one use the Nitrokey Storage as that *USB with /boot partition
and grub installed, or it must be normal, unencrypted USB device?

Are there any pros/cons of this setup?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3