On Tue, Dec 04, 2018 at 03:22:10PM +0000, tinseal374 wrote:
> mike:
> > > I would decrypt in dom0 and attach decrypted to qubes. You can script
> > > this in dom0 as part of startup process - if you are content with dom0
> > > encryption you can store the password, rather than enter it each time.
> >
> > Cool -- I like the idea!
> >
> > What approach would you recommend for these:
> > a) if the partition was to be decrypted during dom0 boot -- where to script
> > it?
> > b) if the partition was to be decrypted right before a qube's start -- is
> > there a pre-domain-boot script kind of thing?
> > c) if the password was to be typed -- any idea how to pop up some password
> > input dialog box?
> >
> >
> > Many thanks unman!
> >
> > Mike
> >
>
> I'm decrypting my drive with two partitions and connect them to the VMs on
> startup like this in dom0:
>
> Keyfile: /root/my-drive-decrypt/keyfile
>
> Script: /root/my-drive-decrypt/my-drive-decrypt.sh
>
> #! /bin/bash
> case "$1" in
>     start)
>         # Open the plain-mode container in dom0 using the stored keyfile,
>         # then expose the partitions and activate the volume group on it.
>         cryptsetup --cipher=XXX --offset=XXX \
>             --key-file=/root/my-drive-decrypt/keyfile --key-size=XXX \
>             open --type=plain /dev/disk/by-id/XXX my-drive
>         kpartx -a /dev/mapper/my-drive
>         vgchange -ay my-drive
>         # Drop any stale attachment before attaching the fresh device.
>         qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
>         qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
>         qvm-block a --persistent -o frontend-dev=xvdi my-drive1-vm \
>             $(qvm-block l | grep my-drive1 | cut -f1 -d ' ')
>         qvm-block a --persistent -o frontend-dev=xvdi my-drive2-vm \
>             $(qvm-block l | grep my-drive2 | cut -f1 -d ' ')
>         ;;
>     stop)
>         # Reverse order: detach from the qubes, deactivate, then close.
>         qvm-block d my-drive1-vm $(qvm-block l my-drive1-vm | cut -f1 -d ' ')
>         qvm-block d my-drive2-vm $(qvm-block l my-drive2-vm | cut -f1 -d ' ')
>         vgchange -an my-drive
>         sleep 1
>         kpartx -d /dev/mapper/my-drive
>         cryptsetup close my-drive
>         ;;
>     status)
>         ;;
>     *)
>         echo $"Usage: $0 {start|stop|status}"
>         exit 2
> esac
>
> exit 0
>
> Service: /etc/systemd/system/my-drive-decrypt.service
>
> [Unit]
> Description="Decrypt my-drive"
> Requires=qubes_core.service
> After=qubes_core.service
>
> [Service]
> Type=oneshot
> RemainAfterExit=true
> ExecStart=/root/my-drive-decrypt/my-drive-decrypt.sh start
> ExecStop=/root/my-drive-decrypt/my-drive-decrypt.sh stop
>
> [Install]
> WantedBy=multi-user.target
>
> Enable service:
> systemctl enable my-drive-decrypt.service
>
> -------------------------------------------------
Alternatively, encrypt the new partition with the same password that you use
for the main, and reference it in /etc/crypttab (and /etc/fstab).

> b) if the partition was to be decrypted right before a qube's start -- is
> there a pre-domain-boot script kind of thing?

Have a look at:
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html
This allows you to hook into various events - load/pre-start/start.

For a simpler approach, a script which called:
cryptsetup luksOpen
/usr/bin/qvm-start <qube>
would do.
You could create this and alias it as qvm-start to handle start of
different qubes in different ways.

> c) if the password was to be typed -- any idea how to pop up some password
> input dialog box?

In a script:
password=$(zenity --password)

unman

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181207134734.7fmtpt746tm5ey6c%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
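The "simpler approach" from unman's reply (collect the passphrase with zenity, cryptsetup luksOpen in dom0, then /usr/bin/qvm-start the qube), written out as one dom0 wrapper script. This is an added example, not code from the thread or from Qubes OS: the LUKS device path /dev/disk/by-id/XXX, the mapper name my-secret, the qube name work, the frontend device xvdi and the sample qvm-block listing the script checks itself against are all assumptions or constructed data. The listing parser is the one piece that runs anywhere; it replaces the grep/cut of the quoted script with a whole-word match so that my-drive1 does not also pick up my-drive10.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 wrapper around qvm-start that
# unlocks a LUKS volume, attaches the plaintext mapper device to a qube and
# starts it. All names below are assumptions; adjust them to your setup.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/disk/by-id/XXX}"   # assumed: the LUKS partition
MAPPER="${MAPPER:-my-secret}"                 # assumed: /dev/mapper/<name>
QUBE="${QUBE:-work}"                          # assumed: qube that gets the disk
FRONTEND="${FRONTEND:-xvdi}"                  # assumed: device name in the qube

# Print the BACKEND:DEVID column of the first `qvm-block list` line that
# mentions NAME as a whole word (so "my-drive1" does not match "my-drive10"
# or "my-drive1-vm"). The listing is passed in as a string so the function
# can be exercised without a Qubes system; the column layout assumed here is
# the one the quoted script in this thread greps through.
block_id_for() {
    name="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v n="$name" '
        $0 ~ ("(^|[^A-Za-z0-9_-])" n "([^A-Za-z0-9_-]|$)") { print $1; exit }'
}

# Constructed sample of `qvm-block list` output, used only for self-checks.
SAMPLE_LISTING='BACKEND:DEVID  DESCRIPTION            USED BY
dom0:sda       Samsung_SSD_860 (sda)
dom0:dm-2      my-drive1 ()
dom0:dm-3      my-drive10 ()
dom0:dm-4      my-drive2 ()           my-drive2-vm (frontend-dev=xvdi)'

unlock_and_start() {
    if [ -e "/dev/mapper/$MAPPER" ]; then
        echo "$MAPPER is already open, reusing it" >&2
    else
        # Ask for the passphrase in dom0's GUI; abort on Cancel.
        pw=$(zenity --password --title="Unlock $MAPPER") || exit 1
        # Feed it to cryptsetup over stdin, never as an argument, so it is not
        # visible in `ps` output or shell history. cryptsetup reads up to the
        # newline when stdin is not a terminal.
        printf '%s\n' "$pw" | cryptsetup open "$LUKS_DEV" "$MAPPER"
        unset pw
    fi

    dev_id=$(block_id_for "$MAPPER" "$(qvm-block list)")
    [ -n "$dev_id" ] || { echo "no dom0 block device named $MAPPER" >&2; exit 1; }

    # Attach the plaintext device only if the qube does not already have it.
    if ! qvm-block list "$QUBE" | grep -q "^$dev_id "; then
        qvm-block attach -o frontend-dev="$FRONTEND" "$QUBE" "$dev_id"
    fi
    exec /usr/bin/qvm-start "$QUBE"
}

# Only touch real devices when explicitly asked; sourcing or running the file
# without --run just defines the functions.
if [ "${1:-}" = "--run" ]; then
    unlock_and_start
fi
```

Save it in dom0 (for instance as qvm-start-secret) and alias or call it instead of qvm-start for that one qube; `QUBE=other ./qvm-start-secret --run` reuses it for another. The key material never leaves dom0: the qube receives only the decrypted /dev/mapper device as xvdi, so a compromised qube can read or alter the data on that volume while it is attached but cannot recover the passphrase. The keyfile variant in the quoted script trades that prompt for convenience and, as unman noted, then rests entirely on dom0's own disk encryption.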