On Thu, May 17, 2018 12:51 pm, Bernhard wrote:
>
>> You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
>> the partition to a different VM, then mount it there.
>>
> This is a good question, I think. Since we distrust sys-usb I agree that
> we should not do the cryptsetup operations in sys-usb. But if you
> distrust the attached device as well (might be safer, right?), one might
> attach the luks-partition (resp. file) first to an intermediate (even
> temp !) VM, luksOpen it in there and re-attach the generated /dev/mapper
> volumes to the destination VM. That way sys-usb is blind to cryptsetup
> and the destination-vm is maximally protected from usb-based attacks.
> Overkill?

I think it's a bit overkill for partition-based LUKS volumes; using qvm-block already gets you protection against USB attacks. File-based ones might benefit from the additional step, but I'm not sure how much.