No. 4 makes sense. sys-usb shouldn't know the encryption keys. The encrypted block
device can be attached to a server vm where it would be appropriately decrypted
and mounted, possibly from dom0 via qvm-run (you can start a vm, attach
storage, decrypt and mount it by a short script using qvm-*
I'm looking for some suggestions for running a "maximally-secure" media
server that will access an encrypted USB hard drive for its storage. It
can and probably should be read-only to the media-server software.
A few possibilities I can think of listed from assumed lowest security
to highest